
DKIM in TXT or CNAME record - which one is better?

Brad Slavin General Manager
Updated April 16, 2026 | Updated for 2026

Quick Answer

DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists.


Email authentication isn’t just about preventing spoofing - it’s about trust, says Vasile Diaconu, Operations Lead at DuoCircle. Every email your organization sends either builds trust or erodes it. SPF, DKIM, and DMARC are the foundation of that trust. Without them, receivers have no way to distinguish your legitimate email from an attacker’s.

A DKIM record stores the public key that is used to verify if an email sent from your domain was tampered with in transit. It can exist in your domain’s DNS as a TXT (Text) or CNAME (Canonical Name) record, enabling a safer email channel. DKIM records are mostly in the TXT format. However, a few providers prefer using CNAME delegation to point your domain to a TXT record hosted on their servers.

Both TXT and CNAME have their own upsides and downsides. This blog discusses both the record types in detail, helping you make the right choice.

DKIM record’s publishing process

A DKIM record is a DNS TXT record and typically consists of several key-value pairs that define how the receiving server should interpret and use the record.

Here is an example of a DKIM record:

selector1._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD..."


A DKIM record usually includes the version tag, selectors, public key, flags, DNS location, and hash algorithm.

Version tag

The DKIM version tag (denoted by v=) specifies the version of the DKIM protocol in use. Its purpose is to instruct the receiving mail servers on how they should interpret the record.

As of now, there is only one version of DKIM, so the value in the record is always v=DKIM1, as in the example above.

DKIM selectors

DKIM selectors are used to identify which DKIM public key to use when verifying the DKIM signature of an email. They enable flexibility, key rotation, and multi-provider setup. You can use different selectors, like ‘selector1’ and ‘selector2’, to rotate keys without downtime or conflict.

Public key

The public key in the DKIM record allows receiving servers to confirm that the email was genuinely sent by your domain and hasn’t been tampered with. It’s a core part of building trust in your email and preventing spoofing or phishing.


This key is inserted in your domain’s DNS zone as a TXT record. It can also be a CNAME record that will point to the key in your provider’s DNS.

DNS location

The DNS location in a DKIM record indicates to receiving mail servers where to locate the public key required to verify a DKIM-signed email. Without it, verification would fail because there’d be no way for the recipient to check if the email was authentic.

Hash algorithm

The DKIM hash algorithm creates a digital fingerprint of the email’s content and headers. This fingerprint is then encrypted with the sender’s private key to develop a valid DKIM signature. The hash summarizes the email’s content in a fixed-length string. Even a slight change signals email tampering.

Encrypting only the hash speeds up the verification process because it eliminates the need to encrypt the entire email.


What are the differences between TXT and CNAME records for DKIM?

1. DKIM as a TXT record

If you create a TXT-type DKIM record, your public key is published at selector._domainkey.example.com. Emails sent from your domain are signed with the private key, while the receiving server uses the public key stored in the DNS to verify the signature.

Benefits of setting DKIM as a TXT record

  • You get better control over your DKIM keys and DNS.

  • You don’t have to depend on third-party vendors if you use a DKIM TXT record. This increases the level of privacy and safety for the data holder.

Problems of setting DKIM as a TXT record

  • You have to rotate and update the DKIM keys manually. Individuals with limited technical skills may struggle to accomplish this.

  • Manual configurations can lead to human errors, impacting email security.


2. DKIM as a CNAME record

This method works a bit differently from the usual one. Instead of adding your DKIM public key directly, you set up a CNAME record at selector._domainkey.example.com that points to your email provider’s DKIM record.

When someone receives your email and their server tries to check the DKIM key, the DNS request gets redirected to your provider’s DNS, where the actual public key (TXT record) is stored.

Benefits of setting DKIM as a CNAME record

  • The keys are rotated and updated automatically. You don’t have to do anything.

  • This is a simpler method, especially for domain owners who have just begun their DKIM journey.


Problems of setting DKIM as a CNAME record

  • Since the setup is very easy, the domain owner gets limited control and visibility into the performance, keys, and DNS.

  • If you use too many layers of CNAMEs, it can slow things down or even hit DNS limits. Also, some email providers have strict rules about how CNAMEs should be set up - or don’t support them at all. If these rules aren’t followed, your DKIM setup might stop working.

Implementing SPF, DKIM, and DMARC in your domain’s DNS fortifies your email security by authenticating senders, validating message integrity, and enforcing policy against spoofing.

Final takeaway: TXT vs. CNAME for DKIM

If you want full control over your DKIM setup and are comfortable handling DNS records and key rotations, go with a TXT record. It’s ideal for self-hosted email setups or when your provider specifically asks for it.

But if you’re using services like Mailchimp, SES, or SendGrid, and prefer a hands-off, automated setup, CNAME is the easier choice. It lets your provider manage everything behind the scenes.

Just remember - you can’t use both TXT and CNAME for the same DKIM selector. Pick one based on your setup and comfort level.
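The checks discussed above (a selector published as TXT or delegated by CNAME, long CNAME chains, and TXT plus CNAME on one selector) can be audited as in the following added example, which is not code from this article or from any provider. The zone contents, the provider.test names, the key placeholder and the MAX_HOPS threshold are all assumptions made for illustration; treating an empty p= tag as a revoked key follows RFC 6376.

```python
# Constructed sample zone; every name and key value is a placeholder.
KEY = "UExBQ0VIT0xERVI="  # base64 of "PLACEHOLDER", not a real public key
ZONE = {
    "s1._domainkey.example.com": [("TXT", f"v=DKIM1; k=rsa; p={KEY}")],
    "s2._domainkey.example.com": [("CNAME", "s2.dkim.provider.test")],
    "s2.dkim.provider.test": [("TXT", f"v=DKIM1; k=rsa; p={KEY}")],
    "s3._domainkey.example.com": [("CNAME", "s3.dkim.provider.test"),
                                  ("TXT", f"v=DKIM1; p={KEY}")],
    "s4._domainkey.example.com": [("CNAME", "a.provider.test")],
    "a.provider.test": [("CNAME", "b.provider.test")],
    "b.provider.test": [("CNAME", "c.provider.test")],
    "c.provider.test": [("TXT", "v=DKIM1; k=rsa; p=")],
}
MAX_HOPS = 2  # assumed local policy for this example, not a protocol limit


def parse_tags(txt):
    """Split a 'tag=value; tag=value' DKIM record into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}


def audit_selector(selector, domain, zone=ZONE):
    """Follow the selector to its TXT record; return (cname_hops, findings)."""
    name, hops, findings, seen = f"{selector}._domainkey.{domain}", 0, [], set()
    while name not in seen:
        seen.add(name)
        records = zone.get(name, [])
        types = {rtype for rtype, _ in records}
        if {"TXT", "CNAME"} <= types:
            findings.append("TXT and CNAME published at the same name")
            return hops, findings
        if "CNAME" in types:
            name, hops = records[0][1], hops + 1  # follow the delegation
            continue
        if "TXT" not in types:
            findings.append("no DKIM record found")
            return hops, findings
        tags = parse_tags(records[0][1])
        if tags.get("v", "DKIM1") != "DKIM1":
            findings.append("unexpected version tag")
        if not tags.get("p"):
            findings.append("empty p= tag: key is missing or revoked")
        if hops > MAX_HOPS:
            findings.append(f"CNAME chain of {hops} hops exceeds {MAX_HOPS}")
        return hops, findings
    findings.append("CNAME loop")
    return hops, findings
```

To run the same checks against live DNS, replace the `zone.get` lookup with a resolver query that returns the record types and values at each name.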

Brad Slavin

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
