Suped

Is a DKIM record published in the root domain or subdomain?

It's a common point of confusion when setting up email authentication: does the DKIM record go on your main (or root) domain, or does it need to be on a subdomain? The short answer is that it almost always involves a subdomain, but the nuances depend on how you send email.

A DKIM record is not placed directly on your root domain (like yourdomain.com). Instead, it's published at a specific hostname that includes a unique "selector." This structure inherently creates a subdomain.

Zoho says:
In the DKIM process, a public key is published as a TXT record for the domain's DNS Manager. Every outgoing email includes a unique DKIM signature header. The receiving mail server uses the selector from the signature to look up the public key and verify the email's authenticity.

Understanding the DKIM record structure

DKIM, or DomainKeys Identified Mail, works by adding a digital signature to your outgoing emails. Receiving servers verify this signature using a public key that you publish in your domain's DNS records. The location of this record is not arbitrary. It follows a specific format:

selector._domainkey.yourdomain.com

Let's break this down:

  • Selector: This is a unique identifier you choose. It allows you to have multiple DKIM keys for the same domain, which is useful if you send email from different platforms. For example, you might have one selector for Google Workspace and another for your marketing platform.
  • _domainkey: This is a standard, required part of the DKIM specification.
  • yourdomain.com: This is the domain the key is for, which could be your root domain or a subdomain you send email from.

As you can see, the selector._domainkey prefix makes the record's full hostname a subdomain of your main domain. So, technically, all DKIM records are published on a subdomain.

Root domain vs. subdomain authority

The more practical question is whether the DKIM signature should authenticate your root domain or a sending subdomain. When you send an email, the DKIM signature in the header contains a d= tag. This tag specifies which domain is taking responsibility for the message. This can be your root domain (d=yourdomain.com) or a subdomain (d=mail.yourdomain.com).

Mailgun says:
As such, our customers have the option of setting the DKIM authority to either be that subdomain or the root (with the caveat that both domains must be verified sending domains within Mailgun).

When you use a third-party email service provider (ESP) like Mailgun, Customer.io, or Klaviyo, they will typically instruct you to set up DKIM records that point to their servers. This is often done using a CNAME record. This approach keeps their sending infrastructure separate from your primary domain records.

Customer.io says:
Our authentication records are stored in a subdomain so they won't conflict with other settings in your DNS host. By using a subdomain for authentication, you can also have different authentication records for different services.

Why sending from a subdomain is a good idea

It is a widely accepted best practice to use a subdomain for sending marketing or transactional emails, rather than using your root domain. For example, you might send from news@updates.yourcompany.com instead of news@yourcompany.com.

This separates the reputation of your marketing emails from your corporate, day-to-day emails. If your marketing list has deliverability issues, it won't impact the crucial emails sent between your employees and clients from your root domain.

In this scenario, you would publish a DKIM record specifically for the sending subdomain. The record would be located at a hostname like:

selector._domainkey.updates.yourcompany.com

This setup satisfies DMARC alignment, because the domain in the From: header (updates.yourcompany.com) matches the domain in the DKIM signature (d=updates.yourcompany.com).
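The record location described under "Understanding the DKIM record structure" and the From:/d= match described above can be checked from a message's own headers. The following is an added example, not code from the article or from any provider it quotes; the sample message, the selectors mktg2024 and s1, and the domain esp-mail.example are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real mail). Selectors "mktg2024" and "s1",
# the domain esp-mail.example and the bh=/b= values are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=updates.yourcompany.com;\r\n"
    "\ts=mktg2024; h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=esp-mail.example; s=s1;\r\n"
    "\th=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\r\n"
    "From: News <news@updates.yourcompany.com>\r\n"
    "Subject: Hello\r\n"
    "\r\n"
    "Body\r\n"
)

def parse_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace inside a value is not significant here.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def analyse(raw):
    """Return the From: domain and, per signature, its d= domain, the DNS name
    a receiver queries for the key, and whether d= equals the From: domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        if "s" not in tags or "d" not in tags:
            continue  # without both tags the key record cannot be located
        d = tags["d"].lower()
        results.append({
            "d": d,
            "lookup": f"{tags['s'].lower()}._domainkey.{d}",
            "matches_from": d == from_domain,  # exact match, as in the article
        })
    return from_domain, results

if __name__ == "__main__":
    domain, sigs = analyse(SAMPLE)
    print("From domain:", domain)
    for sig in sigs:
        print(sig)
```

The second signature in the sample is signed under a different domain than the From: address, so it is reported with matches_from set to False even though its key record is still found at a selector._domainkey hostname.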

Final recommendation

To summarize, while all DKIM records live on a specific type of subdomain (selector._domainkey), the key decision is whether that record authenticates your root domain or a sending subdomain. For most businesses, especially those using third-party sending services, the best practice is to:

  • Send marketing and transactional emails from a dedicated subdomain.
  • Publish DKIM (and SPF) records for that specific sending subdomain.
  • Ensure your root domain is also authenticated for corporate email, preventing spoofing attempts on your primary brand identity.
