---
title: "DKIM in TXT or CNAME record - which one is better? | DMARC Report"
description: "DKIM in TXT or CNAME record - which one is better? from DMARC Report explains practical steps for email authentication, domain protection, deliverability."
image: "https://dmarcreport.com/og/blog/dkim-in-txt-or-cname-record-which-one-is-better.png"
canonical: "https://dmarcreport.com/blog/dkim-in-txt-or-cname-record-which-one-is-better/"
---
Quick Answer
DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists. DMARC Report DKIM in TXT or CNAME record - which one is better?
Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/)
Share
[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fdkim-in-txt-or-cname-record-which-one-is-better%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=DKIM%20in%20TXT%20or%20CNAME%20record%20-%20%20which%20one%20is%20better%3F&url=undefined%2Fblog%2Fdkim-in-txt-or-cname-record-which-one-is-better%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fdkim-in-txt-or-cname-record-which-one-is-better%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fdkim-in-txt-or-cname-record-which-one-is-better%2F&title=DKIM%20in%20TXT%20or%20CNAME%20record%20-%20%20which%20one%20is%20better%3F "Share on Reddit") [ ](mailto:?subject=DKIM%20in%20TXT%20or%20CNAME%20record%20-%20%20which%20one%20is%20better%3F&body=Check out this article: undefined%2Fblog%2Fdkim-in-txt-or-cname-record-which-one-is-better%2F "Share via Email")
## Try Our Free DKIM Lookup
Auto-discover DKIM selectors for any domain - scan 185 common selectors across all major providers.
[ Discover DKIM Selectors → ](/tools/dkim-lookup/)
> Email authentication isn’t just about preventing spoofing - it’s about trust, says Vasile Diaconu, Operations Lead at DuoCircle. Every email your organization sends either builds trust or erodes it. SPF, DKIM, and DMARC are the foundation of that trust. Without them, receivers have no way to distinguish your legitimate email from an attacker’s.
DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists. DMARC Report
DKIM in TXT or CNAME record - which one is better?
```
```
/
```
```
RSS Feed
```
Share
Link
Embed
```
/\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-25691” readonly/>
```
```
A DKIM record stores the [public key](https://www.techtarget.com/searchsecurity/definition/public-key) that is used to verify if an email sent from your domain was tampered with in transit. It can exist in your domain’s DNS as a TXT (Text) or CNAME (Canonical Name) record, enabling a **safer email channel**. DKIM records are mostly in the TXT format. However, a few providers prefer using CNAME delegation to point your domain to a TXT record hosted on their servers.
Both TXT and CNAME have their **own upsides and downsides**. This blog discusses both the record types in detail, helping you make the right choice.
## DKIM record’s publishing process
A DKIM record is a [DNS TXT record](https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/) and typically consists of several key-value pairs that define how the receiving server should interpret and use the record.
Here is an example of a DKIM record-
`_selector1._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD..."_`
A DKIM record usually includes the version tag, selectors, public key, flags, DNS location, and hash algorithm.
## Version tag
The DKIM version tag (denoted by v=) specifies the version of the \*\*DKIM protocol in use. Its purpose is to instruct the receiving [mail servers](https://www.activecampaign.com/glossary/mail-server) on how they should interpret the record.
As of now, there is only one version of DKIM, so the value is always v=1.
## DKIM selectors
DKIM selectors are used to identify which DKIM public key to use when verifying the [DKIM signature](https://docs.mapp.com/docs/dkim-signature) of an email. They enable flexibility, key rotation, and **multi-provider setup**.\_ You can use different selectors, like ‘selector1 ’ and ‘selector2’, to rotate keys without downtime or conflict\_.
## Public key
The public key in the DKIM record allows receiving servers to confirm that the email was genuinely sent by your domain and hasn’t been tampered with. It’s a core part of building trust in your email and preventing [spoofing or phishing](https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html).
This key is inserted in your domain’s [DNS zone](https://www.ibm.com/think/topics/dns-zone) as a TXT record. It can also be a CNAME record that will point to the key in your **provider’s DNS**.
## DNS location
_The DNS location in a DKIM record indicates to receiving mail servers where to locate the public key required to verify a DKIM-signed email_. Without it, verification would fail because there’d be no way for the recipient to check if the email was authentic.
## Hash algorithm
The DKIM hash algorithm creates a digital fingerprint of the **email’s content and headers**. This fingerprint is then encrypted with the sender’s [privat](https://www.investopedia.com/terms/p/private-key.asp)[e](https://www.investopedia.com/terms/p/private-key.asp)[ key](https://www.investopedia.com/terms/p/private-key.asp) to develop a valid DKIM signature. The hash summarizes the email’s content in a fixed-length string. Even a slight change signals email tampering.
An encrypted [hash algorithm](https://www.geeksforgeeks.org/how-hashing-algorithm-used-in-cryptography/) speeds up the \*\*verification process because it eliminates the need to encrypt the entire email.
