DKIM in TXT or CNAME record: which one is better?
A DKIM record stores the public key that is used to verify if an email sent from your domain was tampered with in transit. It can exist in your domain’s DNS as a TXT (Text) or CNAME (Canonical Name) record, enabling a safer email channel. DKIM records are mostly in the TXT format. However, a few providers prefer using CNAME delegation to point your domain to a TXT record hosted on their servers.
Both TXT and CNAME have their own upsides and downsides. This blog discusses both record types in detail, helping you make the right choice.
DKIM record’s publishing process
A DKIM record is a DNS TXT record and typically consists of several key-value pairs that define how the receiving server should interpret and use the record.
Here is an example of a DKIM record:
selector1._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD..."

A DKIM record usually includes the version tag, selectors, public key, flags, DNS location, and hash algorithm.
Version tag
The DKIM version tag (denoted by v=) specifies the version of the DKIM protocol in use. Its purpose is to instruct the receiving mail servers on how they should interpret the record.
As of now, there is only one version of DKIM, so the value in the DNS record is always v=DKIM1, as in the example above.
DKIM selectors
DKIM selectors are used to identify which DKIM public key to use when verifying the DKIM signature of an email. They enable flexibility, key rotation, and multi-provider setup. You can use different selectors, like ‘selector1’ and ‘selector2’, to rotate keys without downtime or conflict.
Public key
The public key in the DKIM record allows receiving servers to confirm that the email was genuinely sent by your domain and hasn’t been tampered with. It’s a core part of building trust in your email and preventing spoofing or phishing.

This key is inserted in your domain’s DNS zone as a TXT record. It can also be a CNAME record that will point to the key in your provider’s DNS.
DNS location
The DNS location in a DKIM record indicates to receiving mail servers where to locate the public key required to verify a DKIM-signed email. Without it, verification would fail because there’d be no way for the recipient to check if the email was authentic.
Hash algorithm
The DKIM hash algorithm creates a digital fingerprint of the email’s content and headers. This fingerprint is then signed with the sender’s private key to produce a valid DKIM signature. The hash summarizes the email’s content in a fixed-length string, so even a slight change signals email tampering.
Signing the hash speeds up the verification process because the private-key operation runs over a short fixed-length value rather than the entire email.
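The tag layout described above can be checked mechanically before a record goes live. The following is an added example, not code from this blog or from any provider: it parses a DKIM key record into its tags and reports common publishing mistakes. The function name `parse_dkim_key_record` and the sample records are constructed for illustration, and the key material is placeholder bytes, not a real key.

```python
import base64
import binascii

def parse_dkim_key_record(txt_strings):
    """Parse and lint a DKIM key record given as its TXT character-strings."""
    record = "".join(txt_strings)  # long TXT data is split into <=255-byte strings
    tags, problems = {}, []
    parts = [p for p in record.split(";") if p.strip()]
    for index, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            problems.append(f"malformed tag: {part.strip()!r}")
            continue
        if name in tags:
            problems.append(f"duplicate tag: {name}")
            continue
        if name == "v" and index != 0:
            problems.append("v= must be the first tag")
        tags[name] = value
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unsupported version: {tags['v']}")
    key_type = tags.get("k", "rsa")  # k= defaults to rsa when omitted
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unknown key type: {key_type}")
    key_b64 = "".join(tags.get("p", "").split())  # whitespace inside p= is ignored
    if "p" not in tags:
        problems.append("missing p= (public key)")
    elif key_b64:
        try:
            base64.b64decode(key_b64, validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64")
    flags = [f.strip() for f in tags.get("t", "").split(":") if f.strip()]
    return {
        "tags": tags,
        "key_type": key_type,
        "revoked": "p" in tags and not key_b64,  # empty p= means the key was revoked
        "testing": "y" in flags,                 # t=y: the domain is testing DKIM
        "hashes": [h for h in tags.get("h", "").split(":") if h],  # empty = any
        "problems": problems,
    }

# Constructed sample data (placeholder bytes, not a real key), split the way
# DNS splits long TXT data into several strings.
SAMPLE_KEY = base64.b64encode(bytes(range(162))).decode()
GOOD = ["v=DKIM1; k=rsa; h=sha256; p=" + SAMPLE_KEY[:100], SAMPLE_KEY[100:]]
BAD = ["k=rsa; v=1; p=not*base64"]
REVOKED = ["v=DKIM1; p="]

if __name__ == "__main__":
    for label, rec in (("good", GOOD), ("bad", BAD), ("revoked", REVOKED)):
        print(label, parse_dkim_key_record(rec)["problems"])
```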

Understanding the differences between TXT and CNAME records for DKIM
1. DKIM as a TXT record
If you publish DKIM as a TXT record, your public key is published at the location selector._domainkey.example.com. Emails sent from your domain are signed with the private key, while the receiving server uses the public key stored in the DNS to verify the signature.
Benefits of setting DKIM as a TXT record
- You get better control over your DKIM keys and DNS.
- You don’t have to depend on third-party vendors if you use a DKIM TXT record. This increases the level of privacy and safety for the data holder.
Problems of setting DKIM as a TXT record
- You have to rotate and update the DKIM keys manually. Individuals with limited technical skills may struggle to accomplish this.
- Manual configurations can lead to human errors, impacting email security.

2. DKIM as a CNAME record
This method works a bit differently from the usual one. Instead of adding your DKIM public key directly, you set up a CNAME record at selector._domainkey.example.com that points to your email provider’s DKIM record.
When someone receives your email and their server tries to check the DKIM key, the DNS request gets redirected to your provider’s DNS, where the actual public key (TXT record) is stored.
Benefits of setting DKIM as a CNAME record
- The keys are rotated and updated automatically. You don’t have to do anything.
- This is a simpler method, especially for domain owners who have just begun their DKIM journey.

Problems of setting DKIM as a CNAME record
- Since the setup is very easy, the domain owner gets limited control and visibility into the performance, keys, and DNS.
- If you use too many layers of CNAMEs, it can slow things down or even hit DNS limits. Also, some email providers have strict rules about how CNAMEs should be set up—or don’t support them at all. If these rules aren’t followed, your DKIM setup might stop working.
Implementing SPF, DKIM, and DMARC in your domain’s DNS fortifies your email security by authenticating senders, validating message integrity, and enforcing policy against spoofing.
Final takeaway: TXT vs. CNAME for DKIM
If you want full control over your DKIM setup and are comfortable handling DNS records and key rotations, go with a TXT record. It’s ideal for self-hosted email setups or when your provider specifically asks for it.
But if you’re using services like Mailchimp, SES, or SendGrid, and prefer a hands-off, automated setup, CNAME is the easier choice. It lets your provider manage everything behind the scenes.
Just remember — you can’t use both TXT and CNAME for the same DKIM selector. Pick one based on your setup and comfort level.
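The CNAME behaviour described in this post (the redirect to the provider's TXT record, the risk of long CNAME chains, and the rule against publishing TXT and CNAME at the same selector) can be audited offline against a copy of your zone data. The following is an added example, not code from this blog or from any provider. The zone dictionary, the `provider.example` names, and the `MAX_HOPS` value are assumptions made for illustration; real resolvers apply their own chain limits.

```python
MAX_HOPS = 8  # assumed cap for this example; real resolvers apply their own limits

def resolve_dkim_key(zone, name, max_hops=MAX_HOPS):
    """Follow CNAMEs from a selector name to the TXT record that holds the key.

    zone maps owner name -> {"CNAME": target} and/or {"TXT": [strings]}.
    Returns (key_record_or_None, chain_of_names, problems).
    """
    name = name.lower().rstrip(".")
    chain, problems = [name], []
    while True:
        rrsets = zone.get(name, {})
        others = sorted(set(rrsets) - {"CNAME"})
        if "CNAME" in rrsets and others:
            # A name that has a CNAME must not carry any other record type.
            problems.append(f"{name}: CNAME published alongside {others}")
        if "CNAME" not in rrsets:
            txt = rrsets.get("TXT")
            if not txt:
                problems.append(f"{name}: no TXT record at the end of the chain")
                return None, chain, problems
            return "".join(txt), chain, problems
        name = rrsets["CNAME"].lower().rstrip(".")
        if name in chain:
            problems.append(f"CNAME loop back to {name}")
            return None, chain, problems
        chain.append(name)
        if len(chain) - 1 > max_hops:
            problems.append(f"more than {max_hops} CNAME hops")
            return None, chain, problems

# Constructed zone data; names and key text are placeholders, not real records.
KEY = ["v=DKIM1; k=rsa; p=", "Q09OU1RSVUNURUQ="]
ZONE = {
    "s1._domainkey.example.com": {"CNAME": "s1.example-com.dkim.provider.example"},
    "s1.example-com.dkim.provider.example": {"TXT": KEY},
    # s2: TXT and CNAME at the same selector (the conflict the post warns about)
    "s2._domainkey.example.com": {"CNAME": "s2.dkim.provider.example", "TXT": KEY},
    "s2.dkim.provider.example": {"TXT": KEY},
    # s3: chain that loops back on itself
    "s3._domainkey.example.com": {"CNAME": "a.provider.example"},
    "a.provider.example": {"CNAME": "s3._domainkey.example.com"},
    # s4: provider-side record no longer exists (dangling CNAME)
    "s4._domainkey.example.com": {"CNAME": "gone.provider.example"},
}

if __name__ == "__main__":
    for sel in ("s1", "s2", "s3", "s4"):
        print(sel, resolve_dkim_key(ZONE, f"{sel}._domainkey.example.com"))
```

A dangling or looping chain returns no key at all, which is the case where DKIM verification fails for every message signed with that selector.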