How to Add a DKIM Record to Cloudflare — A Complete Guide by DMARCReport
In today’s digital world, email continues to be one of the most essential forms of communication for businesses. From customer support to marketing campaigns and internal workflow, email delivers critical messages every second. But as the volume of email grows, so do threats like phishing, spoofing, and spam.
That’s where proper email authentication steps in — and DKIM (DomainKeys Identified Mail) is one of the foundational pillars of that protection framework. Together with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance), DKIM helps ensure that your domain’s emails are cryptographically verified and trusted by receiving servers.
In this comprehensive guide, DMARCReport will walk you step-by-step through how to add a DKIM record to Cloudflare, why it matters, and how you can avoid common pitfalls along the way.
What Is DKIM and Why It Matters
Before diving into Cloudflare configuration, let’s clarify what DKIM actually is.
DKIM (DomainKeys Identified Mail) is an email authentication method that uses public key cryptography to verify that emails claiming to be from your domain were both (a) sent from an authorized server and (b) not altered in transit. The email provider generates a unique cryptographic key pair:
- A private key that signs outgoing emails.
- A public key stored as a DNS record.
When an email arrives at its destination, the receiving server retrieves the public key from the DKIM DNS record and uses it to verify the digital signature embedded in your message. If the signature verifies against the published public key, the email is authenticated, which increases your domain’s trustworthiness with inbox providers like Gmail, Yahoo, and Outlook.

Why Use Cloudflare for Your DKIM Records
Cloudflare is a widely adopted DNS and performance provider that sits between your domain and the wider internet. In addition to CDN and security features, Cloudflare allows you to manage DNS records for your domain, including DKIM entries.
Using Cloudflare for your DKIM setup ensures:
- High reliability and uptime for DNS lookups.
- Built-in performance optimizations.
- Centralized management alongside other authentication records like SPF and DMARC.
Step-by-Step: Adding a DKIM Record to Cloudflare
Here’s how to properly create and publish a DKIM record in Cloudflare.
1. Generate or Retrieve Your DKIM Public Key
DKIM keys aren’t random — they’re unique to your mail sending setup. Depending on your email provider (Google Workspace, Microsoft 365, Zoho, Brevo, etc.), you’ll first generate a DKIM key pair:
- Log in to your mail service provider’s admin portal.
- Locate the DKIM section (typically under Security or Email Authentication).
- Generate a new DKIM public/private key pair.
- Copy the public key that will be published as DNS.
Most providers will also generate a suggested DNS record format for you, including the selector (the prefix used in DKIM DNS names).
Note: Cloudflare doesn’t generate DKIM keys itself — you must use your mail provider’s instructions.
2. Log In to Your Cloudflare Dashboard
Once you have your DKIM public key ready:
- Go to your Cloudflare account dashboard.
- Select the domain where you want to add the DKIM record.
- Click on DNS to open the DNS management section.
This is where all your domain’s DNS records are stored.

3. Add a New DNS Record
Within the Cloudflare DNS editor:
- Click Add record.
- For Type, choose TXT (because DKIM records are stored as TXT entries).
- In the Name or Host field, insert your DKIM selector followed by ._domainkey. For example:
selector1._domainkey
Here, selector1 is the value provided by your mail service.
- In the Content or TXT Value field, paste the public key. A typical DKIM TXT value might look like:
v=DKIM1; k=rsa; p=MIGfMA0G…
- Leave TTL (time to live) at its default setting unless you have a specific requirement.
This entry enables receiving mail servers to look up your public key.
4. Save the Record
Once everything is filled in, click Save to publish the record. Cloudflare propagates DNS changes quickly, though full global propagation may take up to a few hours.
Common Mistakes and How to Avoid Them
Cloudflare Proxy (Orange Cloud) Issue
Cloudflare’s DNS editor includes an “orange cloud” toggle that enables proxying. For DKIM records:
Disable proxying (switch to “DNS Only”).
Proxying interferes with DKIM validation since receiving servers won’t be able to retrieve your DKIM record directly.
Using the Wrong Record Type
DKIM records must be TXT records unless your provider specifically instructs CNAME usage (rare). Creating an incorrect record type will lead to failed DKIM verification.
If your provider gives you CNAME DKIM records, add them exactly as they specify — but again, make sure they resolve correctly and are DNS Only.
Incorrect Selector Formatting
Remember, DKIM record names require both the selector and the ._domainkey suffix. If your selector is mail, the record name must be:
mail._domainkey
Missing this suffix will cause lookup failures, resulting in failed authentication.

How to Verify Your DKIM Setup
After publishing the DKIM record in Cloudflare:
- Use a DKIM lookup tool (such as the one provided by DMARCReport) to confirm the record exists.
- Send a test email to a service like mail-tester.com to check the DKIM signature.
- Verify that the selector and public key are correctly parsed.
If the DKIM record isn’t found or validation fails, double check:
- DNS propagation status.
- Selector and syntax.
- Proxy settings.
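As a pre-publication check for the record built in step 3 and the selector and syntax mistakes listed above, the following added example (not DMARCReport's or Cloudflare's code) lints a DKIM record name and TXT value offline. The function names and the sample key, which is constructed bytes and not a real key, are assumptions for illustration.

```python
import base64
import re

# Record name as typed in the DNS editor: <selector>._domainkey, optionally fully qualified.
NAME_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\._domainkey(\.[A-Za-z0-9.-]+)?$")
# Constructed sample: 162 arbitrary bytes in base64, NOT a real public key.
SAMPLE_KEY = base64.b64encode(bytes(range(162))).decode()

def parse_tags(txt_value):
    """Split a DKIM TXT value into a {tag: value} dict (RFC 6376 tag=value list)."""
    tags = {}
    for part in txt_value.split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        # Whitespace inside a value (e.g. between split TXT strings) is ignored.
        tags[name.strip()] = "".join(value.split())
    return tags

def lint_dkim_record(name, txt_value):
    """Return a list of problems found in a DKIM record name/value pair."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("name must be <selector>._domainkey")
    try:
        tags = parse_tags(txt_value.replace('"', ""))  # drop pasted quote marks
    except ValueError as exc:
        return problems + [str(exc)]
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unsupported k= key type")
    key = tags.get("p")
    if key is None:
        problems.append("missing p= public key tag")
    elif key == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:  # bad characters or a length that is not a multiple of 4
            problems.append("p= is not valid base64 (truncated or mangled paste?)")
    return problems

if __name__ == "__main__":
    print(lint_dkim_record("mail", "v=DKIM1; k=rsa; p=MIGfMA0G…"))
```

An empty list means the name and value are well-formed; it does not prove the key matches the private key your provider signs with, so the test email step is still needed.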
Why DKIM Alone Isn’t Enough
While DKIM significantly improves email authentication, it doesn’t protect your domain in isolation. To maximize your email security posture:
- SPF ensures only authorized sending IP addresses are permitted.
- DMARC defines how receiving servers should handle emails that fail authentication.
Once DKIM and SPF are in place in Cloudflare, you can add a DMARC record — which tells mail servers whether to accept, quarantine, or reject messages that fail checks.
For DMARC record setup instructions, tools like DMARCReport provide step-by-step wizards and monitoring dashboards to help you maintain compliance.

How DMARCReport Can Help You
At DMARCReport, we specialize in helping organizations implement and monitor email authentication protocols like SPF, DKIM, and DMARC. Here’s how we can make your life easier:
- Detect missing or misconfigured records.
- Provide intuitive dashboards of your authentication performance.
- Automatically process DKIM/DMARC reports from mail receivers.
- Help you troubleshoot common DNS record issues.
With comprehensive tools and expert support, you’re not just publishing DNS entries — you’re safeguarding your email identity.
Final Thoughts
Adding DKIM records to Cloudflare is a powerful step toward improving your email security and deliverability. It protects your brand reputation and ensures your emails aren’t misused or flagged as spam.
Here’s a quick recap of what we covered:
- What DKIM is and why it matters.
- How to generate your DKIM key.
- How to publish a DKIM TXT record in Cloudflare.
- Common pitfalls and best practice fixes.
- How to verify your setup.
With DKIM properly configured and combined with SPF and DMARC, your domain will be better equipped to fight phishing, spoofing, and unauthorized email abuse, some of today’s most pressing email security challenges.
