DKIM (DomainKeys Identified Mail) is an email authentication protocol where the sending server signs outgoing messages with a private cryptographic key. The corresponding public key is published in DNS. Receiving servers retrieve the public key, verify the signature, and confirm the message wasn't modified in transit. DKIM proves both sender authorization and message integrity.
What Is DKIM in Email? (DomainKeys Identified Mail Explained)
DKIM in 30 Seconds
DKIM adds a digital signature to every email you send. The receiving server verifies this signature using a public key published in your DNS. If the signature checks out, the server knows the email is legitimately from your domain and wasn't tampered with in transit.
How DKIM Works
- You generate a public/private key pair
- The private key stays on your sending server (or ESP)
- The public key is published as a DNS TXT record
- When sending, the server signs the message headers and body with the private key
- The signature goes into the DKIM-Signature header
- The receiving server retrieves the public key from DNS and verifies the signature
The DKIM-Signature Header
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google;
h=from:to:subject:date:message-id;
bh=abc123bodyHash=; b=xyz789signature=
Key fields:
- d= — the signing domain
- s= — the selector (identifies which key)
- h= — headers included in the signature
- bh= — hash of the message body
- b= — the actual signature
DKIM DNS Record
The public key lives at selector._domainkey.example.com:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...publicKeyHere
If this record is missing or wrong, DKIM fails with "key not found." See DKIM key not found troubleshooting.
Why DKIM Matters
Message integrity: DKIM proves the email wasn't modified after sending. If a middleman alters the body or signed headers, the signature breaks.
Survives forwarding: Unlike SPF, DKIM survives email forwarding because the signature travels with the message. This makes DKIM the more reliable authentication mechanism for DMARC alignment.
Reputation building: Mailbox providers track DKIM-signing domains over time. Consistent DKIM signing builds domain reputation.
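The signing and verification flow described in "How DKIM Works" and the integrity property described just above, as an added Go example written for this page (it is not the page's own code and not any ESP's or library's implementation). It assumes simple/simple canonicalization (RFC 6376's simpler variant; most real signers use relaxed), signs the five headers from the page's h= example, and hands the public key to Verify directly instead of fetching it from selector._domainkey.domain in DNS. The sample headers and body are constructed; Sign, Verify, dataToSign and tag are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Headers covered by the signature, matching the page's h= example.
var signedHeaders = []string{"from", "to", "subject", "date", "message-id"}

// simpleBody is RFC 6376 "simple" body canonicalization: CRLF line endings,
// empty lines at the end of the body removed. ("relaxed" also tolerates whitespace changes.)
func simpleBody(body string) string {
	body = strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n")
	return strings.TrimRight(body, "\r\n") + "\r\n"
}

// dataToSign builds the bytes that get hashed: each h= header as "Name: value" CRLF
// ("simple" header canonicalization, matched case-insensitively), then the
// DKIM-Signature field itself with an empty b= value and no trailing CRLF.
// A listed header that is absent contributes nothing, so adding it later breaks the signature.
func dataToSign(hdrs [][2]string, sigNoB string) []byte {
	var sb strings.Builder
	for _, name := range signedHeaders {
		for _, h := range hdrs {
			if strings.EqualFold(h[0], name) {
				sb.WriteString(h[0] + ": " + h[1] + "\r\n")
				break
			}
		}
	}
	sb.WriteString("DKIM-Signature: " + sigNoB)
	return []byte(sb.String())
}

// tag returns a tag's value from a "k=v; k2=v2" list and the index just past "name=" (-1 if absent).
func tag(list, name string) (string, int) {
	m := regexp.MustCompile(`(?:^|;)\s*` + name + `=([^;]*)`).FindStringSubmatchIndex(list)
	if m == nil {
		return "", -1
	}
	return strings.TrimSpace(list[m[2]:m[3]]), m[2]
}

// Sign returns the DKIM-Signature header value for the message: bh= is the body hash,
// b= the RSA-SHA256 (PKCS#1 v1.5) signature over dataToSign.
func Sign(priv *rsa.PrivateKey, domain, selector string, hdrs [][2]string, body string) (string, error) {
	bh := sha256.Sum256([]byte(simpleBody(body)))
	sigNoB := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signedHeaders, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	hashed := sha256.Sum256(dataToSign(hdrs, sigNoB))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hashed[:])
	if err != nil {
		return "", err
	}
	return sigNoB + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify is the receiver's side; pub stands in for the key it would fetch from
// <s>._domainkey.<d>. A nil result is dkim=pass.
func Verify(pub *rsa.PublicKey, sigHeader string, hdrs [][2]string, body string) error {
	bh := sha256.Sum256([]byte(simpleBody(body)))
	if got, _ := tag(sigHeader, "bh"); got != base64.StdEncoding.EncodeToString(bh[:]) {
		return fmt.Errorf("body hash mismatch: body changed after signing")
	}
	bVal, bStart := tag(sigHeader, "b")
	sig, err := base64.StdEncoding.DecodeString(bVal)
	if bStart < 0 || err != nil {
		return fmt.Errorf("missing or malformed b= tag")
	}
	hashed := sha256.Sum256(dataToSign(hdrs, sigHeader[:bStart]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashed[:], sig) != nil {
		return fmt.Errorf("signature invalid: signed headers changed or wrong key")
	}
	return nil
}

// Constructed sample message (not a real email) for the stand-alone run.
var sampleHeaders = [][2]string{
	{"From", "Alice <alice@example.com>"}, {"To", "bob@example.net"},
	{"Subject", "Q3 report"}, {"Date", "Mon, 06 Apr 2026 09:00:00 +0000"},
	{"Message-ID", "<20260406090000.1@example.com>"},
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	body := "Hello team,\r\nThe report is attached.\r\n"
	sig, _ := Sign(priv, "example.com", "google", sampleHeaders, body)
	fmt.Println("DKIM-Signature:", sig)
	fmt.Println("original:", Verify(&priv.PublicKey, sig, sampleHeaders, body))
	fmt.Println("tampered:", Verify(&priv.PublicKey, sig, sampleHeaders, body+"P.S. added after signing\r\n"))
}
```

Running it prints the DKIM-Signature value, then a pass for the original body and a body-hash mismatch for the altered one. Changing any header listed in h=, or verifying with a key other than the signer's (the stale-DNS situation the practitioner note on ESP migration describes), fails the same way, while headers outside h= can be added or changed without affecting the result.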
Practitioner note: When clients migrate ESPs, DKIM is where things break most often. The new ESP generates a new key pair with a different selector, but nobody adds the new public key to DNS. Emails pass SPF (new IP is in SPF) but fail DKIM for weeks before anyone notices.
Practitioner note: Use 2048-bit keys minimum. Some legacy systems still generate 1024-bit keys, which are considered weak. If your DKIM key is 1024-bit, rotate to 2048-bit.
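An added Go example (not from the page, any ESP or any library) that serves both the "DKIM DNS Record" section and the key-size note above: it renders the TXT record value for a public key, parses a record back into its tags and key, and applies the 2048-bit rule. LookupName, ParseDKIMRecord, RecordFor and KeyStrengthOK are names chosen here; the records it checks are constructed from freshly generated keys rather than fetched from DNS.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// DKIMRecord is the parsed form of a selector._domainkey TXT record.
type DKIMRecord struct {
	Version string // v=; optional, must be DKIM1 and first if present
	KeyType string // k=; defaults to rsa
	Key     *rsa.PublicKey
	Bits    int // modulus size, what the 2048-bit minimum refers to
}

// LookupName is the DNS name where the public key for selector/domain is published.
func LookupName(selector, domain string) string {
	return selector + "._domainkey." + domain
}

// ParseDKIMRecord decodes the TXT text. An empty p= is how a revoked key is
// published; a record that will not parse is what verifiers report as a permanent error.
func ParseDKIMRecord(txt string) (*DKIMRecord, error) {
	rec := &DKIMRecord{KeyType: "rsa"}
	p := ""
	for _, part := range strings.Split(txt, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(part), "=")
		if !ok {
			continue
		}
		k, v = strings.TrimSpace(k), strings.TrimSpace(v)
		switch k {
		case "v":
			rec.Version = v
		case "k":
			rec.KeyType = v
		case "p":
			p = strings.ReplaceAll(v, " ", "") // long keys are often split or wrapped with spaces
		}
	}
	if rec.Version != "" && rec.Version != "DKIM1" {
		return nil, fmt.Errorf("unsupported version %q", rec.Version)
	}
	if rec.KeyType != "rsa" {
		return nil, fmt.Errorf("unsupported key type %q (this example handles rsa only)", rec.KeyType)
	}
	if p == "" {
		return nil, fmt.Errorf("empty p= tag: key revoked")
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return nil, fmt.Errorf("p= is not valid base64: %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("p= is not a valid public key: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("p= is not an RSA key")
	}
	rec.Key, rec.Bits = rsaPub, rsaPub.N.BitLen()
	return rec, nil
}

// KeyStrengthOK applies the page's rule: 2048-bit keys minimum.
func KeyStrengthOK(rec *DKIMRecord) bool { return rec.Bits >= 2048 }

// RecordFor renders the TXT record value for a public key, in the shape an ESP
// or setup guide hands you to paste into DNS.
func RecordFor(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

func main() {
	for _, bits := range []int{1024, 2048} { // constructed keys, not anyone's real DKIM key
		priv, _ := rsa.GenerateKey(rand.Reader, bits)
		txt, _ := RecordFor(&priv.PublicKey)
		rec, err := ParseDKIMRecord(txt)
		fmt.Printf("%s: bits=%d strong=%v err=%v\n", LookupName("google", "example.com"), rec.Bits, KeyStrengthOK(rec), err)
	}
	_, err := ParseDKIMRecord("v=DKIM1; k=rsa; p=")
	fmt.Println("revoked record:", err)
}
```

To check a live selector, feed ParseDKIMRecord the strings returned by net.LookupTXT for the name LookupName builds (the same name the dig command in the FAQ queries); a 1024-bit result is the rotation case the note above calls out, and an error is the "key not found" case.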
For setup instructions, read the DKIM setup guide. If DKIM is failing, check the DKIM verification troubleshooting guide.
Need DKIM configured across multiple sending services? Schedule a consultation — I'll set up and verify DKIM for every system sending email from your domain.
Sources
- RFC 6376: DomainKeys Identified Mail (DKIM) Signatures
- Google: Turn on DKIM for your domain
- Microsoft: Use DKIM for email in your custom domain
- Dmarcian: DKIM Overview
v1.0 · April 2026
Frequently Asked Questions
How does DKIM work?
The sending server generates a cryptographic hash of specified email headers and body, signs it with a private key, and adds the signature to the DKIM-Signature header. The receiver looks up the public key in DNS using the selector and domain from the signature, then verifies the hash matches.
What is a DKIM selector?
A selector is a label that identifies which DKIM key pair to use. It's part of the DNS lookup: selector._domainkey.example.com. Different ESPs use different selectors (e.g., Google uses 'google', SendGrid uses 's1' or 's2'), allowing multiple DKIM keys for one domain.
What happens if DKIM fails?
A DKIM failure means the signature doesn't match — either the message was modified in transit, the DNS key is wrong or missing, or the signing configuration is broken. Failed DKIM hurts DMARC alignment and can cause spam placement or rejection.
Do I need both DKIM and SPF?
Yes. DMARC requires at least one to pass and align with the From: domain. SPF verifies the sending server, DKIM verifies the message content. Together they provide complete authentication. DKIM also survives email forwarding, which SPF doesn't.
How do I check if DKIM is set up correctly?
Send a test email and view full headers — look for 'dkim=pass' in the Authentication-Results header. Or query DNS directly: dig selector._domainkey.example.com TXT. The record should return your public key.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.