Hosted DKIM
The Hosted DKIM page lets you manage DKIM signing keys for your domain through Palisade. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, allowing receivers to verify that messages were authorized by the domain owner and not modified in transit.
Hosted DKIM requires DMARC monitoring to be set up first. Enable it from the gear menu on the Domain Overview page.
How It Works
When Hosted DKIM is active, Palisade manages DKIM key records for your domain via CNAME delegation. This lets you add, rotate, or remove DKIM keys without directly editing DNS.
Before You Enable
Palisade detects many DKIM selectors from your DMARC reports, but not all selectors can be discovered automatically. DKIM keys are published under arbitrary names chosen by each sending service, and there is no single DNS record that lists them all. This means some active keys may not appear in Palisade — and those are the ones most likely to be missed during migration.
If a DKIM key is not carried over, that sending service's emails will fail DKIM authentication. Depending on your DMARC policy, this can cause messages to be sent to spam or rejected outright. Do not assume that the keys Palisade detected are the complete set.
Before enabling Hosted DKIM:
- Start with what Palisade detected — review the DKIM keys that Palisade has already discovered from your DMARC reports. These are a good starting point, but they are not guaranteed to be complete.
- Inventory your sending services — list every service that sends email on behalf of your domain (email provider, marketing platform, CRM, support desk, transactional email service, etc.).
- Find each service's DKIM selector — check the DKIM setup documentation for each service. Common selectors include google, selector1/selector2 (Microsoft 365), s1/s2, k1, mandrill, sendgrid, etc.
- Add any missing selectors in Palisade — compare your inventory with what Palisade detected and fill in any gaps.
- Cross-reference with DMARC reports — check the Senders List to identify services you may have overlooked.
- Enable the CNAME only after all keys are accounted for.
If you are unsure which selectors are in use, check your DMARC reports — they show DKIM results including the selector name for each message. The Senders List is also helpful for identifying all active sending services.
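One way to run the cross-check described above, as an added example (not Palisade's code): it reads a DMARC aggregate report in the RFC 7489 XML layout, collects the selectors that signed for your domain, and lists those missing from your inventory. The report contents, the domain example.com and the inventory set are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate report (RFC 7489 layout), trimmed to the
# fields used below. Domains, IPs and counts are made up.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count></row>
    <auth_results>
      <dkim><domain>example.com</domain><selector>google</selector><result>pass</result></dkim>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count></row>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <dkim><domain>esp.example.net</domain><selector>k1</selector><result>pass</result></dkim>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count></row>
    <auth_results>
      <dkim><domain>example.com</domain><result>fail</result></dkim>
    </auth_results>
  </record>
</feedback>"""


def selectors_seen(report_xml, domain):
    """Return {selector: message_count} for DKIM signatures with d=domain."""
    seen = defaultdict(int)
    for record in ET.fromstring(report_xml).iter("record"):
        count = int(record.findtext("row/count", default="0"))
        for dkim in record.iterfind("auth_results/dkim"):
            if (dkim.findtext("domain") or "").strip().lower() != domain:
                continue  # third-party signing domain, its keys live in its own DNS
            # <selector> is optional in the schema; "" marks signatures without one.
            seen[(dkim.findtext("selector") or "").strip().lower()] += count
    return dict(seen)


def missing_selectors(report_xml, domain, inventory):
    """Selectors observed in the report but absent from the planned inventory."""
    known = {s.lower() for s in inventory}
    return sorted(s for s in selectors_seen(report_xml, domain) if s and s not in known)


if __name__ == "__main__":
    # {"google"} is a hypothetical inventory of keys already accounted for.
    print(missing_selectors(SAMPLE_REPORT, "example.com", {"google"}))
```

Aggregate reports are sent by third parties, so treat the XML as untrusted input; a hardened parser such as defusedxml is a suitable replacement for production use. Signatures reported without a selector are counted under the empty string and need manual follow-up.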
Managing DKIM Keys
Each DKIM key entry includes:
- Selector — the DKIM selector name (e.g., google, s1, selector1)
- Key type — the cryptographic algorithm (typically RSA)
- Status — whether the key is verified and active
You can add keys for each of your sending services. Most email providers document which selector name they use — check your provider's DKIM setup instructions.
Rotating Keys
When a sending service rotates its DKIM keys (changes the public key value), you need to update the key in Palisade. Some providers rotate keys automatically on a schedule — monitor for DKIM failures in your DMARC reports to catch rotations early.
Domain Status
A status badge at the top shows:
- Active — DKIM CNAME records are verified and live
- Verifying — waiting for DNS propagation
- Error — DNS verification failed
- Inactive — Hosted DKIM is not enabled