How to set up DKIM on Cloudflare — including Amazon SES DKIM

I use Amazon SES for all my emailing. It makes it trivially cheap... pennies on the dollar compared to most other email systems.

Of course, this comes at a cost — I have to do quite a bit of set-up.

DKIM is one of those important things to set up. It stands for... something, it doesn't matter. What's important is what DKIM does.

DKIM says "Hey, this random server somewhere is allowed to send emails on behalf of hooshmand.net and it's totally legitimate." That's what DKIM does. It's an authenticity certificate for email.

Setting up DKIM is a slightly confusing process as everyone has a different email system and DNS provider. I had to do a bit of experimenting to get it to work between SES and Cloudflare, which is why I'm publishing this.

Another service I use is Cloudflare. It's (basically) free edge caching and security for websites around the world. To get Cloudflare to work, you have to use it as your DNS provider.

So here's how to use Cloudflare's DNS settings to configure DKIM.

1. Get the DKIM settings

Get the DKIM settings from your web services account. For me, this is Amazon SES.

In the Amazon SES console, go to "Identity" and "Domains".

Look at the settings. There should be three entries that you have to add to your DNS provider for DKIM to work.

DKIM settings in Amazon SES account
My DKIM settings (while I hadn't set it up correctly)

2. Add the settings in your Cloudflare account

Two things to note:

  1. Add only the stem of the domain.
  2. Choose DNS Only.

On adding the stem of the domain: You get a record that will look something like abcd123498usdflkajsdfals._domainkey.yourdomain.com.

You want to omit the trailing domain part (.yourdomain.com), and put in just abcd123498usdflkajsdfals._domainkey as the name of the record (no quotes).

For the content, paste the whole content, all the way through to "amazonses.com".

It's really important to choose DNS only, and not Proxied. If you choose Proxied, your DKIM setup will fail.

Choose DNS only when setting up DKIM on Cloudflare

3. Wait!

You normally have to wait up to 72 hours for DKIM to propagate.

In reality, it's usually between a few hours and a day. Sometimes (like the last time I did it) it's just a few minutes. It's unpredictable.

You'll probably get an email saying your DKIM setup was successful.

DKIM success email

But in my experience, more than a few hours and you've likely done something wrong.
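The two rules from step 2 (stem only, DNS only) can be checked before you start waiting. The following is an added example, not part of the original setup and not Amazon's or Cloudflare's tooling: the record fields (type, name, content, proxied) mirror Cloudflare's DNS record fields, SES's three DKIM entries are taken to be CNAME records pointing at `.dkim.amazonses.com`, and the tokens and domain are constructed sample values.

```python
# Added example: pre-flight check for SES DKIM records headed for Cloudflare.
SES_SUFFIX = ".dkim.amazonses.com"  # assumption: usual SES Easy DKIM target suffix

def record_stem(ses_name, zone):
    """Return what goes in Cloudflare's Name field: the SES name minus the domain."""
    name = ses_name.strip().strip('"').rstrip(".").lower()
    zone = zone.strip().rstrip(".").lower()
    # Loop so an accidentally doubled domain suffix is reduced to the stem too.
    while name.endswith("." + zone):
        name = name[: -len(zone) - 1]
    return name

def check_record(rec, zone):
    """Return the list of problems with one planned record (empty list means OK)."""
    problems = []
    name = rec["name"].strip().strip('"').rstrip(".").lower()
    content = rec["content"].strip().strip('"').rstrip(".").lower()
    if rec.get("type") != "CNAME":
        problems.append("type must be CNAME")
    if name != record_stem(name, zone):
        problems.append("name includes the domain; enter only the stem")
    if not record_stem(name, zone).endswith("._domainkey"):
        problems.append("name must end in ._domainkey")
    if not content.endswith(SES_SUFFIX):
        problems.append("content is cut short; paste through to amazonses.com")
    if rec.get("proxied", False):
        problems.append("record is Proxied; choose DNS only")
    return problems

# Constructed sample data: tokens and domain are placeholders, not real keys.
ZONE = "yourdomain.com"
PLANNED = [
    {"type": "CNAME", "name": "abcd123498usdflkajsdfals._domainkey",
     "content": "abcd123498usdflkajsdfals.dkim.amazonses.com", "proxied": False},
    {"type": "CNAME", "name": "efgh5678._domainkey.yourdomain.com",
     "content": "efgh5678.dkim", "proxied": True},
]

if __name__ == "__main__":
    for rec in PLANNED:
        issues = check_record(rec, ZONE)
        print(rec["name"], "->", "OK" if not issues else "; ".join(issues))
```

The second sample record trips all three mistakes at once: full domain in the name, truncated content, and Proxied switched on.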

