DEV Community

S. Afsan
S. Afsan

Posted on • Originally published at mailermonk.com

How to set up DKIM for Zoho Mail

#email #dns #dkim #zoho

Originally published on mailermonk.com. Cross-posted here for reach — the canonical version lives on MailerMonk.

About this guide

Zoho Mail is a budget-friendly business mail platform. The DKIM step is unusual — you generate the selector inside the Zoho admin console rather than using a fixed name.

DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Zoho Mail, you publish one or more DNS records at <selector>._domainkey.<your-domain> containing the public key matching the private key Zoho Mail uses to sign.

Most ESPs (including Zoho Mail) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.

Publish these DNS records

Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

Host:  <your-selector>._domainkey
Type:  TXT
Value: v=DKIM1; k=rsa; p=<KEY_FROM_ZOHO>
Enter fullscreen mode Exit fullscreen mode

Why this matters

  • Zoho asks you to choose a selector when generating the key in the Mail Admin Console (https://mailadmin.zoho.com → Domains → your domain → Email Configuration → DKIM). zoho is the conventional choice; once chosen, the selector is fixed for that key.
  • Zoho generates 2048-bit keys. The TXT value will exceed the 255-character single-string limit; most DNS providers (Cloudflare, Route 53, Namecheap, GoDaddy) split this automatically when pasting. If your provider does not, wrap the value as multiple quoted strings concatenated: "v=DKIM1; k=rsa; p=MIIBIj..." "...rest".
  • After the TXT record propagates, return to the Zoho admin console and click Verify. Only after Zoho validates the record will the Enable DKIM button appear — publishing DNS alone does not turn on signing.

Where in Zoho Mail

The DKIM configuration lives in Zoho Mail Admin → Domains → <your-domain> → Email Configuration → DKIM.

Verify the records

After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.

dig +short TXT <selector>._domainkey.your-domain.com
Enter fullscreen mode Exit fullscreen mode

Common pitfalls

  • Zoho's DKIM verification step takes 30–60 minutes to recognize a freshly published TXT record even when DNS has propagated globally. Hitting the Verify button repeatedly does not help — wait it out and try again after an hour.
  • If you migrate from Google Workspace to Zoho, remove Google's _domainkey records during cutover or you'll have multiple DKIM selectors active and may get flagged as spoofing.
  • EU and US Zoho accounts use different DNS hosts. include:zoho.com is for global/US; EU customers must use include:zohomail.eu. The DKIM record is generated regardless, but the SPF mismatch will fail alignment for some receivers (especially Outlook.com and Yahoo EU).
  • The Zoho admin console occasionally shows the TXT value truncated in the UI. Always copy from the Copy button rather than selecting text manually — manual selection often misses the trailing characters of the public key.

Frequently asked questions

What selector should I use for Zoho Mail DKIM?

Zoho lets you choose any selector name when generating the key, but zoho is the de-facto standard and the one Zoho's own documentation uses in examples. Once you generate the key with a given selector, the selector is fixed for that key — to change it, generate a new key with the new selector and publish a second TXT record. You can run two selectors in parallel during a rotation without breaking anything.

Where do I find the DKIM key value in Zoho?

Sign in at https://mailadmin.zoho.com as an admin or super-admin → Domains (left menu) → click the domain you're configuring → Email Configuration → DKIM. Click Add Selector, choose a name (e.g. zoho), and Zoho generates the public-key TXT value. Copy it with the Copy button — do not select the text manually as the UI sometimes truncates trailing characters.

Why does Zoho's Verify button say the DKIM record is missing when dig shows it's published?

Zoho's verification probes a non-authoritative resolver that lags 30–60 minutes behind public DNS propagation. If dig +short TXT zoho._domainkey.your-domain.com from a public resolver (1.1.1.1, 8.8.8.8) returns the record, the record is live — just wait an hour and click Verify again. There's nothing wrong with your DNS.

Can I use Zoho Mail's DKIM with another provider's SPF and DMARC?

Yes — DKIM, SPF, and DMARC are independent. You can sign outbound Zoho mail with DKIM while your SPF record includes multiple senders (Zoho + your CRM + your marketing tool) and your single _dmarc record covers them all. DKIM alignment only requires that the d= tag in the DKIM signature matches the From: header domain, which Zoho handles when you authenticate your domain.

My Zoho DKIM key is over 255 characters — how do I publish it?

DNS TXT records have a 255-character per-string limit, but a single TXT record can contain multiple quoted strings concatenated. Modern DNS providers (Cloudflare, Route 53, Namecheap, GoDaddy, Google Domains) handle this automatically — paste the full key as one value and they split it. For older providers that don't auto-split, manually wrap it: "v=DKIM1; k=rsa; p=MIIBIj...first-255-chars" "...rest-of-key". Receivers reassemble the strings before parsing.

How long does it take for Zoho DKIM to start working?

Once you publish the TXT record, allow up to an hour for DNS propagation to Zoho's verification probe. After Zoho's Verify succeeds and you click Enable DKIM, signing starts on the next outbound message — there is no further delay. Receivers cache DKIM keys briefly (typically 5–15 minutes), so the first message may not verify at every receiver immediately but should be clean within 30 minutes.

Do I need to enable DKIM in Zoho even after the DNS record is verified?

Yes — verification only confirms the public key is reachable. You must explicitly click Enable DKIM for that selector in the Zoho admin console for Zoho to start signing outbound mail with the matching private key. Until you flip the switch, the TXT record exists but no signatures are produced, and DMARC will fail DKIM alignment.

Want continuous monitoring instead of one-shot DNS checks? MailerMonk watches your DKIM record, aggregate DMARC reports, and inbox placement — and pings you the moment something drifts. Free for the first domain.

Top comments (0)