It's a common point of confusion when setting up email authentication: does the DKIM record go on your main (or root) domain, or does it need to be on a subdomain? The short answer is that it almost always involves a subdomain, but the nuances depend on how you send email.
A DKIM record is not placed directly on your root domain (like yourdomain.com). Instead, it's published at a specific hostname that includes a unique "selector." This structure inherently creates a subdomain.
DKIM, or DomainKeys Identified Mail, works by adding a digital signature to your outgoing emails. Receiving servers verify this signature using a public key that you publish as a TXT record in your domain's DNS. The location of that record is not arbitrary; it follows a fixed format:
selector._domainkey.yourdomain.com
Let's break this down:

selector: a label you (or your email provider) choose, such as mail2024 or google. It lets several keys exist for the same domain at once, so a new key can be published and rotated in without invalidating mail signed with the old one.
_domainkey: a fixed label required by the DKIM specification; every DKIM public-key record lives under it.
yourdomain.com: the domain that is claiming responsibility for the message, which must match the d= tag in the signature (more on that below).
As you can see, the labels selector._domainkey are prefixed to your domain name, so the record lives at a hostname beneath your domain rather than at the domain itself. Technically, then, all DKIM records are published on a subdomain.
The more practical question is whether the DKIM signature should authenticate your root domain or a sending subdomain. When you send an email, the DKIM signature in the header contains a d= tag. This tag specifies which domain is taking responsibility for the message. This can be your root domain (d=yourdomain.com) or a subdomain (d=mail.yourdomain.com).
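As an added example (not code from the original article), the following Python shows what a receiving server does with the two tags above: it reads d= and s= from a DKIM-Signature header, builds the selector._domainkey.domain name it has to query, and parses the public-key TXT record it gets back. The header value, the key bytes and the TXT strings are all constructed here; the key is a placeholder blob, not a real RSA key, and no DNS lookup is performed.

```python
import base64

# Constructed sample DKIM-Signature header value. The bh= and b= values are
# placeholders, not a real hash or signature; only d= and s= matter here.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=updates.yourcompany.com;"
    " s=mail2024; h=from:to:subject:date; bh=ZmFrZWhhc2g=; b=ZmFrZXNpZw=="
)

# Constructed placeholder key blob (not a real RSA key). A real p= value is
# the base64 of a DER-encoded SubjectPublicKeyInfo and is usually longer than
# 255 bytes, so resolvers return it as several quoted strings to be joined.
FAKE_KEY_BYTES = b"\x30\x82\x01\x22" + bytes(range(256)) + b"\x00" * 34
_B64 = base64.b64encode(FAKE_KEY_BYTES).decode()
SAMPLE_TXT_STRINGS = ["v=DKIM1; k=rsa; p=" + _B64[:220], _B64[220:]]


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict.

    Folding whitespace inside a value is removed, which matters for the long
    base64 p= and b= values that are commonly wrapped across lines.
    """
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = "".join(val.split())
    return tags


def dkim_record_name(signature_header):
    """Return the DNS name a verifier must query for this signature's key."""
    tags = parse_tags(signature_header)
    if "d" not in tags or "s" not in tags:
        raise ValueError("DKIM-Signature lacks the required d= or s= tag")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def join_txt_strings(strings):
    """Concatenate the character-strings of one TXT RR into a single value."""
    return "".join(strings)


def parse_dkim_key_record(txt):
    """Parse the TXT record found at selector._domainkey.domain.

    Returns a dict with 'key_type' and 'public_key' (DER bytes, or None when
    the record has an empty p=, which RFC 6376 defines as a revoked key).
    """
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM key record")
    if "p" not in tags:
        raise ValueError("key record has no p= tag")
    key = base64.b64decode(tags["p"], validate=True) if tags["p"] else None
    return {"key_type": tags.get("k", "rsa"), "public_key": key}


if __name__ == "__main__":
    name = dkim_record_name(SAMPLE_SIGNATURE)
    print("query TXT", name)
    record = parse_dkim_key_record(join_txt_strings(SAMPLE_TXT_STRINGS))
    print(record["key_type"], len(record["public_key"]), "DER bytes")
```

Two details worth noticing: the hostname is derived entirely from the signature, so whoever controls the d= domain's DNS controls which key is trusted, and an empty p= is a deliberate revocation rather than a broken record.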
When you use a third-party email service provider (ESP) like Mailgun, Customer.io, or Klaviyo, they will typically ask you to publish DKIM records whose contents they control. This is usually done with a CNAME record: you create selector._domainkey.yourdomain.com as a CNAME pointing at a hostname in the ESP's own DNS zone, and the actual TXT record holding the public key lives there. Because the key sits in their zone, the ESP can rotate it without asking you to edit DNS again, while the signature still carries your domain in its d= tag. Note that a CNAME must be the only record at that name, so you cannot mix a CNAME delegation and your own TXT record under the same selector.
It is a widely accepted best practice to use a subdomain for sending marketing or transactional emails, rather than using your root domain. For example, you might send from news@updates.yourcompany.com instead of news@yourcompany.com.
This separates the reputation of your marketing emails from your corporate, day-to-day emails. If your marketing list causes deliverability problems, the damage is largely contained to the subdomain rather than the root domain your employees send from. The separation is not absolute: mailbox providers also track reputation at the organizational-domain level, and a DMARC policy published on the root domain applies to its subdomains unless you set a separate sp= policy.
In this scenario, you would publish a DKIM record specifically for the sending subdomain. The record would be located at a hostname like:
selector._domainkey.updates.yourcompany.com
This setup satisfies DMARC alignment: the domain in the `From:` header (updates.yourcompany.com) is identical to the domain in the DKIM signature (d=updates.yourcompany.com), which passes even under strict alignment (adkim=s). Under the default relaxed mode (adkim=r), a signature with d=yourcompany.com would also align, because both share the organizational domain yourcompany.com. A signature made with the ESP's own domain in d= never aligns, no matter how valid the signature is, which is why the ESP needs a key under your domain in the first place.
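To make the alignment rule concrete, here is an added Python example (not from the original article) that takes a constructed message carrying two DKIM signatures, one from the ESP's own domain and one from the sending subdomain, reads the adkim mode from a constructed DMARC record, and reports which signature aligns with the `From:` domain. The organizational-domain logic is simplified to "last two labels" for the example; a real verifier uses the Public Suffix List. Cryptographic verification of the signatures is assumed to have already passed and is not performed here.

```python
from email.utils import parseaddr

# Constructed sample headers. Two signatures are present: one by the ESP using
# its own domain, one using the customer's sending subdomain. The bh= and b=
# values are placeholders; signature verification is assumed done elsewhere.
SAMPLE_HEADERS = {
    "From": "Yourcompany News <news@updates.yourcompany.com>",
    "DKIM-Signature": [
        "v=1; a=rsa-sha256; d=esp-provider.example; s=k1; bh=ZmFrZQ==; b=ZmFrZQ==",
        "v=1; a=rsa-sha256; d=updates.yourcompany.com; s=mail2024; bh=ZmFrZQ==; b=ZmFrZQ==",
    ],
}
# Constructed DMARC record, as if published at _dmarc.yourcompany.com
SAMPLE_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@yourcompany.com"


def tag_value(record, tag, default=None):
    """Return one tag's value from a tag=value; list (DKIM and DMARC share the syntax)."""
    for part in record.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip() == tag:
            return val.strip()
    return default


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.

    Assumption for this example only. Real verifiers consult the Public Suffix
    List so that, for instance, shop.example.co.uk maps to example.co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dkim_aligned(header_from_domain, signing_domain, mode="r"):
    """RFC 7489 identifier alignment for DKIM.

    mode 's' (strict): the d= domain must equal the From: domain exactly.
    mode 'r' (relaxed): the two must share an organizational domain.
    """
    f = header_from_domain.lower().rstrip(".")
    d = signing_domain.lower().rstrip(".")
    if f == d:
        return True
    if mode == "s":
        return False
    return organizational_domain(f) == organizational_domain(d)


def from_domain(headers):
    """Extract the domain of the RFC5322.From address."""
    _, addr = parseaddr(headers["From"])
    if "@" not in addr:
        raise ValueError("From: header has no usable address")
    return addr.rsplit("@", 1)[1].lower()


def evaluate_dkim_alignment(headers, dmarc_record):
    """Map each signing domain to whether it aligns with From: under the
    policy's adkim mode (relaxed when the tag is absent)."""
    mode = tag_value(dmarc_record, "adkim", "r")
    f = from_domain(headers)
    return {
        tag_value(sig, "d"): dkim_aligned(f, tag_value(sig, "d"), mode)
        for sig in headers.get("DKIM-Signature", [])
    }


def dmarc_dkim_pass(headers, dmarc_record):
    """DMARC needs at least one signature that both verifies and aligns."""
    return any(evaluate_dkim_alignment(headers, dmarc_record).values())


if __name__ == "__main__":
    for domain, ok in evaluate_dkim_alignment(SAMPLE_HEADERS, SAMPLE_DMARC).items():
        print(f"d={domain}: {'aligned' if ok else 'not aligned'}")
    print("DMARC DKIM result:", "pass" if dmarc_dkim_pass(SAMPLE_HEADERS, SAMPLE_DMARC) else "fail")
```

Changing the constructed record's adkim=s to adkim=r shows the other half of the rule: a signature with d=yourcompany.com then aligns with a From: on updates.yourcompany.com, whereas the ESP's d=esp-provider.example signature stays unaligned in both modes.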
To summarize, while all DKIM records live on a specific type of subdomain (selector._domainkey), the key decision is whether that record authenticates your root domain or a sending subdomain. For most businesses, especially those using third-party sending services, the best practice is to: