Last updated: July 2026

In short: After this guide your domain publishes a correct DKIM key in the KAS, so receiving servers can verify the signature of your mail.

Prerequisites

  • An All-Inkl package with access to the KAS (technical administration)
  • The public DKIM key of your sending mail server (for external sending, the provider supplies it)

What is DKIM?

DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing email. The receiving server queries the DKIM key stored in the domain’s nameserver and uses it to verify the signature. All-Inkl explicitly points out in its own docs: DKIM only ensures the mail arrives unaltered — it explicitly makes no statement about spam. That’s exactly why you additionally need SPF and DMARC.

The starting point at All-Inkl

Two paths, depending on who sends your mail:

  • Sending via the All-Inkl mail servers: you activate DKIM signing in the KAS settings of your domain or mailbox — All-Inkl then creates the matching DNS entry itself. (Check in the KAS under your domain/mailbox whether the DKIM option is active.)
  • Sending via an external mail server (your own server, newsletter service): you enter the public key supplied by the provider yourself as a TXT (DKIM) record in the KAS. The following guide describes this path — it’s the DNS route officially documented by All-Inkl.

Step-by-step guide (external mail server)

1. Open the DNS settings in the KAS

Log into the KAS (technical administration) and click ToolsDNS settings. Edit the domain and click create new DNS entry.

2. Enter the DKIM record

Fill in the form like this:

FieldValue
Nameyour selector + ._domainkey, e.g. mail._domainkey
TypeTXT
Datav=DKIM1; k=rsa; p=<your-public-key-from-the-mail-server>

The selector name (here mail) is dictated by your mail server or sending service — it must match exactly, because the receiving server looks up precisely selector._domainkey.your-domain. There is no PRIO for DKIM.

On the syntax: v=DKIM1 is the version and must — if specified — come first. p contains the public key. k=rsa gives the key type (at All-Inkl currently only rsa).

3. Mind the character limit

The DATA field holds up to 512 characters — that allows keys up to 2048 bits. So a 2048-bit RSA key just fits; larger keys (4096 bit) would blow the limit. When in doubt, use a 2048-bit key.

4. Save and check

After saving, the entry appears in the table. DNS changes at All-Inkl can take up to 24 hours until they’re visible everywhere.

Verify the result

The DNS record alone isn’t enough — your mail server must actually sign the outgoing mail with the matching private key. Check the interplay with the free MXAudit scanner: it shows whether the signature works and the selector resolves in DNS — together with SPF and DMARC.

Common mistakes

Selector doesn’t match. The name in DNS (selector._domainkey) must exactly match the selector your mail server signs with. One typo and the signature can’t be found.

Key too large for the field. The DATA field won’t take more than 512 characters — a 4096-bit key doesn’t fit. Choose 2048 bits.

DNS set, but the server doesn’t sign. DKIM consists of two halves: the public key in DNS and signing by the mail server with the private key. Without the second, the nicest TXT record does nothing.

Spaces around the =. In v=DKIM1 and p=... there’s no space around the equals sign — parameter and value right against each other, separated by a semicolon.

Further reading