Adding DKIM Records in Cloudflare: DNS Panel Walkthrough
How to add DKIM DNS records in Cloudflare. Step-by-step walkthrough of the Cloudflare DNS panel for adding TXT and CNAME DKIM records.
Last updated: 2026-05-12
This guide is part of our Setup & Configuration resources.
If your domain's DNS is managed through Cloudflare, adding DKIM records is straightforward. Cloudflare's DNS panel supports both TXT and CNAME record types, and changes typically propagate in under five minutes. This walkthrough covers exactly where to go and what to enter. For a general overview of the DKIM setup process, see our complete DKIM guide.
Before you start, you'll need your DKIM record values ready. Use DKIM Creator to generate your key pair - it takes a few seconds and everything stays in your browser.
Getting to the DNS Panel
The first step is navigating to the right place in the Cloudflare dashboard. If you manage multiple domains, make sure you select the correct one before adding records.
Log in to the Cloudflare dashboard
Go to dash.cloudflare.com and sign in with your account credentials. You'll land on your account home page showing all your domains.
Select your domain
Click on the domain you want to add DKIM records for. This opens the domain overview page with traffic stats and quick actions.
Open the DNS settings
In the left sidebar, click DNS and then Records. This is where all your domain's DNS records are listed - A records, MX records, TXT records, and everything else.
Click Add Record
Click the Add Record button near the top of the records list. A form will appear where you can choose the record type and enter the details.
Adding a DKIM TXT Record
Most DKIM setups use TXT records. If you generated your own keys or your email provider gave you a public key value starting with v=DKIM1;, this is the record type you need.
Set the record type to TXT
In the Type dropdown, select TXT. This tells Cloudflare you're adding a plain text DNS record.
Enter the record name
In the Name field, enter selector._domainkey - replacing selector with your actual DKIM selector name. For example, if your selector is mail, you'd enter mail._domainkey. Cloudflare automatically appends your domain name, so you don't need to include it.
Paste the DKIM value
In the Content field, paste your full DKIM record value. This is the string that starts with v=DKIM1; and includes your public key. Make sure you paste the entire value without any line breaks or extra spaces.
Save the record
Leave the TTL set to Auto (Cloudflare's default). Click Save to add the record.
No need to worry about proxy settings
Cloudflare's orange cloud proxy only applies to A, AAAA, and CNAME records that serve web traffic. TXT records are never proxied, so the proxy toggle won't even appear. Your DKIM TXT record will work correctly without any extra configuration.
Here's a quick reference for the field values:
| Cloudflare Field | What to Enter |
|---|---|
| **Type** | TXT |
| **Name** | `selector._domainkey` (e.g., `mail._domainkey`) |
| **Content** | Your DKIM value (starts with `v=DKIM1;`) |
| **TTL** | Auto |
Generate your DKIM TXT record
Create a DKIM key pair with properly formatted values ready to paste into Cloudflare.
Adding a DKIM CNAME Record
Some email providers - like Microsoft 365, SendGrid, and Mailchimp - use CNAME records instead of TXT records. With a CNAME, the record points to a hostname controlled by your provider, and they manage the actual DKIM key on their end.
Set the record type to CNAME
In the Type dropdown, select CNAME.
Enter the record name
In the Name field, enter the selector hostname your provider gave you. This is usually something like selector1._domainkey or s1._domainkey. Enter it exactly as your provider specifies.
Enter the target
In the Target field, paste the CNAME target your email provider gave you. This will be a hostname like selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com or similar.
Turn off the proxy
This step is important. Make sure the Proxy status toggle shows a grey cloud (DNS only), not an orange cloud. CNAME records used for DKIM must not be proxied - Cloudflare's proxy would interfere with the DNS lookup and break DKIM verification.
Save the record
Leave TTL on Auto and click Save.
Always set DKIM CNAME records to DNS only (grey cloud). If the orange cloud proxy is enabled on a DKIM CNAME record, receiving mail servers won't be able to look up your public key, and DKIM checks will fail.
TXT vs. CNAME: Which Do You Need?
Not sure which record type to use? Here's a quick breakdown:
| Situation | Record Type |
|---|---|
| You generated your own DKIM keys | TXT |
| Your provider gave you a key starting with `v=DKIM1;` | TXT |
| Your provider gave you a CNAME target hostname | CNAME |
| Microsoft 365 / SendGrid / Mailchimp setup | CNAME (usually) |
| Self-hosted mail server (Postfix, etc.) | TXT |
For a deeper comparison of TXT and CNAME DKIM records, see DKIM Records: TXT vs CNAME.
Verifying Your Record in Cloudflare
After saving, your new record will appear in the DNS records list. Cloudflare propagates changes very quickly - often in under five minutes, sometimes almost instantly. This is significantly faster than many other DNS providers where you might wait hours.
To confirm the record is live, you can run a DNS lookup from your terminal:
dig TXT selector._domainkey.yourdomain.com +short
You should see your DKIM value in the response. If you don't see anything, wait a few minutes and try again.
Common Mistakes to Avoid
Entering the full domain in the Name field. Cloudflare automatically appends your domain. If your domain is example.com and you enter mail._domainkey.example.com in the Name field, the actual record will be created at mail._domainkey.example.com.example.com - which is wrong. Just enter mail._domainkey.
Leaving the proxy on for CNAME records. This is the most common Cloudflare-specific mistake. TXT records aren't affected, but CNAME records will break if the orange cloud proxy is active. Always use DNS only (grey cloud) for DKIM CNAME records.
Pasting the key with line breaks. Some key generators output the public key across multiple lines. When pasting into Cloudflare's Content field, make sure it's a single continuous string with no line breaks. If your 2048-bit key is causing issues, see DKIM record too long.
Using the wrong selector name. Double-check that the selector in your DNS record name matches exactly what your mail server or provider is configured to use. A mismatch means receivers won't find your key.
What's Next?
Once your DKIM record is in Cloudflare and propagated, send a test email to verify that DKIM signing is working. Check the email headers for dkim=pass in the Authentication-Results.
For a complete guide covering Cloudflare-specific DKIM setup from key generation to verification, see the full DKIM for Cloudflare guide.
Related Articles
References
- RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures
- RFC 1035 — Domain Names — Implementation and Specification
- Cloudflare DNS — Create DNS records
Ready to add DKIM records to your Cloudflare domain? Generate your keys first.
Generate DKIM keys for Cloudflare
Create your DKIM key pair in seconds. Copy the values straight into your Cloudflare DNS panel.
Generate DKIM Keys