Understand DKIM configuration when using Cloudflare Email Routing or Cloudflare as your DNS provider.
CNAME
Depends on your email provider
Depends on your email provider
Cloudflare Email Routing does not require its own DKIM record. Add DKIM records for your actual email sending provider. Cloudflare DNS is where you manage all DKIM records.
Cloudflare is typically your DNS provider, not your email sender. DKIM records for your email provider (Google Workspace, Microsoft 365, etc.) are added through Cloudflare's DNS dashboard.
Go to dash.cloudflare.com and select your domain.
Go to DNS > Records.
Add the DKIM TXT or CNAME records provided by your email service. Cloudflare DNS supports both record types.
# Example for Google Workspace:
google._domainkey TXT "v=DKIM1; k=rsa; p=YOUR_KEY"
# Example for Microsoft 365:
selector1._domainkey CNAME selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.comAfter adding DKIM records in Cloudflare DNS, verify them in your email provider's dashboard.
After adding your DNS records, use our free DKIM checker to verify everything is configured correctly. DNS changes typically propagate within minutes, but can take up to 48 hours.
No. Cloudflare Email Routing forwards email and does not add its own DKIM signature. DKIM signing is handled by your email sending provider.
Go to DNS > Records in your Cloudflare dashboard. Add the TXT or CNAME records provided by your email service. Ensure the proxy is set to DNS-only (gray cloud).
Email DNS records (MX, TXT for SPF/DKIM, CNAME for DKIM) must resolve directly, not through Cloudflare's HTTP proxy. The orange cloud proxy is only for web traffic.