DKIM (DomainKeys Identified Mail) adds a digital signature to every outgoing email using a private key held by the sending server. The receiving server verifies that signature with a public key published in your DNS. If the signature verifies, the signed headers and body are proven unaltered since signing, and the message is proven to have been signed by whoever controls the key for the d= domain. Gmail, Yahoo, and Microsoft require DKIM for bulk senders. Without DKIM, your email carries no proof of integrity, and DMARC can only pass through SPF alignment, which breaks as soon as the message is forwarded.
What Is DKIM? Complete Guide to DomainKeys Identified Mail
How DKIM Works
SENDING:
1. Your sending server holds a private key; the matching public key is published in DNS under a selector
2. It canonicalizes the message body and hashes it (this becomes bh=)
3. It hashes the canonicalized headers listed in h=, together with the DKIM-Signature header itself (with b= empty), and signs that hash with the private key
4. The result is added to the message as the b= value of the DKIM-Signature header
RECEIVING:
1. Receiving server reads the DKIM-Signature header
2. Extracts the selector (s=) and domain (d=)
3. Looks up the public key in the TXT record at: selector._domainkey.domain.com
4. Recomputes the body hash and compares it with bh=, then verifies b= over the signed headers with the public key
5. If both checks succeed → DKIM PASS. If not → DKIM FAIL.
The DKIM-Signature Header
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=google;
h=from:to:subject:date:message-id;
bh=BASE64_BODY_HASH;
b=BASE64_SIGNATURE
| Field | Meaning |
|---|---|
| v=1 | DKIM version |
| a=rsa-sha256 | Signing algorithm (ed25519-sha256 is also defined, in RFC 8463) |
| d= | The signing domain (must align with From: for DMARC) |
| s= | Selector (used to look up the public key) |
| h= | Headers included in the signature |
| bh= | Hash of the canonicalized email body |
| b= | The actual signature |
Critical for DMARC: The d= value must align with your From: domain. If d=sendgrid.net but the From: address is at yourdomain.com, DKIM passes for SendGrid but DMARC alignment fails. Configure custom DKIM signing so that d=yourdomain.com (or a subdomain of it, under relaxed alignment).
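The following Python script is an example added here; it is not code from the original page or from any ESP. It performs the verifier's first steps on a constructed message: it parses the DKIM-Signature tags, applies RFC 6376 body canonicalization according to c=, and checks the recomputed hash against bh=. The domain yourdomain.com, selector google, the sample body and the appended list footer are all constructed. It stops short of the b= check, which needs an RSA implementation (the dkimpy library does the full verification), so b= is a placeholder.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header into a dict.

    Folded lines (CRLF followed by whitespace) are unfolded first. Whitespace
    inside the b= and bh= values is insignificant (RFC 6376 section 3.5), so
    it is stripped; other values are only trimmed at the ends.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    tags = {}
    for item in unfolded.split(";"):
        name, _, value = item.strip().partition("=")
        name = name.strip()
        if name:
            tags[name] = re.sub(r"\s+", "", value) if name in ("b", "bh") else value.strip()
    return tags


def canonicalize_body(body: str, mode: str = "simple") -> str:
    """Apply RFC 6376 body canonicalization ("simple" or "relaxed").

    Both modes drop empty lines at the end of the body and make sure a
    non-empty body ends with CRLF. Relaxed additionally collapses runs of
    spaces/tabs to one space and strips trailing whitespace on every line.
    Bare LF line endings are treated as CRLF so the same text hashes alike.
    """
    lines = re.split(r"\r?\n", body)
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body: str, mode: str = "simple", algorithm: str = "rsa-sha256") -> str:
    """Compute the bh= value: base64 of the digest over the canonicalized body."""
    digest = "sha1" if algorithm.endswith("sha1") else "sha256"
    canonical = canonicalize_body(body, mode).encode("utf-8")
    return base64.b64encode(hashlib.new(digest, canonical).digest()).decode("ascii")


def check_body_hash(dkim_header: str, body: str) -> tuple:
    """Recompute bh= for the delivered body and compare it with the header.

    A mismatch means the body changed after signing; the b= signature does
    not even need checking in that case.
    """
    tags = parse_dkim_signature(dkim_header)
    canon = tags.get("c", "simple/simple")
    # "c=relaxed" with no slash means relaxed headers and simple body.
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    expected = body_hash(body, body_mode, tags.get("a", "rsa-sha256"))
    if expected == tags.get("bh"):
        return True, "body hash matches bh="
    return False, f"body hash mismatch: bh={tags.get('bh')} computed={expected}"


# Constructed sample body, as the signer at yourdomain.com would see it.
BODY = "Hello,\r\n\r\nYour order   has shipped. \r\n\r\n\r\n"


def make_signature_header(body: str) -> str:
    """Build the DKIM-Signature value for a body; b= is a placeholder because
    producing it needs the private key and an RSA signing routine."""
    return (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=google;\r\n"
        " h=from:to:subject:date:message-id;\r\n"
        f" bh={body_hash(body, 'relaxed')};\r\n"
        " b=PLACEHOLDER"
    )


def demo() -> dict:
    header = make_signature_header(BODY)
    intact_ok, _ = check_body_hash(header, BODY)
    # Whitespace-only changes survive relaxed canonicalization...
    reflowed_ok, _ = check_body_hash(header, BODY.replace("   ", " "))
    # ...but a mailing-list footer appended in transit does not.
    with_footer = BODY.rstrip("\r\n") + "\r\n-- \r\nUnsubscribe: https://list.example/u\r\n"
    footer_ok, reason = check_body_hash(header, with_footer)
    return {"intact": intact_ok, "reflowed": reflowed_ok, "with_footer": footer_ok, "reason": reason}


if __name__ == "__main__":
    print(demo())
```

The reflowed case is why relaxed canonicalization exists: gateways that re-wrap whitespace do not break the signature. The footer case is the body hash mismatch a mailing list causes, and no amount of key or DNS fixing on the sender side repairs it.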
Setting Up DKIM
Google Workspace
- Admin Console → Apps → Google Workspace → Gmail
- Authenticate Email → select domain
- Generate New Record (choose 2048-bit)
- Add the TXT record to DNS at google._domainkey.yourdomain.com
- Click Start Authentication
SendGrid
- Settings → Sender Authentication → Authenticate Domain
- Add CNAME records provided by SendGrid
- Verify in SendGrid dashboard
Mailgun
- Sending → Domain Settings → DNS records
- Add DKIM TXT record to DNS
- Verify in Mailgun
Klaviyo
- Settings → Domains → Add Sending Domain
- Add CNAME records for DKIM
- Verify in Klaviyo
DKIM Key Size
| Key Size | Status | Recommendation |
|---|---|---|
| 2048-bit | Standard, recommended | Use this |
| 1024-bit | Legacy, still accepted | Upgrade when possible |
| 4096-bit | Rare, DNS TXT length issues | Not needed for most |
Use 2048-bit. A 2048-bit public key makes the TXT record about 410 characters long, more than the 255-octet limit of a single TXT character-string, so the record has to be published as two quoted strings (the verifier joins them). Most DNS providers split it automatically; if yours rejects the record, publish a CNAME pointing at your ESP's hosted key instead of an inline TXT record.
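To see what the record looks like in DNS and how key size runs into TXT limits, here is a Python example added for this page (not from the page's author or any DNS provider). It DER-encodes an RSA public key in the SubjectPublicKeyInfo form carried in p=, splits the record into 255-octet strings the way a TXT record has to be published, then joins, parses and measures it the way a verifier does. The moduli are constructed numbers with the right bit length, not real keys; selector and domain names are placeholders. In practice you fetch the record with `dig +short TXT google._domainkey.yourdomain.com` and pass the quoted strings to check_dkim_record.

```python
import base64

# Minimal DER helpers, enough for an RSA SubjectPublicKeyInfo (the p= format).


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def _der_integer(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:  # a leading 0x00 keeps the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def _der_read(data: bytes, pos: int = 0) -> tuple:
    """Return (tag, content, position after the element) for one TLV."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def rsa_spki(n: int, e: int = 65537) -> bytes:
    """DER-encode an RSA public key as SubjectPublicKeyInfo (what p= carries)."""
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # OID + NULL parameters
    rsa_public_key = _der(0x30, _der_integer(n) + _der_integer(e))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SPKI -> BIT STRING -> RSAPublicKey -> modulus and report its bit length."""
    _, body, _ = _der_read(spki)
    _, _, after_algorithm = _der_read(body)  # AlgorithmIdentifier, skipped
    tag, bit_string, _ = _der_read(body, after_algorithm)
    if tag != 0x03:
        raise ValueError("expected a BIT STRING holding RSAPublicKey")
    _, rsa_public_key, _ = _der_read(bit_string[1:])  # first octet = unused-bits count
    _, modulus, _ = _der_read(rsa_public_key)
    return int.from_bytes(modulus, "big").bit_length()


# The DNS side.

TXT_STRING_MAX = 255  # one TXT <character-string> holds at most 255 octets


def build_dkim_record(spki: bytes) -> list:
    """The TXT record for a key, split into the quoted strings DNS can carry."""
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")
    return [record[i:i + TXT_STRING_MAX] for i in range(0, len(record), TXT_STRING_MAX)]


def check_dkim_record(strings: list) -> dict:
    """Join the strings, parse the tags and size the key, as a verifier does."""
    tags = {}
    for item in "".join(strings).split(";"):
        name, _, value = item.strip().partition("=")
        if name.strip():
            tags[name.strip()] = "".join(value.split())  # whitespace inside p= is ignored
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"status": "not_dkim", "bits": 0}
    if not tags.get("p"):
        return {"status": "revoked", "bits": 0}  # an empty p= means the key is revoked
    if tags.get("k", "rsa") != "rsa":
        return {"status": "unsupported_key_type", "bits": 0}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < 1024:
        status = "too_small"  # RFC 8301: verifiers must not accept RSA keys under 1024 bits
    elif bits < 2048:
        status = "legacy"
    else:
        status = "recommended"
    return {"status": status, "bits": bits}


def demo() -> dict:
    """Constructed keys: odd numbers of exactly 1024/2048/4096 bits stand in for
    real moduli; only the encoded length matters for the TXT-record question."""
    out = {}
    for bits in (1024, 2048, 4096):
        strings = build_dkim_record(rsa_spki((1 << (bits - 1)) | 1))
        result = check_dkim_record(strings)
        out[bits] = (result["bits"], len(strings), result["status"])
    return out


if __name__ == "__main__":
    for bits, (measured, parts, status) in demo().items():
        print(f"{bits}-bit key: record needs {parts} TXT string(s), status {status}")
```

A 1024-bit record fits in one string, 2048-bit needs two, 4096-bit needs three; that is the whole "DNS TXT length issue" in the table above, and a DNS UI that silently truncates at 255 characters is what produces a "key not found" or "invalid public key" result on the verifier side.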
DKIM and DMARC Alignment
For DMARC to pass via DKIM, the signature must verify (DKIM PASS) and the d= domain in DKIM-Signature must align with the From: header domain:
- Relaxed alignment (adkim=r, the default when the tag is absent): organizational domain match (mail.yourdomain.com aligns with yourdomain.com)
- Strict alignment (adkim=s): exact domain match only
Most DMARC records use relaxed alignment, which allows subdomain matching.
The common problem: Your ESP signs with THEIR domain (d=sendgrid.net) instead of yours. DKIM technically passes but DMARC alignment fails. Fix: configure custom domain DKIM signing in your ESP.
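Added example (not from the original page): a Python function that applies the relaxed and strict alignment rules to the ESP scenario above and combines the DKIM and SPF results the way a DMARC verifier does. The domains sendgrid.net, em.yourdomain.com and bounces.sendgrid.net are constructed for the illustration, and the tiny public-suffix set stands in for the real Public Suffix List a DMARC implementation loads from publicsuffix.org.

```python
from email.utils import parseaddr

# Stand-in for the Public Suffix List, constructed for this example only.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def organizational_domain(domain: str) -> str:
    """Return the registrable domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def is_aligned(identifier: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment. 's' (strict) needs an exact match; 'r'
    (relaxed, the default for adkim= and aspf=) needs the same organizational domain."""
    a = identifier.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_evaluate(from_header, dkim_d, dkim_pass, spf_domain, spf_pass, adkim="r", aspf="r") -> dict:
    """Combine authentication results the way a DMARC verifier does.

    from_header is the RFC5322.From value; dkim_d the d= of a signature that
    verified (dkim_pass); spf_domain the RFC5321.MailFrom domain SPF was checked
    against. DMARC passes if either mechanism both passed and aligned.
    """
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    dkim_aligned = bool(dkim_pass and dkim_d and is_aligned(dkim_d, from_domain, adkim))
    spf_aligned = bool(spf_pass and spf_domain and is_aligned(spf_domain, from_domain, aspf))
    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc_pass": dkim_aligned or spf_aligned,
    }


def demo() -> dict:
    """Constructed scenarios for mail an ESP sends on behalf of yourdomain.com."""
    sender = "Sales <sales@yourdomain.com>"
    return {
        # ESP default: signs with its own domain and bounces to its own domain.
        "esp_default": dmarc_evaluate(sender, "sendgrid.net", True, "bounces.sendgrid.net", True),
        # Custom signing on a subdomain: aligned under relaxed, not under strict.
        "custom_relaxed": dmarc_evaluate(sender, "em.yourdomain.com", True, "bounces.sendgrid.net", True),
        "custom_strict": dmarc_evaluate(sender, "em.yourdomain.com", True, "bounces.sendgrid.net", True, adkim="s"),
        # Forwarded mail: SPF fails at the forwarder's IP, the DKIM signature still carries the message.
        "forwarded": dmarc_evaluate(sender, "yourdomain.com", True, "yourdomain.com", False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: DMARC {'pass' if result['dmarc_pass'] else 'fail'} {result}")
```

The esp_default case is exactly the failure described above: both SPF and DKIM pass, neither is aligned, DMARC fails. Switching the signing domain to em.yourdomain.com fixes it under relaxed alignment; if your DMARC record sets adkim=s you would have to sign with yourdomain.com itself.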
Common DKIM Failures
- Key not found. DNS record missing or hostname wrong (check for the underscore in _domainkey, and that your DNS provider did not append the domain a second time).
- Body hash mismatch. The body was modified after signing (mailing-list footer, security gateway, disclaimer insertion). ARC (RFC 8617) lets an intermediary record the original authentication results so the final receiver can still trust them.
- Alignment failure. DKIM signs with the ESP's domain, not yours. Configure custom signing.
- Key expired/rotated. Old key in DNS, new key in use (or the reverse). Update the DNS record, and when rotating keep the old selector published until mail signed with it has stopped arriving.
Full troubleshooting: DKIM verification failed guide.
Practitioner note: DKIM is more reliable than SPF for DMARC because it survives plain forwarding. SPF breaks when email is forwarded (the forwarding server's IP isn't in your SPF record). A DKIM signature stays intact through forwarding as long as the forwarder leaves the signed headers and the body alone; a mailing list that rewrites the Subject or appends a footer still breaks it. This is why I prioritize DKIM configuration over SPF when setting up authentication.
Practitioner note: The most common DKIM issue: the ESP signs with its own domain by default, not yours. Check the DKIM-Signature header; if it says d=sendgrid.net instead of d=yourdomain.com, you need to configure custom domain signing. Every major ESP supports this. Most don't enable it by default.
For complete authentication: SPF + DKIM + DMARC guide.
If you need DKIM configured correctly, schedule a consultation.
Sources
- RFC 6376: DomainKeys Identified Mail (DKIM)
- MXToolbox: DKIM Lookup
- Google: Turn on DKIM
v1.0 · March 2026
Frequently Asked Questions
What does DKIM do?
DKIM cryptographically signs your outgoing email with a private key. The receiving server looks up the corresponding public key in your DNS (via the selector) and verifies the signature. This proves: 1) The email actually came from an authorized sender, 2) The message content wasn't altered in transit.
Is DKIM required?
Effectively yes. Gmail and Yahoo require DKIM for bulk senders (5,000+/day) since 2024. Microsoft requires it since May 2025. Even below those thresholds, DKIM significantly improves deliverability. There's no good reason to skip it.
What is a DKIM selector?
The selector identifies which DKIM key to use for verification. It appears in the DKIM-Signature header as 's=' (e.g., s=google, s=k1, s=smtp). The receiving server looks up [selector]._domainkey.yourdomain.com in DNS to find the public key. You can have multiple selectors for different sending services.
How do I set up DKIM?
Each ESP has its own process: 1) ESP generates a DKIM key pair, 2) You add a DNS record (TXT or CNAME) for the selector, 3) ESP signs outgoing messages with the private key. In Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate Email → Generate New Record → add the TXT record → Start Authentication.
What's the difference between DKIM and SPF?
SPF authorizes which IPs are allowed to send for your domain (sender authorization, checked against the envelope MAIL FROM domain rather than the visible From:). DKIM proves the message wasn't altered after signing and was signed by the holder of the d= domain's key (message integrity and origin). Both feed into DMARC, which passes if either one passes and aligns with the From: domain. You need both so that one still passes when the other breaks: SPF fails on forwarding, DKIM fails when a mailing list modifies the body.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.