DKIM explained: what it is and why every cold sender needs it
What DKIM does, why 2048-bit, how propagation works, what Inboxlee sets automatically.
Rejwan Nirob·Apr 20, 2026·5 min readDKIM (DomainKeys Identified Mail) is a cryptographic signature attached to every email you send. Mailbox providers use it to verify the email was actually sent from your domain - not spoofed by someone else.
Why 2048-bit
1024-bit keys are now considered weak. Google flags them. Modern best practice is 2048-bit RSA. Inboxlee generates and rotates 2048-bit keys automatically on every domain you provision.
What Inboxlee sets up for you
- DKIM TXT record at google._domainkey (2048-bit)
- SPF record with Google Workspace include
- DMARC policy at p=quarantine (progressive to p=reject)
- Background polling until the records propagate (typically 5–30 minutes)
Frequently asked
What is DKIM in plain English?
DKIM is a cryptographic signature on every email you send. The receiving server uses your published public key to verify the message actually came from your domain and was not modified in transit. Without DKIM, the receiver has no way to prove authenticity.
Is 1024-bit DKIM still acceptable in 2026?
No. 1024-bit keys are now considered weak and Google flags them in Postmaster Tools. Modern best practice is 2048-bit RSA. Inboxlee generates 2048-bit keys by default and rotates them automatically every 12 months using the dual-selector method.
How long does DKIM take to propagate after I add the record?
Typically 5 to 30 minutes for global DNS propagation. Inboxlee polls the actual mailbox provider (not just DNS) every 60 seconds and only marks the mailbox live once the provider confirms DKIM verification - avoiding the false positive of a record being cached globally but not yet picked up by Google.
Do I need a different DKIM key for every domain?
Yes. Each domain publishes its own DKIM public key as a TXT record at selector._domainkey.yourdomain.com. Inboxlee provisions and verifies a unique 2048-bit key per domain automatically.