Last updated: July 2026

In short: After this guide your Mailcow generates a DKIM key pair and you publish the public part as a TXT record, so receiving servers can verify your signatures.

Prerequisites

  • A running Mailcow server with access to the admin UI
  • Access to your domain(s)’ DNS management

What is DKIM?

DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing email. The private key signs on the mail server, the public one is in DNS and serves the recipient for verification. When self-hosting you have both sides in hand — Mailcow generates the key pair, you publish the public part.

For context: while SPF authorizes the server, DKIM secures the message. The Mailcow docs explicitly recommend DKIM in addition to SPF and DMARC.

The starting point at Mailcow

Mailcow brings DKIM management with it directly: you generate the key in the mailcow UI and enter the resulting TXT record in your DNS. The docs are unambiguous here: “create a DKIM TXT record in your mailcow UI and set the corresponding TXT record in your DNS records.”

The default selector is dkim, so the DNS host is dkim._domainkey.

Step-by-step guide

1. Generate the DKIM key in the mailcow UI

Log into the mailcow admin UI and open Configuration → Options → ARC/DKIM keys (menu label depends on the version). Choose the domain, a selector (default: dkim), and a key length (2048 bit recommended), and generate the key. Mailcow then shows you the public key as a finished DNS TXT value.

2. Create the TXT record in DNS

Enter the value shown by Mailcow at your DNS provider:

dkim._domainkey  IN TXT  "v=DKIM1; k=rsa; t=s; s=email; p=..."

The p= part is the long public key from the mailcow UI. Where exactly you create the record depends on the DNS provider — e.g. Hetzner DNS (don’t forget the quotation marks) or Netcup.

3. Each domain individually

As with the SPF setup: every domain managed in Mailcow needs its own DKIM key and TXT record. Generate a key per domain in the UI and publish it separately.

4. Wait until the change is live

DNS changes take time — a few hours depending on TTL and caching until every server sees the entry.

Verify the result

DKIM only works once the DNS record and the signing in Mailcow fit together. Check that with the free MXAudit scanner — it shows DKIM, SPF, and DMARC at a glance.

Common mistakes

Key generated, but TXT not set (or vice versa). Both halves must fit together: the key in the mailcow UI and the dkim._domainkey TXT in DNS. If one is missing, verification fails.

Key regenerated after the DNS entry. If you generate a new key in the UI, the public part changes — the old TXT record then no longer fits. Update the DNS record after every regeneration.

Selector mismatch. The DNS host (dkim._domainkey) must match the selector chosen in Mailcow. If you deviate from the default dkim, the DNS entry has to follow.

Forgot additional domains. Every domain needs its own DKIM key and record — a forgotten second domain sends unsigned.

Further reading