Last updated: July 2026

In short: At united-domains, DKIM is automatically active for every email domain with a mailbox. This guide shows when that applies, when it doesn’t — and what you have to do in the exceptions.

Prerequisites

What is DKIM?

DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing email, which the recipient checks via a key published in DNS. An important distinction, as united-domains puts it itself: DKIM does not encrypt the content — it only checks authenticity and integrity. And: “SPF checks the sender’s IP address, while DKIM checks the authenticity of the email content and header.”

Only SPF, DKIM, and DMARC together make a solid foundation.

The starting point at united-domains — the good news

united-domains makes it the easiest of all: DKIM is permanently enabled for every email domain whose email package uses at least one mailbox. You don’t have to set anything up, don’t have to enter anything — it just runs.

There is exactly one important exception: DKIM is not enabled if you use your own, i.e. external, nameservers for your email domain. Then DNS authority is with you — and so is the obligation to publish the DKIM key yourself.

Step-by-step guide

1. Check whether DKIM is active

With a normal united-domains mailbox setup, DKIM is already on. Check it to be safe with the free MXAudit scanner — it recognizes the signature and shows it together with SPF and DMARC.

2. The normal case: do nothing

If you use a united-domains email package with a mailbox and the united-domains nameservers, DKIM is permanently enabled. You’re done. You’ll find the status in the domain management: click the email symbol next to the domain, then under Email click Email security.

3. Exception A: external nameservers

If you run your own nameservers for the domain, the automatic DKIM activation doesn’t apply. Then you have to publish your mail system’s DKIM key yourself as a TXT or CNAME record in your external zone — as described in our guides for Hetzner DNS or Mailcow.

4. Exception B: sending via an external service

If you send via an ESP or Microsoft 365 instead of the united-domains mailboxes, the automatic signing doesn’t apply to those mails. The external service gives you a selector and key; you enter them in your domain’s DNS management (for Microsoft 365, e.g. the two CNAME selectors).

Verify the result

Check your configuration with the free MXAudit scanner — it shows you DKIM, SPF, and DMARC at a glance.

Common mistakes

External nameservers, forgot DKIM. The most common stumbling block: as soon as you enter your own nameservers, the automatic DKIM activation is gone. Then you have to publish the key yourself.

Assumed DKIM also covers external sending. The automatic signing applies to mail from the united-domains mailboxes. A newsletter service or Microsoft 365 needs its own DKIM entry.

Confused DKIM with encryption. DKIM signs, it doesn’t encrypt. Encryption needs other methods (TLS in transport, S/MIME or PGP in the content).

Further reading