
Managed DKIM

Managed DKIM lets you generate, publish, and rotate DKIM key pairs directly through SpoofWard. Instead of manually creating keys and managing DNS records, SpoofWard handles the cryptographic key generation and provides you with the exact DNS records to publish at your DNS provider.

Business+ Feature

Managed DKIM is available on Business and Enterprise plans. Pro plans can use the DKIM Checker tool to verify externally managed keys.

How DKIM Works

DKIM (DomainKeys Identified Mail) uses public-key cryptography to sign outgoing email. The sending server signs each message with a private key, and the receiving server verifies the signature using the public key published in your DNS. This proves the message was authorized by the domain owner and has not been tampered with in transit.

Generating a DKIM Key Pair

  1. Navigate to the domain's DNS Management page
  2. Click the DKIM tab
  3. Click Generate New Key Pair
  4. Configure the key settings:
    • Key Size — Choose 1024-bit or 2048-bit (see Key Size Considerations below)
    • Selector — Enter a selector name (see Selector Naming below)
  5. Click Generate
  6. SpoofWard generates the key pair and displays the DNS TXT record you need to publish

Key Size Considerations

  • 1024-bit — Widely supported and compatible with all DNS providers. Suitable for most use cases. The DNS TXT record value fits within a single 255-character DNS string.
  • 2048-bit — Stronger security and recommended for organizations with elevated security requirements. The DNS TXT record value exceeds 255 characters, which requires the record to be split across multiple strings. Most modern DNS providers handle this automatically.

Recommendation

Use 2048-bit keys for new deployments. The added security is significant, and compatibility issues with split TXT records are rare with modern DNS providers. Only use 1024-bit if your DNS provider cannot handle records longer than 255 characters.

Selector Naming

A selector is a label that identifies which DKIM key to use for verification. The selector becomes part of the DNS record name: [selector]._domainkey.yourdomain.com.

Best practices for selector names:

  • Use descriptive names that indicate purpose or date, such as spoofward2025 or primary-q1
  • Avoid generic names like default or key1 that may conflict with selectors used by email service providers
  • Keep selectors short and lowercase — only letters, numbers, and hyphens are allowed
  • Include a date or version component to simplify key rotation tracking

Publishing the DNS Record

After generating the key pair, SpoofWard displays the DNS TXT record you need to add at your DNS provider.

  1. Copy the record name and value shown on the Managed DKIM page
  2. Log in to your DNS provider
  3. Create a new TXT record with the provided name and value
  4. Save the record and wait for DNS propagation (typically 15 minutes to 48 hours depending on TTL)
  5. Return to SpoofWard and click Verify Published Record

SpoofWard checks DNS to confirm the record is published correctly. Once verified, the key status changes to Active.

Important

The private key is stored securely in SpoofWard and is not displayed or downloadable after generation. If you need to configure the private key on your mail server, export it immediately after generation using the Export Private Key option; the option is only available once.

Key Rotation

Regular key rotation limits the window of exposure if a private key is compromised. SpoofWard supports both manual and scheduled key rotation.

Manual Rotation

  1. Generate a new key pair with a new selector
  2. Publish the new DNS record alongside the existing one
  3. Configure your mail server to sign with the new key
  4. Wait 48–72 hours for DNS caches to update and in-flight messages to be delivered
  5. Remove the old DNS record
  6. In SpoofWard, mark the old key as Retired

Scheduled Rotation

Automate key rotation on a recurring schedule:

  1. Navigate to DNS Management → DKIM → Rotation Settings
  2. Enable Scheduled Rotation
  3. Set the rotation interval:
    • Monthly — High-security environments
    • Quarterly — Recommended for most organizations
    • Biannually — Minimum recommended frequency
  4. Click Save

When a scheduled rotation occurs, SpoofWard generates the new key pair, notifies you with the DNS record to publish, and provides a grace period before the old key is retired.

Tip

If you use a connected DNS provider (GoDaddy, Route 53, Azure DNS, or Google Cloud DNS), SpoofWard can publish the new DKIM record automatically during rotation, eliminating the manual DNS step.

Managing Keys

The DKIM management page shows all keys for the domain with their current status:

  • Active — Currently in use for signing and verification
  • Pending — Generated but DNS record not yet verified
  • Retiring — Being phased out; a newer key is active
  • Retired — No longer in use; DNS record can be safely removed

For each key you can:

  • View the public key and DNS record details
  • Verify the DNS record is still published correctly
  • Copy the DNS record for manual publication
  • Retire an active key (after a replacement is active)
  • Delete a retired key from SpoofWard's records

Verification

SpoofWard continuously monitors your published DKIM records:

  • Record presence — Checks that the TXT record exists in DNS
  • Record accuracy — Verifies the published key matches the generated key
  • Key strength — Flags keys using deprecated or weak algorithms
  • Rotation age — Warns when a key has not been rotated within the recommended timeframe

If any issue is detected, an alert is sent to your configured alert channels.

Troubleshooting

  • Verification fails after publishing — DNS propagation can take up to 48 hours. Wait and try again. Ensure you copied the full TXT record value without truncation.
  • 2048-bit key not resolving — Some older DNS providers do not handle split TXT strings correctly. Verify the record is published as a single TXT record with multiple quoted strings, not multiple TXT records.
  • Selector already in use — Each selector must be unique per domain. Choose a different selector name if the one you entered is already taken.
  • DKIM signature failing after rotation — Ensure your mail server is configured to use the new private key and selector. The old key must remain published in DNS until all in-flight messages have been delivered.
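The following is an added example, not SpoofWard's own code. It shows the record-building and verification logic described in the Key Size Considerations, Verification and Troubleshooting sections above: a 2048-bit public key value is split into 255-character strings of one TXT record, and a checker compares what DNS returns against the generated key, distinguishing a correct multi-string record from the "value split across multiple TXT records" mistake. The public key is a constructed stand-in (no real RSA key is generated here), and the function names are this example's own.

```python
import base64
import re

# Constructed stand-in for the base64 DER public key SpoofWard would display.
# A real 2048-bit RSA SubjectPublicKeyInfo encodes to about 392 base64
# characters, so this value exceeds the 255-character limit of one DNS string.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(256)) + bytes(range(38))).decode()

MAX_STRING = 255  # maximum length of a single TXT character-string


def build_dkim_record(selector, domain, pubkey_b64):
    """Return (record name, list of strings) for ONE DKIM TXT record.
    Values over 255 characters become several quoted strings of that record;
    resolvers concatenate them before the signature is verified."""
    if not re.fullmatch(r"[a-z0-9-]+", selector):
        raise ValueError("selector: lowercase letters, digits and hyphens only")
    name = f"{selector}._domainkey.{domain}"
    value = f"v=DKIM1; k=rsa; p={pubkey_b64}"
    return name, [value[i:i + MAX_STRING] for i in range(0, len(value), MAX_STRING)]


def parse_dkim_txt(strings):
    """Concatenate the strings of one TXT record and parse its tag=value pairs."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def check_published(expected_pubkey_b64, txt_records):
    """Compare the TXT record set DNS returns with the generated key.
    txt_records: list of records, each a list of strings, as a resolver
    hands them back. Returns a list of findings; empty means healthy."""
    findings, dkim = [], []
    for rec in txt_records:
        tags = parse_dkim_txt(rec)
        if tags.get("v") == "DKIM1" or "p" in tags:
            dkim.append(tags)
        else:  # bare fragment: the value was split across separate TXT records
            findings.append("incomplete fragment at this name (split across records?)")
    if not dkim:
        findings.append("no DKIM record found")
    elif dkim[0].get("p") != expected_pubkey_b64:
        findings.append("published key does not match the generated key (truncated?)")
    return findings
```

Feed `check_published` the TXT strings a resolver returns for `selector._domainkey.domain` and an empty result corresponds to the Active state; the two misconfigurations from Troubleshooting each produce a finding.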
