DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to every email you send. The receiving server uses a public key published in your DNS to verify the signature, proving that the message was signed by your domain's mail server and that the signed headers and body weren't altered in transit.

In simple terms: DKIM is like a wax seal on a letter. It proves who sent it and that nobody tampered with it along the way.

How DKIM Works

DKIM uses public-key cryptography to sign outgoing emails, so the recipient can verify they haven’t been tampered with. Here’s the process:

1. Your mail server signs the email with a private key

When your server sends an email, it hashes the message body, then signs that hash together with a chosen set of headers (From, Subject, Date and so on) using a private key that only your server holds. The result is added to the message as a DKIM-Signature header.

2. The email arrives at the recipient's server with the signature attached

The DKIM-Signature header names the signing domain (d=example.com) and a selector (s=sel1), which together tell the recipient where to find the public key.

3. The recipient looks up the public key in DNS

The receiving server queries the TXT record at sel1._domainkey.example.com to retrieve the matching public key. The domain owner published this record when DKIM was set up.

4. If the signature matches → DKIM passes

The recipient recomputes the body hash, then uses the public key to verify the signature over the listed headers and that hash. If both check out, the signed parts of the message are unchanged since example.com's server signed them, and the signing domain is accountable for the message. DKIM passes.

5. If the signature doesn't match → DKIM fails

If the signed headers or body were altered after signing (by an attacker, or by a mailing list or gateway editing the message), or the key cannot be found in DNS, verification fails. DKIM fails, which signals that the message may have been tampered with. On its own a DKIM failure does not reject the mail; the DMARC policy published by the From: domain decides what the receiver does next.

DKIM Check — Visual Overview

1. Sending server: signs the email with the 🔐 private key
2. Email sent: carries the header DKIM-Signature: v=1; d=example.com; s=sel1; ...
3. Receiver: reads d=example.com and s=sel1 from that header
4. DNS lookup: sel1._domainkey.example.com returns the 🔓 public key
5. Verify: the public key checks the signature against the recomputed header and body hashes

✅ DKIM pass (signed content unchanged)

❌ DKIM fail (tampered, or key not found)
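As an added example (not code from the original page), the following Go program walks through those five steps end to end using only the standard library: it generates an RSA key pair, "publishes" the public key in an in-memory map that stands in for DNS, signs a constructed message with relaxed/relaxed canonicalization, then verifies it once unmodified and once after a gateway appended a line to the body. The domain example.com, the selector sel1, the message and all function names are made up for the demonstration. The canonicalization is a simplified reading of RFC 6376 (CRLF line endings and a non-empty body are assumed, leading whitespace on body lines is collapsed too, headers listed in h= but absent from the message are skipped, and the l= and t= tags are not handled), so treat it as a teaching model rather than a drop-in verifier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// header is one message header as seen on the wire: name and raw value.
type header struct{ name, value string }

// relaxedHeader: lowercase the name, unfold, collapse whitespace runs, trim around ':'.
func relaxedHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// relaxedBody (non-empty, CRLF-delimited body, simplified): collapse whitespace runs,
// drop trailing whitespace per line and empty lines at the end, finish with one CRLF.
func relaxedBody(body string) string {
	var out []string
	for _, l := range strings.Split(body, "\r\n") {
		out = append(out, strings.Join(strings.Fields(l), " "))
	}
	return strings.TrimRight(strings.Join(out, "\r\n"), "\r\n") + "\r\n"
}

// headerHash covers the signed headers, then the DKIM-Signature header itself
// with an empty b= value and no trailing CRLF; signer and verifier compute it alike.
func headerHash(signed []header, sigValue string) []byte {
	h := sha256.New()
	for _, hd := range signed {
		h.Write([]byte(relaxedHeader(hd.name, hd.value)))
	}
	h.Write([]byte(strings.TrimSuffix(relaxedHeader("DKIM-Signature", sigValue), "\r\n")))
	return h.Sum(nil)
}

// sign is the sending server's step; it returns the DKIM-Signature header value.
func sign(priv *rsa.PrivateKey, domain, selector string, hdrs []header, body string) string {
	bh := sha256.Sum256([]byte(relaxedBody(body)))
	names := make([]string, len(hdrs))
	for i, hd := range hdrs {
		names[i] = strings.ToLower(hd.name)
	}
	sig := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	b, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(hdrs, sig)) // demo: error ignored
	return sig + base64.StdEncoding.EncodeToString(b)
}

// parseTags splits a "k=v; k=v" list (DKIM-Signature header or DNS TXT record).
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	return tags
}

// verify replays the receiver's steps: read d= and s=, fetch the key from
// selector._domainkey.domain, recompute bh=, then check b= over the header hash.
func verify(dns map[string]string, sigValue string, hdrs []header, body string) error {
	t := parseTags(sigValue)
	rec := dns[t["s"]+"._domainkey."+t["d"]] // missing record -> empty p= -> unusable key
	der, _ := base64.StdEncoding.DecodeString(parseTags(rec)["p"])
	pubAny, err := x509.ParsePKIXPublicKey(der)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("no usable RSA key at %s._domainkey.%s: %v", t["s"], t["d"], err)
	}
	if bh := sha256.Sum256([]byte(relaxedBody(body))); base64.StdEncoding.EncodeToString(bh[:]) != t["bh"] {
		return fmt.Errorf("body hash mismatch: body was modified after signing")
	}
	var signed []header // the headers named in h=, in h= order; absent ones are skipped
	for _, name := range strings.Split(t["h"], ":") {
		for _, hd := range hdrs {
			if strings.EqualFold(hd.name, name) {
				signed = append(signed, hd)
				break
			}
		}
	}
	sigBytes, _ := base64.StdEncoding.DecodeString(t["b"])
	// Blank the b= value before hashing, as it was empty when the signer hashed the header.
	digest := headerHash(signed, strings.Replace(sigValue, t["b"], "", 1))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sigBytes)
}

// Demo signs a constructed message, verifies it intact, then verifies a copy whose
// body a gateway appended a line to. A nil result means DKIM pass.
func Demo() (intact, tampered error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	pubDER, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	// Stand-in for DNS: the TXT record the domain owner published for selector sel1.
	dns := map[string]string{"sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(pubDER)}
	hdrs := []header{{"From", "Alice <alice@example.com>"}, {"To", "bob@example.net"}, {"Subject", "Invoice"}}
	body := "Please find the invoice attached.\r\n"
	sig := sign(priv, "example.com", "sel1", hdrs, body)
	return verify(dns, sig, hdrs, body), verify(dns, sig, hdrs, body+"This email was scanned by a gateway.\r\n")
}

func main() { fmt.Println(Demo()) } // <nil> body hash mismatch: body was modified after signing
```

Running it prints <nil> for the untouched message and the body hash error for the tampered copy. The tampered copy fails on bh= before the RSA signature is examined at all, which is why appended disclaimers and mailing-list footers break DKIM: the body hash is the cheap first gate, and a real verifier stops there too.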

DKIM Keys and Selectors

DKIM uses a public/private key pair:

  • The private key stays on your mail server and is used to sign outgoing emails
  • The public key is published in your DNS so receivers can verify the signature

The public key lives in a DNS TXT record whose name is determined by the selector:

selector._domainkey.yourdomain.com

For example, if your selector is google and your domain is example.com, the DKIM key is at:

google._domainkey.example.com

Why selectors?

Selectors allow you to have multiple DKIM keys for the same domain. This is useful for:

  • Different services — Google Workspace uses one selector, SendGrid uses another
  • Key rotation — publish a new key with a new selector before retiring the old one
  • Different signing algorithms — run RSA and Ed25519 keys side by side

Anatomy of a DKIM Signature

When your server sends an email with DKIM, it adds a header like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=google;
  h=from:to:subject:date:message-id;
  bh=abc123...=;
  b=XYZ789...=

Tag                 Meaning
v=1                 DKIM version
a=rsa-sha256        Signing algorithm (rsa-sha256, or ed25519-sha256 for Ed25519 keys)
c=relaxed/relaxed   Canonicalization for headers/body (how whitespace and case are normalized before hashing)
d=example.com       Signing domain (the domain DMARC aligns against the From: address)
s=google            Selector (names the DNS record that holds the public key)
h=from:to:...       Headers covered by the signature, in the order they were hashed
bh=...              Base64 SHA-256 hash of the canonicalized body
b=...               The signature itself: the private key signs the hash of the listed headers plus this DKIM-Signature header with b= left empty

Setting Up DKIM

Unlike SPF (which you write yourself), DKIM keys are usually generated by your email provider:

Provider            Where to enable DKIM                                   Selector
Google Workspace    Admin Console → Apps → Gmail → Authenticate email      google
Microsoft 365       Defender → Email authentication → DKIM                 selector1, selector2
SendGrid            Settings → Sender Authentication → Domain              s1, s2
Mailchimp           Settings → Domains → Authenticate                      k1
Amazon SES          Identities → Domain → DKIM (Easy DKIM)                 auto-generated (CNAME)
cPanel              Email → Authentication (DKIM)                          default

The general process is:

  1. Your email provider generates the DKIM key pair and keeps the private key
  2. They give you a DNS record to publish (a TXT record containing the public key, or a CNAME pointing at a record they host)
  3. You add that record to your DNS at selector._domainkey.yourdomain.com
  4. Once the record resolves, the provider starts signing outgoing mail; send a test message to a mailbox you control and look for dkim=pass in its Authentication-Results header

DKIM and DMARC

DKIM is essential for DMARC because:

Survives forwarding
Unlike SPF, the DKIM signature travels inside the message, so it still verifies after forwarding, as long as the forwarder leaves the signed headers and body untouched.

DMARC alignment
DMARC checks that the d= domain of a passing signature is aligned with the From: domain (identical, or sharing the same organizational domain in relaxed mode). A valid signature from an unrelated domain passes DKIM but does not satisfy DMARC.

Integrity check
DKIM proves the body and the signed headers weren't modified after signing, something SPF cannot do.
💡 Best practice: Always set up both SPF and DKIM. SPF tells receivers which servers can send for you. DKIM proves the email is authentic and unmodified. DMARC ties them together with alignment and policy enforcement.

Common DKIM Issues

  • Key not published — DKIM was enabled at the provider but the DNS record was never added, or was added under the wrong name (it must be selector._domainkey.yourdomain.com)
  • Key too long for one TXT string — a 2048-bit RSA public key is about 390 base64 characters, but a single TXT string holds at most 255 octets, so the record must be published as two or more quoted strings that resolvers concatenate; some DNS control panels split it for you, others reject or silently truncate the value
  • Body modified in transit — mailing lists, security gateways and appended disclaimers change the body after signing, so bh= no longer matches; DMARC then treats the message as unsigned unless another aligned signature or aligned SPF passes
  • Wrong selector — the selector in the DKIM-Signature header must exactly match the DNS record name; a typo or a stale provider record means the key is never found
  • Key rotation forgotten — once all mail signed with an old key has been delivered, revoke it by removing the record or publishing it with an empty p=; otherwise a leaked old private key still produces signatures that verify
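As an added example (not the page's code or any provider's tooling), this Go program does steps 1 and 2 of the setup process described earlier for a self-hosted mail server, then runs the checks a receiver applies to what you published, covering the key-not-published, key-too-long and revoked-key cases from the list above. The 255-octet limit per TXT string comes from DNS itself (RFC 1035); the 1024-bit floor comes from RFC 8301. Function names and the sample records are made up for the demonstration, and only RSA keys (k=rsa) are handled.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// A TXT record is a sequence of character-strings of at most 255 octets each
// (RFC 1035); resolvers hand them back to verifiers, who concatenate them.
const maxTXTString = 255

// publishRecord builds the DKIM TXT record value for an RSA public key and
// splits it into 255-octet strings ready to paste into a zone file or DNS UI.
func publishRecord(pub *rsa.PublicKey) ([]string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	value := "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	var parts []string
	for len(value) > maxTXTString {
		parts = append(parts, value[:maxTXTString])
		value = value[maxTXTString:]
	}
	return append(parts, value), nil
}

// pTag finds the p= tag; the leading (^|;) keeps it from matching inside another tag.
var pTag = regexp.MustCompile(`(^|;)\s*p=([^;]*)`)

// checkRecord does what a receiver does with the strings it got back from DNS:
// concatenate them, find p=, decode the key and report its size. The error
// cases map onto the common failures: not published, too long, revoked, weak.
func checkRecord(strs []string) (bits int, err error) {
	for _, s := range strs {
		if len(s) > maxTXTString {
			return 0, fmt.Errorf("TXT string of %d octets exceeds the 255-octet limit; split it", len(s))
		}
	}
	m := pTag.FindStringSubmatch(strings.Join(strs, ""))
	if m == nil {
		return 0, fmt.Errorf("no p= tag: key not published, or wrong selector")
	}
	if strings.TrimSpace(m[2]) == "" {
		return 0, fmt.Errorf("empty p=: this key has been revoked")
	}
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(m[2]), ""))
	if err != nil {
		return 0, fmt.Errorf("p= is not valid base64: %v", err)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return 0, fmt.Errorf("p= is not a valid public key: %v", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return 0, fmt.Errorf("record does not contain an RSA key")
	}
	bits = rsaPub.N.BitLen()
	if bits < 1024 {
		return bits, fmt.Errorf("%d-bit RSA key: verifiers must refuse keys shorter than 1024 bits (RFC 8301)", bits)
	}
	return bits, nil
}

// PublishAndCheck generates a fresh 2048-bit key, builds its record, and checks
// it as a receiver would. It returns the number of TXT strings and the key size.
func PublishAndCheck() (txtStrings, bits int, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, 0, err
	}
	strs, err := publishRecord(&priv.PublicKey)
	if err != nil {
		return 0, 0, err
	}
	bits, err = checkRecord(strs)
	return len(strs), bits, err
}

func main() {
	fmt.Println(PublishAndCheck()) // 2 2048 <nil>
	// Constructed records showing two of the failure modes listed above.
	fmt.Println(checkRecord([]string{"v=DKIM1; k=rsa; p="}))
	fmt.Println(checkRecord([]string{"v=DKIM1; k=rsa; p=" + strings.Repeat("A", 400)}))
}
```

A 2048-bit key comes out as two strings (255 and 155 octets), which is the form to paste into a zone file as two quoted strings on one record. Running checkRecord against what your resolver actually returns for selector._domainkey.yourdomain.com, rather than against what you think you published, is the quickest way to tell the first two issues in the list apart.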


Related Topics

What is SPF? → Sender Policy Framework explained
What is DMARC? → Ties SPF + DKIM together
SPF vs DKIM vs DMARC → Comparison and how they work together