DKIM for Zoho Mail: Setup and DNS Configuration Guide
How to set up DKIM for Zoho Mail. Step-by-step guide covering DKIM key generation in Zoho Admin, DNS record configuration, and verification.
Last updated: 2026-03-26
This guide is part of our Email Providers series.
If your business sends email through Zoho Mail, setting up DKIM is one of the most important steps you can take to protect your domain and improve deliverability. Without DKIM, receiving mail servers have no way to verify that messages claiming to come from your domain were actually authorized by you. That means your emails are more likely to land in spam folders or be rejected entirely. Whether you use Zoho Mail's free personal plan or Zoho Workplace for your team, configuring DKIM, SPF, and DMARC together gives your domain the best chance of reaching every inbox.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. Receiving servers check that signature against a public key stored in your DNS records. If the signature matches, the email is confirmed as authentic and unaltered.
How DKIM Works With Zoho Mail
Zoho Mail has built-in DKIM key management, which means you do not need to generate keys manually or install anything on a server. The Zoho Admin Console handles key generation for you. When you enable DKIM for your domain, Zoho creates a key pair: a private key that Zoho keeps on its servers to sign your outgoing emails, and a public key that you publish as a DNS TXT record on your domain. Every email sent through Zoho Mail is then signed automatically, and receiving servers can verify the signature by looking up your public key in DNS.
Zoho assigns a default DKIM selector - typically a generated string like zmail - to identify the key. You can also create additional selectors if you manage multiple domains or want to rotate keys on a schedule.
Setting Up DKIM in Zoho Mail
Open the Zoho Admin Console
Log in to the Zoho Admin Console at admin.zoho.com. You need to be an administrator for your organization to access DKIM settings. Navigate to Mail Administration in the left sidebar, then select Domains.
Select your domain
Click on the domain you want to configure DKIM for. If you have multiple domains in your Zoho account, make sure you select the correct one. Zoho needs to manage email for this domain before DKIM can be enabled.
Navigate to DKIM settings
Within the domain settings, click on DKIM. This section shows any existing DKIM configurations and lets you add new ones.
Generate a new DKIM key
Click Add to create a new DKIM selector and key pair. Zoho will generate the key pair and display the TXT record value you need to add to your DNS. Copy the full TXT record - it includes the selector name, the record host, and the public key value.
Add the TXT record to your DNS
Go to your DNS provider (wherever you manage your domain's DNS records) and create a new TXT record using the values Zoho provided. The hostname will follow the format selector._domainkey.yourdomain.com.
Verify and activate in Zoho
Return to the Zoho Admin Console and click Verify. Zoho checks your DNS for the TXT record. Once verified, activate the DKIM selector so Zoho begins signing outgoing emails with that key. DNS changes can take a few minutes to several hours to propagate.
DNS Record Details
When you add the DKIM TXT record to your DNS, use the exact values from the Zoho Admin Console. Here is what each field should contain:
| DNS Field | Value |
|---|---|
| Host / Name | `zmail._domainkey` (or your custom selector followed by `._domainkey`) |
| Type | TXT |
| Value | The full public key string provided by Zoho (starts with `v=DKIM1;`) |
| TTL | 3600 (1 hour) or your provider default |
Copy the TXT record value exactly as Zoho provides it. Even a single missing character will cause DKIM verification to fail. If your DNS provider has a character limit for TXT records, you may need to split the value into multiple quoted strings - most modern providers handle this automatically.
Need to generate a custom DKIM key?
DKIM Creator generates key pairs instantly in your browser. Useful for testing, backup keys, or domains not yet connected to Zoho.
Understanding Zoho DKIM Selectors
A DKIM selector is a label that tells receiving servers which public key to look up in your DNS. Zoho typically assigns a default selector like zmail, but you can create additional selectors at any time through the Admin Console. This is useful in several situations:
- Key rotation - Create a new selector with a fresh key pair periodically. Keep the old DNS record active for a week or two to cover emails still in transit, then remove it.
- Multiple domains - Each domain in your Zoho account gets its own DKIM configuration and selector. You manage them independently.
- Testing - Set up a separate selector for staging or testing environments so you can validate DKIM without affecting production email.
To check which selector Zoho is using, look at the email headers of a sent message. The DKIM-Signature header includes a s= field that shows the active selector.
Using Zoho Mail Alongside Other Email Services
Many businesses use Zoho Mail for day-to-day communication but rely on other services for transactional email, marketing campaigns, or CRM notifications. Each service that sends email on behalf of your domain should have its own DKIM configuration.
For example, if you use Zoho Mail for team email and a transactional provider like SendGrid or Mailgun for application notifications, each service needs a separate DKIM selector and DNS record. This works because DKIM selectors are independent - you can have multiple _domainkey TXT records under the same domain without conflict.
Your SPF record also needs to include all services authorized to send email for your domain. A combined SPF record might look like:
v=spf1 include:zoho.com include:sendgrid.net ~all
Pair SPF and DKIM with a DMARC policy to get full protection. A basic DMARC record to start with:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Set p=none initially so you can monitor reports without blocking any email. Once you confirm everything is aligned, move to p=quarantine or p=reject.
Troubleshooting Zoho DKIM Issues
Verification fails in Zoho Admin Console
- DNS propagation can take up to 48 hours, though most changes appear within an hour. Wait and try verifying again.
- Double-check that the TXT record hostname matches exactly what Zoho specified, including the
._domainkeysuffix. - Some DNS providers add your domain automatically to the hostname. If Zoho says to use
zmail._domainkey.yourdomain.com, you may only need to enterzmail._domainkeyas the host - check your provider's documentation.
Emails still failing DKIM checks after activation
- Confirm the selector is activated (not just verified) in the Zoho Admin Console.
- Check email headers for the
DKIM-Signaturefield. If it is missing, the selector may not be active. - Ensure the sending address matches the domain you configured DKIM for.
DMARC failures despite DKIM passing
- DMARC requires alignment - the domain in the
Fromheader must match the domain used in the DKIM signature. Verify that your From address uses the same domain where DKIM is configured. - Check your SPF record as well. DMARC passes if either SPF or DKIM is aligned, but having both configured correctly gives the best results.
Related Articles
References
- RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures
- Zoho Mail official documentation — DKIM configuration
Sending email through Zoho Mail? Make sure every message is authenticated with DKIM.
Set up DKIM for Zoho Mail
Generate DKIM keys instantly with DKIM Creator. Free, browser-based, and no signup required.
Generate DKIM Keys