## What Is differences between TXT and CNAME records for DKIM?
## 1\. DKIM as a TXT record
If you make a TXT-type DKIM record, then your public key is published at the location selector.domainkey[.example.com](http://.example.com). The emails sent from your domain are signed with the private key, while the receiving server uses the private key stored in the **DNS to verify the signature**.
## Benefits of setting DKIM as a TXT record
- You get better control over your DKIM keys and DNS.
- You don’t have to depend on [third-party vendors](https://www.upguard.com/blog/third-party-vendor) if you use a DKIM TXT record. This increases the level of privacy and **safety for the data holder**.
## Problems of setting DKIM as a TXT record
- You have to rotate and update the DKIM keys manually. _Individuals with limited technical skills may struggle to accomplish this_.
- Manual configurations can lead to human errors, impacting [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/).
## 2\. DKIM as a CNAME record
This method works a bit differently from the usual one. Instead of adding your DKIM public key directly, you set up a [CNAME record](https://support.dnsimple.com/articles/cname-record/) at selector.\_\_domainkey.example.com that points to your email provider’s DKIM record.
_When someone receives your email and their server tries to check the DKIM key, the DNS request gets redirected to your provider’s DNS, where the actual public key (TXT record) is stored_.
## Benefits of setting DKIM as a CNAME record
- The **keys are rotated and updated automatically**. You don’t have to do anything.
- This is a simpler method, especially for domain owners who have just begun their DKIM journey.
## Problems of setting DKIM as a TXT record
- Since the setup is very easy, the domain owner gets limited \*\*control and visibility into the performance, keys, and DNS.
- If you use too **many layers of CNAMEs**, it can slow things down or even **hit DNS limits**. Also, some email providers have strict rules about how CNAMEs should be set up - or don’t support them at all. If these rules aren’t followed, your [DKIM](https://dmarcreport.com/what-is-dkim/) setup might stop working.
Implementing [SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/), DKIM, and [DMARC](https://dmarcreport.com/) in your domain’s DNS fortifies your email security by authenticating senders, **validating message integrity**, and enforcing policy against spoofing.
## Final takeaway: TXT vs. CNAME for DKIM
If you want full control over your DKIM setup and are comfortable handling DNS records and **key rotations**, go with a TXT record. It’s ideal for [self-hosted email](https://develop.sentry.dev/self-hosted/email/) setups or when your provider specifically asks for it.
_But if you’re using services like Mailchimp, SES, or SendGrid, and prefer a hands-off, automated setup, CNAME is the easier choice. It lets your provider manage everything behind the scenes_.
Just remember - you can’t use both \*\*TXT and CNAME for the same [DKIM selector](https://dmarcreport.com/blog/what-is-the-difference-between-dkim-selector-and-domain-checking-dkim/). Pick one based on your setup and comfort level.
## Topics
[ dkim ](/tags/dkim/)[ dkim selector ](/tags/dkim-selector/)[ DMARC ](/tags/dmarc/)[ dns record ](/tags/dns-record/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/)
[ Brad Slavin ](/authors/brad-slavin/)
General Manager
Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin)
## Take control of your DMARC reports
Turn raw XML into actionable dashboards. Start free - no credit card required.
[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/)
## Related Articles
[ Foundational 10m Best Tools For Generating DMARC Records For Small Businesses With Minimal It Staff? Nov 28, 2025 ](/blog/best-tools-for-generating-dmarc-records-for-small-businesses-without-it-staff/)[ Foundational 15m DKIM TXT Records: How to Properly Configure Your Email Authentication Apr 16, 2025 ](/blog/dkim-txt-records-how-to-properly-configure-your-email-authentication/)[ Foundational 10m How To Use Mxtoolbox Dmarc Analyzer For Effective Email Security Sep 24, 2025 ](/blog/how-to-use-mxtoolbox-dmarc-analyzer-for-effective-email-security/)[ Foundational 6m What is a DKIM record? A complete guide to setup, mistakes, and DMARC alignment Aug 13, 2025 ](/blog/what-is-dkim-record-guide-setup-mistakes-and-dmarc-alignment/)
```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```
```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```
```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"DKIM in TXT or CNAME record - which one is better?","description":"DKIM in TXT or CNAME record - which one is better? from DMARC Report explains practical steps for email authentication, domain protection, deliverability.","url":"https://dmarcreport.com/blog/dkim-in-txt-or-cname-record-which-one-is-better/","datePublished":"2025-06-04T07:59:10.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2025-06-04T07:59:10.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/dkim-in-txt-or-cname-record-which-one-is-better/"},"articleSection":"foundational","keywords":"dkim, dkim selector, DMARC, dns record, email security, SPF","wordCount":1354,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"DKIM in TXT or CNAME record - which one is better?","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```
```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"DKIM in TXT or CNAME record - which one is better?","item":"https://dmarcreport.com/blog/dkim-in-txt-or-cname-record-which-one-is-better/"}]}
```