DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Zoho Mail, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Zoho Mail uses to sign.
Most ESPs (including Zoho Mail) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.
Publish these DNS records
Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.
- Type
TXT- Host
<your-selector>._domainkey- Value
v=DKIM1; k=rsa; p=<KEY_FROM_ZOHO>
- Zoho asks you to choose a selector when generating the key — `zoho` and `default` are common. Once chosen, the selector is fixed for that key.
- Zoho generates 2048-bit keys. The TXT value will exceed the 255-character single-string limit; most DNS providers split this automatically when pasting.
Where in Zoho Mail
The DKIM configuration lives in Zoho Mail Admin → Domains → <your-domain> → Email Configuration → DKIM.
Verify the records
After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.
dig +short TXT <selector>._domainkey.your-domain.comCommon pitfalls
- Zoho's DKIM verification step takes 30–60 minutes to recognize a freshly published TXT record even when DNS has propagated. The Verify button doesn't help — wait it out.
- If you migrate from Google Workspace to Zoho, remove Google's `_domainkey` records during cutover or you'll have multiple DKIM selectors active and may get flagged as spoofing.