Last updated: July 2026
In short: After this guide your domain publishes a valid DKIM public key — automatically generated with konsoleH, provided by you with your own mail server.
Prerequisites
- A Hetzner web hosting package (konsoleH) or a DNS zone at Hetzner plus your own mail server
- Access to the relevant DNS management
What is DKIM?
DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing email. Receiving servers use it to check whether a mail really comes from your domain and wasn’t altered in transit. DKIM works with a key pair: the private key sits on the mail server and signs; the public key is in DNS and serves the recipient for verification.
For context: while SPF authorizes the server, DKIM secures the message. Only with DMARC does it become an enforceable foundation.
The starting point at Hetzner
Two scenarios, depending on who sends your mail:
A) konsoleH web hosting (Hetzner is your mail server). The Enable DKIM function automatically generates a key pair. If you use the konsoleH nameservers, the system sets the necessary DNS record right away — if you use external nameservers, konsoleH shows you the TXT record to enter manually.
B) Your own mail server behind Hetzner DNS. Your mail server (e.g. Mailcow, OpenDKIM) generates the key pair. You enter the public key as a TXT record in your Hetzner DNS zone.
Step-by-step guide
A) konsoleH web hosting
1. Activate DKIM. In the konsoleH mail security settings of your domain, switch on the Enable DKIM function. This automatically generates a key pair.
2. Set the DNS record.
- With konsoleH nameservers: the system creates the DKIM DNS record automatically — you’re done.
- With external nameservers: konsoleH shows you a TXT record. Enter it at your DNS provider exactly as shown (hostname
selector._domainkey, valuev=DKIM1; ...).
3. Optional: your own key pair. You can also use your own key pair. Important: the private key must not be password-protected, otherwise the mail server can’t sign with it.
B) Your own mail server behind Hetzner DNS
1. Generate the key on the mail server. Your mail server generates the selector and key pair (with Mailcow, e.g. in the UI). You get a public key in the format v=DKIM1; k=rsa; p=....
2. Create the TXT record in the Hetzner Console:
| Field | Value |
|---|---|
| Type | TXT |
| Name | <selector>._domainkey (e.g. dkim._domainkey) |
| Value | "v=DKIM1; k=rsa; p=<your-public-key>" |
As with the SPF record, the Hetzner quirk applies: the TXT value must be in quotation marks.
Wait until the change is live
DNS changes take time: depending on TTL and caching it can take a few hours until every server sees the new entry.
Verify the result
The DNS record alone isn’t enough — the mail server must actually sign with the private key. Check the interplay with the free MXAudit scanner — it shows DKIM, SPF, and DMARC at a glance.
Common mistakes
Private key password-protected. If you use your own key pair, the private key must not have a password — otherwise the mail server can’t sign.
Forgot the quotation marks. In the Hetzner Console the TXT value goes in quotation marks. Without them the long DKIM string isn’t stored correctly.
Selector doesn’t match. The name in DNS (selector._domainkey) must exactly match the selector the mail server signs with.
DNS set, but no signature. DKIM needs both halves: the public key in DNS and active signing on the mail server. Check both.
Further reading
- Hetzner Docs: Email security with DKIM, SPF, and DMARC (konsoleH) (retrieved: July 10, 2026)
- RFC 6376 — DomainKeys Identified Mail (DKIM)
