Skip to content

DKIM keys

Manage your DKIM keys to sign and authenticate outbound emails.

DomainKeys Identified Mail (DKIM) is used to authorize an email by verifying its digital signature, which associates a domain name with the email. See DKIM.

Outbound DKIM signing

To set up outbound DKIM signing, you need to generate a DKIM key in Sophos Email.

A public key is generated which you use to create and publish a DKIM TXT record, and a private key is generated in the background.

When you send an email, Sophos Email applies policy settings to the email, creates a hash of the mail content, and adds a new header.


The hash is encrypted by your private key.

When the receiving mail server sees that an email has a DKIM signature, it does a DNS lookup to find the DKIM TXT record associated with the sending domain. It uses the public key to decrypt the digital signature back to the hash value. It then takes the elements of the signed message and creates its own hash that compares it to the decrypted hash. If these don't match, the DKIM check will fail.

Add a DKIM key

Add a DKIM record to your domain so that outgoing mail will be signed and authenticated against your domain.

Generate a DKIM key in Sophos Email and create a DNS TXT record for your domain.


The size of a DKIM key is 2048 bits.


If you have smart banners turned on, we strongly recommend that you sign emails with a DKIM key. We remove the banners on outbound replies, which modifies the emails.

To add a DKIM key, do as follows:

  1. Go to My Products > General Settings > Domains Settings / Status and click the domain to which you want to add a DKIM key.
  2. Click Add key.
  3. Copy the DKIM information that is generated automatically and use it to create a DNS TXT record for your domain.

    For details on how to create a DNS TXT record, contact your DNS provider.


    A key pair is generated by Sophos Email. The private key is generated in the background and is stored in Sophos Email. The public key is visible in the DKIM information and is used to create your DNS TXT record.

  4. Wait for the DNS TXT record to propagate. This may take up to an hour.

  5. Once your DNS TXT record has been published, click Test record to check that your DNS TXT record matches the information in Sophos Email.


    If the test fails, check your DNS TXT record, correct any mistakes, and click Test record.

  6. Activate the DKIM key, then click Save.

The DKIM key is activated. Note that this deactivates any other active DKIM key for that domain.

You can now add DKIM keys for your other domains.