DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Brevo, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Brevo uses to sign.
Most ESPs (including Brevo) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.
Publish these DNS records
Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.
- Type
TXT- Host
mail._domainkey- Value
k=rsa; p=<KEY_FROM_BREVO>
- Brevo uses the literal selector `mail` and publishes the raw key as TXT. Some other guides reference an `s1`/`s2` pair — that's an older multi-key setup; current Brevo accounts use `mail` only.
Where in Brevo
The DKIM configuration lives in Brevo → Senders, Domains & Dedicated IPs → Domains → Authenticate this domain.
Verify the records
After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.
dig +short TXT <selector>._domainkey.your-domain.comCommon pitfalls
- Brevo's free tier sends from `@sendinblue.com` until you authenticate a domain — even after authentication, transactional mail through the SMTP relay defaults to a random subdomain unless you explicitly configure the From: address.
- The Sendinblue → Brevo rebrand left some docs and DNS templates with stale `sendinblue.com` references. The current canonical DNS host is `brevo.com`.