Last updated: July 2026
In short: After this guide your domain publishes a valid DKIM public key in the Cloudflare DNS zone — generated by Cloudflare Email Service, or provided by your own mail server.
Prerequisites
- A domain whose DNS is managed at Cloudflare (DNS > Records)
- A mail setup that signs with DKIM: Cloudflare Email Routing/Sending, or your own mail server
What is DKIM?
DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing email. In Cloudflare’s words, “DKIM ensures that emails have not been tampered during transit by cryptographically signing them” with your domain’s private key. DKIM works with a key pair: the private key sits on the mail server and signs; the public key is in DNS — “Public key is published in DNS” — and serves the recipient for verification.
For context: while SPF authorizes the server, DKIM secures the message. Only with DMARC does it become an enforceable foundation.
The starting point at Cloudflare
Two scenarios, depending on who sends your mail:
A) Cloudflare Email Service (Routing or Sending). “Cloudflare automatically generates and manages DKIM keys. You add the provided DNS records from the dashboard.” Email Service “uses separate DKIM selectors for sending and routing”:
- Email Sending:
cf-bounce._domainkey.yourdomain.com - Email Routing:
cf2024-1._domainkey.yourdomain.com
B) Your own mail server behind Cloudflare DNS. Your mail server (e.g. Mailcow, OpenDKIM) generates the selector and key pair. You publish the public key as a TXT record in your Cloudflare DNS zone.
Step-by-step guide
A) Cloudflare Email Service
1. Find the record. In the dashboard, go to Compute > Email Service, select your domain, and “Check the Settings page for the appropriate service” — Email Sending shows the cf-bounce._domainkey record, Email Routing the cf2024-1._domainkey record.
2. Add the record. “Go to DNS > Records and add the DKIM TXT record with the correct selector name and public key.” A verified DKIM record looks like this (from Cloudflare’s dig example):
v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
B) Your own mail server behind Cloudflare DNS
1. Generate the key on the mail server. Your mail server generates the selector and key pair (with Mailcow, e.g. in the UI). You get a public key of the form v=DKIM1; k=rsa; p=<your-public-key>.
2. Create the TXT record in the Cloudflare dashboard. Go to DNS > Records, select Add record:
| Field | Value |
|---|---|
| Type | TXT |
| Name | <selector>._domainkey (e.g. dkim._domainkey) |
| Content | v=DKIM1; k=rsa; p=<your-public-key> |
| TTL | Auto |
Cloudflare uses a plain Content field — no quotation marks. And “Ensure there are no extra spaces or characters in the DNS record”, or the long key won’t validate.
Wait until the change is live
DNS changes take time: depending on TTL and caching it can take a while until every server sees the new entry.
Verify the result
The DNS record alone isn’t enough — the mail server must actually sign with the private key. Check the interplay with the free MXAudit scanner — it shows DKIM, SPF, and DMARC at a glance.
Or directly:
dig TXT dkim._domainkey.example.com +short
Common mistakes
Extra spaces or characters. Cloudflare warns to ensure there are no extra spaces or characters in the DNS record — a broken key silently fails verification.
Selector doesn’t match. The name in DNS (selector._domainkey) must exactly match the selector the mail server signs with. With Email Service, use exactly cf-bounce._domainkey or cf2024-1._domainkey.
DNS set, but no signature. DKIM needs both halves: the public key in DNS and active signing on the mail server. Check both.
Further reading
- Cloudflare Docs: Email authentication (SPF, DKIM, DMARC) (retrieved: July 10, 2026)
- Cloudflare Docs: Email Service troubleshooting (retrieved: July 10, 2026)
- RFC 6376 — DomainKeys Identified Mail (DKIM)
