Last updated: July 2026

In short: After this guide your domain publishes a valid DKIM public key in Route 53 — either as the CNAME records your mail provider hands you, or as a TXT record for your own mail server.

Prerequisites

  • A public hosted zone in Amazon Route 53
  • A mail service that signs your outgoing mail (Amazon SES, Google Workspace, Microsoft 365, or your own mail server)

What is DKIM?

DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing email. Receiving servers use it to check whether a mail really comes from your domain and wasn’t altered in transit. DKIM works with a key pair: the private key sits on the mail server and signs; the public key is in DNS and serves the recipient for verification.

For context: while SPF authorizes the server, DKIM secures the message. Only with DMARC does it become an enforceable foundation.

The starting point at Route 53

Route 53 is DNS only — it never generates a key pair. The keys come from your mail service; Route 53 just publishes the public half. Two shapes are common:

A) CNAME delegation (Amazon SES Easy DKIM, Microsoft 365). The provider hosts the key and gives you a handful of CNAME records (for SES Easy DKIM, three of them) that point into the provider’s domain. You recreate them in Route 53. The advantage: the provider can rotate keys without you touching DNS again.

B) Own TXT public key (your own mail server, Google Workspace). Your mail server (e.g. OpenDKIM, or Google Workspace which shows you a TXT value) generates the key pair. You publish the public key as a TXT record at selector._domainkey.

Step-by-step guide

A) CNAME delegation (e.g. Amazon SES)

1. Get the CNAME targets. In your mail provider’s console, enable DKIM and copy the CNAME host/target pairs it shows.

2. Create each CNAME in Route 53. Open your hosted zone and choose Create record for every pair:

FieldValue
Record name<token>._domainkey (as shown by the provider)
Record typeCNAME
Valuethe target hostname the provider gave you

Mind one AWS rule: “if you create a CNAME record for a subdomain, you cannot create any other records for that subdomain” — and CNAMEs are not allowed at the zone apex (“The DNS protocol does not allow you to create a CNAME record for the top node of a DNS namespace, also known as the zone apex.”). Neither is a problem for DKIM, since the selector host (<token>._domainkey) is always a dedicated subdomain.

B) Own TXT public key

1. Generate the key on the mail server. Your mail server produces a selector and key pair. You get a public key in the format v=DKIM1; k=rsa; p=....

2. Create the TXT record in Route 53:

FieldValue
Record name<selector>._domainkey (e.g. dkim._domainkey)
Record typeTXT
Value"v=DKIM1; k=rsa; p=<your-public-key>"

As with the SPF record, the Route 53 rule applies: the TXT value goes in double quotes (“A TXT record contains one or more strings that are enclosed in double quotation marks”). A DKIM key easily exceeds a single string’s 255-character limit — Route 53 lets you split it: “A single string can include up to 255 characters”, so break a long key into several quoted strings on the same line ("v=DKIM1; k=rsa; " "p=MIIBI..."). The overall value can be up to 4,000 characters.

Wait until the change is live

Per the AWS docs, “Changes generally propagate to all Route 53 name servers within 60 seconds” — downstream caches follow once the TTL expires.

Verify the result

The DNS record alone isn’t enough — the mail server must actually sign with the private key. Check the interplay with the free MXAudit scanner — it shows DKIM, SPF, and DMARC at a glance.

Common mistakes

Split key entered wrong. A long RSA key must be broken into quoted strings of ≤255 characters on one line — not pasted as one 300-character string.

Forgot the quotation marks. In the Route 53 Value box the TXT value goes in double quotes.

Selector doesn’t match. The name in DNS (selector._domainkey) must exactly match the selector the mail server signs with.

Extra records under a CNAME host. If you used CNAME delegation, you can’t add other records under that same subdomain — Route 53 (and DNS itself) forbids it.

DNS set, but no signature. DKIM needs both halves: the public key in DNS and active signing on the mail server. Check both.

Further reading