LogoSimply SendDOCS
    GuideDomain VerificationDKIM

    DKIM Configuration

    DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send, proving it really came from yourdomain.com.

    Overview

    DomainKeys Identified Mail (DKIM) is an email security standard designed to verify the sender domain and check if an email's content was altered in transit. It associates a domain name with an email message by signing the email headers with a cryptographic signature.

    Why It's Needed

    Cryptographic verification proves to receiving mail servers (such as Gmail, Outlook, and Yahoo) that the message is authentic and has not been hijacked. Setting up DKIM is one of the most effective ways to build a strong sender reputation, improve inbox placement rates, and satisfy modern deliverability requirements.

    Step 1: Retrieve Your DKIM Selectors

    Log in to Simply Send, go to the Domains page, select your domain, and navigate to the DNS Records page. Under the Email Authentication section, you will find your pre-generated DKIM selectors (simplysendo and simplysenda).

    Step 2: DNS Record Specifications

    Simply Send requires two separate DKIM records to support our dual-provider infrastructure. You must add both records to your DNS provider:

    Record TypeHost / NameValue / Points toTTLVerification Status
    CNAMEsimplysendo._domainkey.yourdomain.comsimplysendo.yourdomain.com.dkim.region.oracleemaildelivery.comAuto / 1 hourMandatory
    TXTsimplysenda._domainkey.yourdomain.comv=DKIM1; k=rsa; p=abcdefg123456...Auto / 1 hourMandatory

    Step 3: Configuration Guide & Critical Considerations

    Why are there two separate DKIM records?

    Simply Send routes emails across multiple underlying clouds (AWS SES and Oracle Cloud Infrastructure) depending on mail volume, speed, and delivery optimization rules.

    • The CNAME record delegates the DKIM key signing authority to Oracle Cloud, enabling seamless signing across our distributed OCI routing instances. Note that the region placeholder in the record value will be customized inside your Simply Send dashboard to match your specific OCI tenant region.
    • The TXT record contains the static RSA public key matching a private key secured within AWS SES, enabling instant cryptographic authentication for all AWS-routed transactional delivery paths.

    DNS Provider Naming Guidelines

    Different DNS registrars require different formats for the Host/Name field. Pay attention to whether your provider (e.g. Cloudflare, Route53, GoDaddy) automatically appends your domain name:

    • Cloudflare & Route 53: Accept the full subdomain string, e.g. simplysendo._domainkey.yourdomain.com
    • GoDaddy & Namecheap: Expect only the prefix, e.g. simplysendo._domainkey (they will automatically append .yourdomain.com to it)

    Sample DKIM Values Reference

    DKIM CNAME Configuration Example:

    simplysendo.yourdomain.com.dkim.us-ashburn-1.oracleemaildelivery.com

    DKIM TXT Public Key Configuration Example:

    v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4j... (truncated)

    Step 4: Verify and Activate

    Wait for Propagation

    DNS CNAME and TXT changes can take from 15 minutes to 24 hours to replicate globally across DNS resolvers.

    Enable in Console

    Once the DNS records show as verified, click "Enable DKIM" inside your Simply Send dashboard to start signing all outbound emails.

    Final Step: Enforce Policy (DMARC)

    With SPF and DKIM configured, set up DMARC to instruct receiving servers how to handle messages failing these checks.

    Configure DMARC