BYODKIM: One TXT Record Instead of Three CNAMEs
Bring Your Own DKIM simplifies domain verification. We generate an RSA keypair, sign your emails, and you publish one TXT record. Here's the technical breakdown.
Domain authentication is the single most important factor in whether your emails reach the inbox. But the traditional DKIM setup — three CNAMEs, waiting for propagation, hoping nothing breaks — is painful. We built BYODKIM to fix that.
How traditional DKIM works
Most email providers use what's called "Easy DKIM." They generate an RSA keypair, then give you three CNAME records to publish. Each CNAME points to a different selector that the provider manages. This approach has its merits — the provider can rotate keys without you lifting a finger — but it comes with trade-offs:
- Three DNS records to manage instead of one
- CNAME chain resolution adds latency to DNS lookups
- No control over the signing key
How BYODKIM works
With BYODKIM, Relay generates an RSA keypair for your domain. You publish a single TXT record containing the public key. That's it — one record, done.
When Relay sends an email on your behalf, it signs the message with your private key. The receiving server verifies the signature against the TXT record you published. The result: your email is authenticated, trusted, and lands in the inbox.
Why this matters
- Simpler setup — one DNS record vs. three CNAMEs
- Faster verification — no CNAME chain resolution
- Full control — you own the signing key
- Better compatibility — some strict receivers don't like CNAME chains
Getting started
Sign up for Relay, add your domain, and choose BYODKIM. We'll show you the exact TXT record to publish and verify it automatically. Most domains are verified in under 60 seconds.
Check out our docs for the full setup guide.