This article is intended for customers using Enforce.



DKIM is an internet standard that is one of the two ways you can authenticate emails for DMARC. It can be used to prove not only that an email is from who it says it is from but also that the email has not been modified in transit.


There are two types of DKIM keys: TXT and CNAME records. The service that will generate the DKIM keys will specify what type of record the key will be. 


Sample TXT DKIM key 

Record Name: abc._domainkey.yourdomain.com

  • The part in front of ._domainkey is the SELECTOR 

  • After ._domainkey you have the domain or subdomain that owns the record. 

Record Type: TXT

Record Value: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8XzjQk7VuhGE+u6hGVVgJ75C4heUBOVJ/EW+KYjVut36h0NnGWxwLi+G6Twm1jpKnUuyTM4/cvPh1POJt8feYLRkbBRBEsgDgP5gnkNWpK1REp730dDYYEZyF6rwPEAJulx3yEONh81xsi6bWP4RcSl+enVEIKEPK93syZ2ZPrQIDAQAB"


Sample CNAME DKIM key 

Record Name: abc._domainkey.yourdomain.com

  • The part in front of ._domainkey is the SELECTOR 

  • After ._domainkey you have the domain or subdomain that owns the record. 

Record Type: CNAME

Record Value: selector2-yourdomain._domainkey.thirdpartyserver.com 

(The only difference between a CNAME record type DKIM key is the Record value)


The record value of a CNAME type DKIM key will point to a 3rd party server (Microsoft, Google, Mailchimp), which is the one that will respond with a TXT value for the key. 


To add a DKIM key in the Enforce platform, go to the “Domains” page, click on the domain name for which you want to add a DKIM key, and click “Add a DKIM key” in the “DKIM Key” section. 

a screenshot of a computer

  1. Type the Selector name 

  2. If the DKIM key is for a subdomain, associate the key with the subdomain. If the key is for the top-level domain, leave this field untouched 

  3. Associate the DKIM key with the sending service 

  4. Add a comment for the key, to make it easier for you to manage it 

  5. Select the type of DKIM record

  6. Add the value of the key. For TXT keys, this is what comes after ‘p=’, and for CNAME keys add the entire record value 

  7. If this is a newly created DKIM key, check this box. This will allow you to see the age of the key in the ‘DKIM Keys’ section

  8. Check this box only if the TXT record value contains the tag ‘t=s’. This is available only for TXT record keys

  9. When all the fields are completed, click ‘Add’



What are the "Advanced Options"


Advanced Options are only applicable when publishing a TXT key, the CNAME field does not have or need those fields.


  • This is a newly created DKIM key: this option will keep track of how long you have configured this DKIM key to your domain (Keep in mind, it is suggested that you rotate your DKIM keys every 6-9 months).
  • Only allow exact domain signing (t=s): this ensures that the DKIM signature is only valid for emails sent from the exact domain specified in the DKIM record. This helps prevent unauthorized third parties from sending emails with a forged or spoofed sender domain.