DKIM (DomainKeys Identified Mail) is an email authentication method that attaches a cryptographic digital signature to outgoing messages. Receiving mail servers use a public key published in your DNS to verify that the signature is valid — confirming the message genuinely came from your domain and was not altered in transit. DKIM is a foundational component of modern email security, working alongside SPF and DMARC to protect your domain from spoofing and improve deliverability.
What Problem Does DKIM Solve?
Traditional email (SMTP) has no built-in mechanism to verify that a message arrived intact and was sent by who it claims to be from. An attacker positioned between sender and recipient — or a compromised relay server — could modify a message body, alter headers, or forge the sender address entirely without any detection.
DKIM solves this by generating a cryptographic hash of the message content and key headers, then signing that hash with a private key. The corresponding public key is published in DNS. Any server receiving the message can fetch the public key and verify the signature without any prior communication with the sending domain.
How Cryptographic Signing Works in DKIM
DKIM uses asymmetric cryptography — specifically RSA or Ed25519 key pairs:
- The private key is kept secret on your sending mail server or email service provider. It is used to create the signature for every outgoing message.
- The public key is published in a DNS TXT record. It is freely available to any receiving server that wants to verify the signature.
Because only the holder of the private key can produce a valid signature, and the public key in DNS can verify it, a successful DKIM check proves two things: the message came from a server with access to the private key, and the signed portions of the message were not altered after signing.
What Is a DKIM Selector?
A selector is a label that allows a domain to publish multiple DKIM public keys in DNS simultaneously. Each sending service or key rotation has its own selector. The selector is included in the DKIM signature header so receiving servers know which DNS record to look up.
The DNS record for a DKIM public key is published at:
selector._domainkey.example.com
For example, if Google Workspace uses the selector google, the public key is at google._domainkey.example.com. A transactional email service might use a different selector, such as mg or s1.
What Does a DKIM DNS Record Look Like?
A DKIM record is a TXT record published at selector._domainkey.yourdomain.com. Here is a typical example:
selector._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."
The key fields are:
- v=DKIM1 — version tag. Always DKIM1.
- k=rsa — the key algorithm. RSA is most common; Ed25519 is also supported.
- p= — the Base64-encoded public key. This is the value receiving servers use to verify signatures.
DKIM Signature in Email Headers
When your mail server sends a message, it adds a DKIM-Signature header. This header contains the signature itself and the metadata needed to verify it:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=example.com; s=selector;
h=from:to:subject:date:message-id;
bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
b=abc123...base64signature...
Key fields in the signature header:
- d= — the signing domain (must align with the From header for DMARC).
- s= — the selector used to locate the public key in DNS.
- h= — the list of headers that were signed.
- bh= — the Base64 hash of the canonicalised message body.
- b= — the Base64-encoded cryptographic signature itself.
Why DKIM Improves Email Deliverability
Receiving mail services — including Gmail, Outlook, and Yahoo — use DKIM as one of the key signals in their spam filtering and reputation systems. A valid DKIM signature tells the receiving service that your domain consistently signs its messages, which builds sender reputation over time.
Unsigned messages, or messages with broken DKIM signatures, are treated with greater suspicion. Combined with DMARC reporting, DKIM also gives you visibility into whether any service is sending unsigned email on behalf of your domain — a sign of misconfiguration or abuse.
DKIM and Message Tampering
If any part of the message covered by the DKIM signature is altered after the message is signed — whether by a malicious relay, a mailing list that appends a footer, or a content-filtering proxy — the signature becomes invalid. The receiving server will detect the mismatch between the signed hash and the actual message content and return a DKIM failure.
This is both a strength and a practical challenge. Mailing lists that modify the message body or subject line will break DKIM signatures, which is why the interaction between DKIM and forwarding via mailing lists requires careful DMARC policy design.
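The tag=value parsing, the DNS lookup name derived from s= and d=, and the body-hash (bh=) check that catches the tampering described above, as an added example that is not part of the original page. The sample header is constructed to mirror the page's example (its b= value is a placeholder, not a real signature), and the function names are this example's own; only the bh= step is verified here, since checking b= needs the published public key.

```python
import base64
import hashlib
import re

# Constructed sample header mirroring the page's example; b= is a placeholder,
# not a real signature, so only the bh= step is checked here.
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector;\r\n"
    "\th=from:to:subject:date:message-id;\r\n"
    "\tbh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    "\tb=abc123placeholder"
)

def parse_tag_list(value: str) -> dict:
    """Parse a tag=value list (DKIM-Signature header or DNS TXT record) into a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:  # skip the empty item left by a trailing ';'
            name, _, val = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def dns_record_name(header: str) -> str:
    """Name the verifier queries for the public key: selector._domainkey.domain."""
    tags = parse_tag_list(header)
    return f"{tags['s']}._domainkey.{tags['d']}"

def key_record_status(txt_record: str) -> str:
    """Sanity-check a published key record; an empty p= means the key is revoked."""
    tags = parse_tag_list(txt_record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "invalid"
    return "ok" if tags.get("p") else "revoked"

def relaxed_body_canonicalize(body: str) -> str:
    """Relaxed body canonicalization: collapse whitespace runs, strip line ends, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""

def body_hash(body: str) -> str:
    """Base64 SHA-256 of the canonicalized body: the value that belongs in bh=."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body).encode()).digest()
    return base64.b64encode(digest).decode()

def body_hash_matches(header: str, body: str) -> bool:
    """The check a verifier runs before touching b=: does bh= match the body?"""
    return parse_tag_list(header)["bh"] == body_hash(body)
```

With relaxed canonicalization an empty body hashes to exactly the bh= shown in the page's header, and appending a mailing-list footer changes the hash, so the signature fails before b= is even examined.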
How to Check Your DKIM Record
Use the TXT Record Lookup tool and query selector._domainkey.yourdomain.com (replacing selector with your actual selector value). The tool will return your public key record so you can confirm it is published correctly. For a broader authentication check, the Security Headers Scanner covers multiple email and web security settings in one view.
Frequently Asked Questions
Does DKIM replace SPF?
No. DKIM and SPF solve different problems. SPF verifies that the sending IP is authorised by the domain owner. DKIM verifies that the message content and key headers were not altered and that the signing domain authorised the message. DMARC uses both to enforce authentication policy. All three should be deployed together.
What happens if a DKIM signature fails verification?
A DKIM failure alone does not cause message rejection. The receiving server records the failure in the Authentication-Results header and passes the result to the spam filtering engine. Without a DMARC policy of p=quarantine or p=reject, a DKIM failure typically results in higher spam scores rather than outright rejection.
Can I have multiple DKIM keys for the same domain?
Yes, and this is the recommended approach. Each sending service (Google Workspace, your transactional email provider, your CRM) should have its own selector and key pair. This allows you to revoke a specific service's key without affecting others, and gives you granular visibility in DMARC reports.
What is DKIM key rotation and why does it matter?
Key rotation means replacing your DKIM private/public key pair periodically. It limits the window of exposure if a private key is ever compromised. Best practice is to rotate DKIM keys at least annually. To rotate safely, publish the new public key in DNS before switching to the new private key on your mail server, then remove the old DNS record after a propagation delay.
How do I find my DKIM selector?
The selector is included in every outgoing message in the DKIM-Signature header as the s= field. You can inspect a raw email message in your email client (usually via "Show original" or "View source") to find the selector your sending service is using. Common selectors include google, k1, s1, and default.