Adding DKIM Records in DigitalOcean: DNS Setup Guide
How to add DKIM DNS records in DigitalOcean. Step-by-step guide covering the DigitalOcean DNS management panel and TXT record configuration.
Last updated: 2026-05-20
DigitalOcean is a popular choice for hosting Droplets and managing DNS, but it does not provide email hosting on its own. If you run a mail server on a Droplet or use a third-party email service like SendGrid or Postmark, you still need to add DKIM records to your DigitalOcean DNS so that receiving mail servers can verify your messages. This guide walks through the entire process using the DigitalOcean Control Panel. For general DKIM background, see our complete DKIM guide.
What You Need Before You Start
Before heading into the DNS panel, make sure you have a few things ready:
- A DKIM key pair - a public key for DNS and a private key for your mail server or email service.
- Your selector name - the label that identifies which DKIM key to look up (for example, `default`, `mail`, or `sendgrid`). See DKIM selectors explained if you need help choosing one.
- Access to the DigitalOcean Control Panel - you need to be logged in and have your domain added under Networking.
If you have not generated your DKIM keys yet, you can create them in seconds with DKIM Creator. Keys are generated in your browser and never leave your machine.
Understanding DigitalOcean DNS and Email
DigitalOcean DNS is a straightforward domain management service that many teams use alongside their Droplet infrastructure. It supports TXT records, CNAME records, and all the standard DNS record types you would expect.
However, there is one important distinction to keep in mind: DigitalOcean does not offer email hosting. You are typically using DigitalOcean DNS in one of two scenarios:
- Self-hosted mail server - You run Postfix, OpenDKIM, or a similar stack on a Droplet and manage DNS through DigitalOcean.
- Third-party email service - You use a transactional or marketing email provider (SendGrid, Postmark, Mailgun, Amazon SES) and point your DNS records at DigitalOcean.
In both cases, you need to add a DKIM TXT record to your domain's DNS zone so that recipient servers can look up your public key and verify email signatures.
Your email provider will usually tell you exactly what hostname and value to use for your DKIM record. If you are self-hosting, you will generate the record yourself using a tool like DKIM Creator.
Adding a DKIM TXT Record in DigitalOcean
Here is the step-by-step process for adding your DKIM record through the DigitalOcean Control Panel.
Open the Networking panel
Log in to your DigitalOcean account and click Networking in the left sidebar of the Control Panel. This is where all your domain and DNS settings live.
Select your domain
Under the Domains tab, find and click on the domain you want to add the DKIM record to. This opens the DNS records management view for that domain.
Choose TXT as the record type
At the top of the DNS records page, you will see tabs for different record types (A, AAAA, CNAME, MX, TXT, NS, SRV). Click the TXT tab, then click Add Record or use the form that appears.
Enter the hostname
In the Hostname field, enter your selector followed by ._domainkey. For example, if your selector is mail, type mail._domainkey. DigitalOcean will automatically append your domain name, so the full DNS entry becomes mail._domainkey.yourdomain.com.
Paste the DKIM record value
In the Value field, paste the full DKIM record string. This starts with v=DKIM1; and includes your public key. Make sure you copy the entire value without any extra spaces or line breaks.
Set the TTL
The TTL (Time to Live) defaults to 1800 seconds (30 minutes) in DigitalOcean. This is a reasonable default. You can leave it as-is or increase it to 3600 (1 hour) once you have confirmed everything works.
Save the record
Click Create Record to save. Your DKIM TXT record is now published in DigitalOcean DNS. It may take a few minutes to an hour for the change to propagate across the internet.
DigitalOcean DNS Record Fields at a Glance
Use this table as a quick reference when filling out the form in the Control Panel.
| Field | What to Enter |
|---|---|
| **Record Type** | TXT |
| **Hostname** | `selector._domainkey` (e.g., `mail._domainkey`) |
| **Value** | Your full DKIM record (starts with `v=DKIM1;`) |
| **TTL** | 1800 (default) or 3600 |
Make sure the hostname field contains only selector._domainkey and not the full domain. DigitalOcean appends the domain automatically. If you type the full domain, you will end up with a record at mail._domainkey.yourdomain.com.yourdomain.com, which will not work.
Adding a DKIM CNAME Record Instead
Some email providers, like Microsoft 365, give you a CNAME record instead of a TXT record for DKIM. DigitalOcean supports this as well. The process is nearly identical:
- Click the CNAME tab instead of TXT.
- Enter the hostname your provider specifies (e.g., `selector1._domainkey`).
- Paste the target value your provider gives you (e.g., `selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com`).
- Save the record.
If you are not sure whether to use TXT or CNAME, check with your email provider or read our guide on DKIM TXT vs CNAME records. For self-hosted setups and most third-party services, TXT is the standard choice.
Verifying Your DKIM Record
After saving the record, give DNS a few minutes to propagate. Then verify it is live by running a DNS lookup. You can use the terminal on your Droplet or any machine:
dig TXT mail._domainkey.yourdomain.com +short
Replace mail with your actual selector and yourdomain.com with your domain. You should see your DKIM record value in the response.
If nothing comes back, wait a bit longer. DigitalOcean DNS updates are usually fast, but full propagation can take up to a couple of hours depending on caching.
Common Mistakes with DigitalOcean DKIM Records
Duplicating the domain in the hostname - The most frequent error. Type mail._domainkey, not mail._domainkey.yourdomain.com. DigitalOcean adds the domain for you.
Truncated record value - DKIM public keys for 2048-bit keys are long. Make sure you have copied the entire value. If the record looks cut off, double-check the source. See DKIM record too long for solutions.
Wrong record type - If your email provider gave you a CNAME target, do not paste it into a TXT record. Use the correct record type as specified by your provider.
Forgetting to configure the mail server - Adding the DNS record is only half of the setup. Your mail server or email service also needs the private key installed and DKIM signing enabled. The DNS record lets receivers look up your public key, but your server has to actually sign outgoing messages.
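The hostname, truncation and record-type mistakes above can be checked mechanically against the output of the `dig` lookup, which prints a long TXT value as several quoted chunks. This is an added example, not part of the original guide; the function names, problem codes, the `example.com` domain and the placeholder key bytes are assumptions constructed for illustration.

```python
import base64
import re

def join_txt_chunks(dig_line):
    """dig +short shows a long TXT value as several quoted chunks; rejoin them."""
    chunks = re.findall(r'"([^"]*)"', dig_line)
    return "".join(chunks) if chunks else dig_line.strip()

def parse_tags(record):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, dropping whitespace in values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def der_total_length(der):
    """Length (header + body) that the outer DER SEQUENCE header declares."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:
        return 2 + der[1]
    n = der[1] & 0x7F
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_dkim_record(fqdn, domain, dig_line):
    """Return a list of problem codes; an empty list means the record looks sane."""
    problems = []
    name = fqdn.lower().rstrip(".")
    if name.endswith(f".{domain}.{domain}".lower()):
        problems.append("duplicated-domain")  # full domain typed into Hostname
    tags = parse_tags(join_txt_chunks(dig_line))
    if tags.get("v") != "DKIM1":
        problems.append("missing-v-dkim1")  # e.g. a CNAME target pasted as TXT
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
        if der_total_length(der) != len(der):
            problems.append("key-truncated-or-invalid")
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("key-truncated-or-invalid")
    return problems

# Constructed sample: 294 placeholder bytes shaped like a 2048-bit RSA key, not a real key.
SAMPLE_P = base64.b64encode(bytes([0x30, 0x82, 0x01, 0x22]) + bytes(290)).decode()
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + SAMPLE_P
SAMPLE_DIG = " ".join(f'"{SAMPLE_VALUE[i:i + 255]}"' for i in range(0, len(SAMPLE_VALUE), 255))
```

Pass the name you queried, your domain, and one line of `dig ... +short` output to `check_dkim_record`; the key check only confirms the value is complete, not that it matches your private key.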
Test with a real email
After setup, send a test email to a Gmail address. Open the message, click the three dots, and select "Show original." Look for dkim=pass in the Authentication-Results header to confirm everything is working.
DigitalOcean DNS with Third-Party Email Services
If you use a service like SendGrid, Postmark, or Mailgun for sending email, they will provide you with the exact DKIM records to add. The process in DigitalOcean is the same - go to Networking, select your domain, and add the TXT or CNAME records they specify.
Most of these services require you to add two or three DNS records total (DKIM plus SPF and sometimes a verification record). Follow their documentation for the specific values and use the DigitalOcean steps above to enter each one.