What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that allows the sender to digitally sign outgoing emails, enabling the recipient's mail server to verify the message came from an authorized sender and wasn't altered in transit. Unlike SPF, which validates the sending server, DKIM validates the message itself.
How DKIM Works
Sending Process
- The sending server creates a hash of the email content
- The hash is encrypted using a private key stored on the sending server
- The encrypted signature is added to the email as a
DKIM-Signatureheader - The email is sent to the recipient
Receiving Process
- The receiving server extracts the DKIM signature from the email header
- It looks up the public key in the sender's DNS records
- It decrypts the signature using the public key
- It compares the decrypted hash to a fresh hash of the received email
- If they match, DKIM passes — proving the message is authentic and unmodified
DKIM Record Format
A DKIM public key is published as a DNS TXT record at a specific location:
selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGS..."
Record Components
| Component | Meaning |
|---|---|
v=DKIM1 |
DKIM version |
k=rsa |
Key type (usually RSA) |
p= |
Public key (base64 encoded) |
t=s |
Strict mode (optional) |
t=y |
Testing mode (optional) |
Understanding DKIM Selectors
A selector is a name that identifies a specific DKIM key. Selectors allow:
- Multiple keys per domain — Different keys for different sending services
- Key rotation — Rotate keys without disruption by using new selectors
- Testing — Test new keys alongside production keys
Common selector patterns used by popular services:
google(Google Workspace)selector1,selector2(Microsoft 365)s1,s2(SendGrid)- Date-based like
202601(monthly rotation)
DKIM Authentication Results
DKIM verification can return:
- Pass — Valid signature verified successfully
- Fail — Signature verification failed
- None — No DKIM signature present
- Neutral — Signature present but not verifiable
- TempError — Temporary failure (DNS timeout)
- PermError — Permanent error (invalid record)
DKIM Alignment with DMARC
For DMARC purposes, DKIM must also be "aligned":
- The domain in the DKIM signature (
d=tag) must match the "From" header domain - Strict alignment — Exact match required
- Relaxed alignment — Subdomain matches allowed (default)
Why DKIM Matters for Email Security
DKIM provides benefits that SPF cannot:
- Survives forwarding — Unlike SPF, DKIM signatures remain valid when emails are forwarded
- Content integrity — Cryptographically proves the email wasn't modified in transit
- Sender verification — Proves the email was sent by an authorized party
- Reputation building — Consistent DKIM signing builds sender reputation with email providers
Common DKIM Issues
Missing DKIM Signatures
Some sending services don't sign emails with DKIM by default. You must enable DKIM signing in your email service settings and publish the corresponding DNS record.
Signature Mismatch
The email was modified after signing — common with mailing lists, security gateways, or systems that append disclaimers. Consider using ARC (Authenticated Received Chain) for forwarded mail.
Key Size Too Small
Old 512-bit keys are now rejected by many receivers. Use 2048-bit RSA keys for new implementations.
DKIM Best Practices
- Enable DKIM — Configure all sending services to sign emails with DKIM
- Use strong keys — 2048-bit RSA keys are recommended
- Rotate keys periodically — Change keys on a regular schedule for security
- Monitor results — Use DMARC reports to track DKIM pass/fail rates
- Keep keys secure — Protect private keys from unauthorized access
Next Steps
- Learn about SPF, the other authentication mechanism DMARC uses
- Understand DMARC policies and enforcement levels
- Troubleshoot issues with our DKIM Failures guide
- Verify your DKIM records with our free DKIM Checker