DKIM for Multiple Domains: Setup and Key Management Guide

How to manage DKIM across multiple domains. Guide covering key generation, DNS setup, selector strategies, and key rotation for multi-domain email environments.

Last updated: 2026-05-27

If your business sends email from more than one domain, each domain needs its own DKIM configuration. A shared key across domains is not possible - DKIM ties every key pair to a specific domain name. That means you need a clear plan for generating keys, publishing DNS records, and keeping everything organized as your domain portfolio grows.

Why Each Domain Needs Its Own DKIM Keys

DKIM works by linking a private key (used to sign outgoing messages) with a public key (published in DNS under your domain), as defined in RFC 6376. The receiving mail server checks the signature against the public key at selector._domainkey.yourdomain.com. Because that DNS path includes the domain name, keys from one domain simply will not work for another.

This applies even if all your domains send through the same mail server. Each domain must have:

  • Its own key pair (private and public)
  • Its own DNS TXT record containing the public key
  • A selector name assigned in your mail server configuration

You can use the same mail server to send email for many domains. What you cannot do is reuse a single DKIM key pair across those domains - each domain needs its own.

Same vs. Different Selectors Across Domains

When managing DKIM for several domains, you will need to decide whether to use the same selector name everywhere or to vary it per domain.

| Approach | Pros | Cons |
| --- | --- | --- |
| Same selector everywhere (e.g., `mail`) | Simple to remember. Consistent configuration across domains. | Rotating keys for one domain could cause confusion with others. |
| Different selectors per domain | Each domain is fully independent. Easy to isolate issues. | More names to track. Slightly more setup effort. |
| Date-based selectors (e.g., `2026q4`) | Rotation history is built into the name. Works well across all domains. | Requires a naming convention everyone follows. |

For most small businesses, using the same date-based selector pattern across all domains is the simplest approach. It keeps things predictable without creating extra complexity.

Using a Consistent Naming Convention

A naming convention saves time and prevents mistakes as your domain count grows. Decide on a pattern early and stick to it. Some practical options:

  • Date-based - 2026q4, 2027q1 - shows when the key was created
  • Service-based - google, sendgrid, mailchimp - shows which platform signs with that key
  • Combined - google-2026q4 - captures both the service and the rotation period

Whichever pattern you choose, document it somewhere your team can reference. When you manage ten or more domains, a consistent convention is the difference between a smooth rotation cycle and a stressful troubleshooting session.

Generating Keys for Each Domain

The process for generating DKIM keys is the same regardless of how many domains you manage - you just repeat it for each one.

1. Open DKIM Creator - Go to DKIM Creator and start a new key generation.
2. Enter your first domain - Type the domain name (e.g., example.com) and choose your selector name following your naming convention.
3. Select your key size - Choose 2048-bit for strong security. Use 1024-bit only if your DNS provider has record length limits.
4. Generate and save - Copy the private key for your mail server and the DNS TXT record for your domain registrar. Store the private key securely.
5. Repeat for each domain - Go back and generate a new key pair for the next domain. Each domain gets its own unique keys.

Managing DNS Records Across Multiple Registrars

Many businesses use different registrars or DNS providers for different domains. This adds a layer of coordination to DKIM management.

Keep a spreadsheet or internal document that tracks:

  • Domain name - the domain the key belongs to
  • DNS provider - where the DNS records for that domain are managed
  • Selector - the selector name in use
  • Date created - when the key was generated
  • Next rotation date - when the key should be replaced

When adding DKIM records, remember that the TXT record name follows the format selector._domainkey.yourdomain.com. Some DNS dashboards want you to enter the full name, while others only need the part before the domain (e.g., selector._domainkey). Check how your specific provider handles this to avoid publishing the record at the wrong location.

Verify after publishing

After adding a DKIM record at any registrar, verify it with a DNS lookup tool before moving on to the next domain. Catching a typo early is far easier than debugging delivery failures later.
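
An added example (not part of the original guide or of DKIM Creator): a Python check for the two publishing mistakes described above, a record that landed under the wrong name and a key value that was mangled on the way into the dashboard, using the RFC 6376 tag rules. The function names are this example's own, and `SAMPLE_P` is a constructed stand-in with the outer DER header of a 2048-bit key, not a usable key.

```python
import base64

def record_name(selector, domain):
    """Name verifiers query: selector._domainkey.domain (no trailing dot)."""
    return f"{selector}._domainkey.{domain}".lower().rstrip(".")

def check_name(published, selector, domain):
    """Compare the name a record actually landed on with the expected one."""
    want, got = record_name(selector, domain), published.lower().rstrip(".")
    if got == want:
        return "ok"
    if got == f"{want}.{domain.lower().rstrip('.')}":
        return "domain doubled: this dashboard wants only selector._domainkey"
    return f"wrong name: expected {want}"

def der_complete(der):
    """True if der is one SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    length, header = der[1], 2
    if length & 0x80:                        # long-form length field
        header += length & 0x7F
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)

def check_value(chunks):
    """Validate a DKIM key record given as the list of TXT strings from DNS."""
    tags = {}
    for index, part in enumerate(p for p in "".join(chunks).split(";") if p.strip()):
        name, sep, value = part.partition("=")
        if not sep:
            return f"malformed tag {part.strip()!r}"
        if name.strip() == "v" and (index != 0 or value.strip() != "DKIM1"):
            return "v= must be the first tag and equal DKIM1"
        tags[name.strip()] = "".join(value.split())   # drop folding whitespace
    key = tags.get("p")
    if not key:
        return "p= missing" if key is None else "p= empty: key is revoked"
    try:
        der = base64.b64decode(key, validate=True)
    except ValueError:
        return "p= is not valid base64"
    if tags.get("k", "rsa") == "rsa" and not der_complete(der):
        return "p= decodes but the key is incomplete"
    return "ok"

# Constructed stand-in for a 2048-bit key: correct outer DER header, zero body.
SAMPLE_P = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
```

Feed `check_value` the strings exactly as the lookup tool returns them; a 2048-bit key normally arrives as two or more quoted strings, which the function joins before parsing.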

DKIM with Subdomains

Subdomains like mail.example.com or news.example.com are treated as separate domains for DKIM purposes. If a subdomain sends email, it needs its own DKIM key pair and DNS record published under that subdomain.

For example, if your subdomain is news.example.com and your selector is 2026q4, the DNS record goes at:

2026q4._domainkey.news.example.com

Some email services let you configure DKIM at the parent domain level and apply it to all subdomains automatically. Check your provider's documentation - but when in doubt, set up DKIM explicitly for each subdomain that sends mail. It is the more reliable approach.

Key Rotation Strategy for Multiple Domains

Rotating keys across many domains requires planning. Doing them all at once is risky - a single mistake could disrupt email for every domain simultaneously.

| Strategy | Best For |
| --- | --- |
| Staggered rotation (a few domains per week) | Businesses with 5+ domains. Limits blast radius of any error. |
| Quarterly rotation on a fixed schedule | Teams that want a predictable cadence. Easy to plan around. |
| Annual rotation during low-traffic periods | Small businesses with fewer domains and lower email volume. |
| Immediate rotation after security events | Any organization. Always rotate if a private key may be compromised. |

For each rotation, follow the standard process: generate new keys with a new selector, publish the new DNS record, wait for propagation, update the mail server, then retire the old record after one to two weeks.

Never remove an old DKIM DNS record on the same day you switch to a new key. Emails already in transit may still carry signatures from the old key. Keep both records live for at least one week.
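
The tracking sheet from the DNS section and the staggered rotation described here, combined in an added Python example (not from the original guide): it turns inventory rows into dated publish, switch and retire steps. The inventory rows, `per_week`, `propagation_days` and the `b` suffix used when a key is rotated twice in one quarter are assumptions of this example.

```python
from datetime import date, timedelta

def quarter_selector(day):
    """Date-based selector in the guide's style, e.g. 2026q4."""
    return f"{day.year}q{(day.month - 1) // 3 + 1}"

def plan_rotation(inventory, start, per_week=2, propagation_days=2, overlap_days=14):
    """Dated rotation steps for every domain due by `start`, staggered weekly.

    per_week, propagation_days and the "b" suffix are assumptions of this
    example; the one-week minimum overlap is the guide's rule.
    """
    if overlap_days < 7:
        raise ValueError("keep the old record live for at least one week")
    due = sorted((r for r in inventory if r["next_rotation"] <= start),
                 key=lambda r: r["next_rotation"])
    plan = []
    for index, row in enumerate(due):
        publish = start + timedelta(weeks=index // per_week)   # a few per week
        new_selector = quarter_selector(publish)
        if new_selector == row["selector"]:        # never reuse the live selector
            new_selector += "b"
        switch = publish + timedelta(days=propagation_days)
        plan.append({
            "domain": row["domain"],
            "provider": row["provider"],
            "publish": (publish, f"{new_selector}._domainkey.{row['domain']}"),
            "switch_signing": switch,
            "retire": (switch + timedelta(days=overlap_days),
                       f"{row['selector']}._domainkey.{row['domain']}"),
        })
    return plan

# Constructed inventory using a subset of the columns the guide says to track.
INVENTORY = [
    {"domain": "example.com", "provider": "dns-a", "selector": "2026q3", "next_rotation": date(2026, 10, 1)},
    {"domain": "example.net", "provider": "dns-b", "selector": "2026q3", "next_rotation": date(2026, 10, 1)},
    {"domain": "news.example.com", "provider": "dns-a", "selector": "2026q3", "next_rotation": date(2026, 10, 5)},
    {"domain": "shop.example.org", "provider": "dns-c", "selector": "2026q4", "next_rotation": date(2026, 10, 5)},
    {"domain": "example.org", "provider": "dns-c", "selector": "2026q4", "next_rotation": date(2027, 1, 1)},
]
```

Calling `plan_rotation(INVENTORY, date(2026, 10, 5))` puts two domains in the first week and two in the second, and each `retire` date falls after the signing switch plus the overlap window.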

Keeping It All Manageable

Managing DKIM across multiple domains is not technically difficult - it is an organizational challenge. The businesses that do it well share a few habits:

  • They use a consistent selector naming convention across all domains
  • They maintain a central record of every domain, selector, DNS provider, and rotation date
  • They stagger key rotation rather than doing everything at once
  • They verify DNS records immediately after publishing
  • They generate keys with a trusted tool that keeps the process fast and repeatable

The goal is to make DKIM management routine rather than reactive. With a clear system in place, adding a new domain to your portfolio takes minutes, not hours.

References

  • RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures
