Skip to content
Last update: 2022-06-28

DKIM keys

Manage your DKIM keys to sign and authenticate outbound emails.

DomainKeys Identified Mail (DKIM) is used to authorize an email by verifying its digital signature, which associates a domain name with the email. See DKIM.

Outbound DKIM signing

To set up outbound DKIM signing, you need to generate a DKIM key in Sophos Email.

A public key is generated which you use to create and publish a DKIM TXT record, and a private key in generated in the background.

When you send an email, Sophos Email applies policy settings to the email and then creates a hash of the mail content and adds a new header.


The hash is encrypted by your private key.

When the receiving mail server sees that an email has a DKIM signature, it does a DNS lookup to find the DKIM TXT record associated with the sending domain. It uses the public key to decrypt the digital signature back to the hash value. It then takes the elements of the message that were signed and creates it's own hash that it compares it to the decrypted hash. If these do not match, the DKIM check will fail.

Add a DKIM key

Add a DKIM record to your domain so that outgoing mail will be signed and authenticated against your domain.

Generate a DKIM key in Sophos Email and create a DNS TXT record for your domain.


If you have smart banners turned on, we strongly recommend that you sign emails with a DKIM key. We remove the banners on outbound replies, which modifies the emails.

  1. Go to Global Settings > Domains settings/status and click on the domain you want to add a DKIM key to.
  2. Click Add key.
  3. Copy the DKIM information that is generated automatically and use it to create a DNS TXT record for your domain.

    You need to speak to your third party DNS provider about setting this up.


    A key pair is generated by Sophos Email. The private key is generated in the background and is stored in Sophos Email. The public key is visible in the DKIM information and is used to create your DNS TXT record.

  4. Wait for the DNS TXT record to propagate. This may take up to an hour.

  5. Once your DNS TXT record has been published, click on Test record to check that your DNS TXT record matches the information in Sophos Email.


    If the test fails, check your DNS TXT record, correct any mistakes, and click Test record.

  6. Activate the DKIM key then click Save.

The DKIM key is activated. Note that this deactivates any other active DKIM key for that domain.

You can now add DKIM keys for your other domains.

Back to top