I need to setup SPK and DKIM record for mail.mydomain.com. I have set the following at namecheap -

For SPF -

Record type :TXT

Hostname : mail.mydomain.com

Value : v=spf1 ip4:x.x.x.x ~all

For DKIM -

Record type : TXT

Host : mailer._domainkey

Value : "v=DKIM1; k=rsa; p=LONGSTRING"

This does not work when checked with online checking tools like mail-tester, mxtoolbox etc.


Unlike one of the answers below, it is possible to setup records for subdomains as well. It is an issue with Namecheap (and likely other providers as well). You need to setup hostname like this-

SPF hostname : mail
DKIM hostname : mailer._domainkey.mail

Namecheap will automatically add the domain.com at the end. You don't need to add it. Also DNS propagation for DKIM records took over 15 hours.

Aditya Singh
  • 271
  • 1
  • 3
  • 7
  • Unless you are signing email for users with as `mailer._domainkey.mail`, the DKIM key will not be found. Assuming your users are sending mail with addresses llike `user@mydomain.com`, you should be signing for `mydomain.com`, in which case your DKIM record will not be found – BillThor May 22 '17 at 01:08
  • 2
    if you solved it, you should probably answer and accept your own question instead of editing – istepaniuk Aug 06 '19 at 16:28

2 Answers2


Like in the answer from BillThor, you probably NEED to set up SPF and DKIM for the example.com i.e. the hostname used in email addresses user@example.com, where mail.example.com is only a MX for the domain. But, to answer the exact question...

Unlike claimed on another answer, it is possible to set up both SPF and DKIM on every level. After all, example.com. is a subdomain of com. that is also a subdomain of ., not to even mention domains that are already next level subdomains, e.g. co.uk.

  • SPF records are defined (RFC 7208, 3) to be placed in the DNS tree at the owner name it pertains to, not in a subdomain under the owner name. The first line is for mail sent from user@example.com and the second for user@mail.example.com.

     example.com.       IN   TXT   "v=spf1 a mx -all"
     mail.example.com.  IN   TXT   "v=spf1 a mx -all"

    SPF is not inherited i.e. it doesn't protect subdomains. Additionally, for every subdomain with an A record that isn't intended for sending email you should add:

     sub.example.com.   IN   TXT   "v=spf1 -all"
  • DKIM recods are defined differently: DKIM Namespace (RFC 6376, is a subdomain:

All DKIM keys are stored in a subdomain named _domainkey. Given a DKIM-Signature field with a d= tag of example.com and an s= tag of foo.bar, the DNS query will be for

In the DKIM-Signature email header you can have d=example.com or d=mail.example.com, with the corresponding i=user@example.com / i=user@mail.example.com. Equivalent DNS records:

    selector._domainkey.example.com.        IN   TXT   "v=DKIM1; k=rsa; p=...
    selector._domainkey.mail.example.com.   IN   TXT   "v=DKIM1; k=rsa; p=...
  • Once you have implemented (and tested) SPF and DKIM, consider protecting the From header by implementing a DMARC policy (RFC 7489). A DMARC policy is inherited by all subdomains "unless subdomain policy is explicitly described using the sp tag" (section 6.3). E.g.

     _dmarc.example.com.  IN   TXT   "v=DMARC1; p=reject; aspf=s; adkim=s;"
Esa Jokinen
  • 43,252
  • 2
  • 75
  • 122

You should configure DKIM and SPF for the domain you are sending mail for. Given the subdomain mail.example.com. it is likely sending traffic for the example.com domain, and has email addresses like user@example.com.

In this case, you need to configure DKIM records under example.com rather than under mail.example.com. The SPF record for example.com could be as simple as v=spf1 a mx -all.

There is no reason why the mail server cannot send mail a different domain such as example.net and/or example.org. For each domain configure DKIM relative to that domain and an SPF record for that domain.

It is useful to define an SPF record for the mail server domain like v=spf1 a -all. This allow SPF validation of the host address.

You should also consider configuring DMARC records. These are defined relative to the domain in the sending email address rather than the domain that is sending the email.

I have posted on Securing your Email Reputation with SPF, Implementing DKIM with Exim and other subjects. The DNS details for DKIM are applicable to all mail servers.

  • 27,354
  • 3
  • 35
  • 69