
What is DKIM? Email Signature Authentication Explained

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails to prove they haven't been tampered with and truly come from your domain. Learn how DKIM works, why it's critical for email deliverability, and how to implement it.

DKIM in Simple Terms

DKIM is like a tamper-proof wax seal on your emails. It uses a cryptographic signature to prove that an email actually came from your domain and wasn't modified during transit. If anyone changes even one character, the seal breaks.

Bottom Line: DKIM proves your emails are authentic and unchanged, improving deliverability and trust.

How DKIM Works: The Digital Signature Process

1. Email Signing (Sender Side)

When your mail server sends an email, it creates a unique signature by:

  • Hashing key email headers (From, To, Subject) and the message body
  • Signing the hash with your private DKIM key
  • Adding the signature to the email header as "DKIM-Signature"

Private Key: Stored on your mail server (never shared)

2. Email Transmission

The email travels through the internet with the signature attached. If anyone modifies the email (changes subject, body, or From address), the signature becomes invalid.

Example DKIM Header:

DKIM-Signature: v=1; a=rsa-sha256; d=yourcompany.com; s=selector1; c=relaxed/relaxed; bh=abc123...; b=xyz789...

3. Signature Verification (Receiver Side)

When a receiver such as Gmail or Outlook gets the email, it:

  • Looks up your public DKIM key at selector1._domainkey.yourcompany.com
  • Uses the public key to recover the signed hash from the signature
  • Compares the recovered hash to a new hash of the email
  • If they match: ✓ DKIM pass (authentic email)
  • If they don't match: ✗ DKIM fail (tampered or forged)

✓ Public Key: Published in DNS (visible to everyone)
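
An added example, not part of the original guide: a small Python parser for the DKIM-Signature header that derives the DNS name the receiver queries and flags signature settings that weaken the tamper protection described above. The sample headers are constructed, and the function names are this example's own.

```python
import re

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # mandatory tags per RFC 6376

def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Header folding may insert whitespace inside values (b=, h=); drop it.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_lookup_name(tags: dict) -> str:
    """DNS name where the receiver fetches the public key (TXT record)."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def review_signature(tags: dict) -> list:
    """Return findings worth knowing before trusting a DKIM pass."""
    findings = [f"missing required tag {t}=" for t in REQUIRED if t not in tags]
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    if "from" not in signed:
        findings.append("From is not listed in h=, so the visible sender is unsigned")
    if tags.get("a") == "rsa-sha1":
        findings.append("a=rsa-sha1 is deprecated by RFC 8301")
    if "l" in tags:
        findings.append("l= signs only part of the body; appended content is unsigned")
    return findings

# Constructed samples modelled on the header shown above (values are placeholders).
GOOD = ("v=1; a=rsa-sha256; d=yourcompany.com; s=selector1; c=relaxed/relaxed;\r\n"
        "\th=from:to:subject; bh=abc123; b=xyz\r\n\t789")
WEAK = ("v=1; a=rsa-sha1; d=yourcompany.com; s=selector1; h=to:subject; l=100; "
        "bh=abc123; b=xyz789")

if __name__ == "__main__":
    for sample in (GOOD, WEAK):
        tags = parse_dkim_tags(sample)
        print(key_lookup_name(tags), review_signature(tags))
```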

Why DKIM is Critical for Email Deliverability

1. Higher Inbox Placement

Gmail and Outlook prioritize emails with valid DKIM signatures. Emails without DKIM are 3x more likely to land in spam. DKIM is a strong positive signal for deliverability.

✓ 15-20% improvement in inbox placement rates

2. Prevents Email Tampering

DKIM ensures no one can modify your email in transit. Attackers can't change the "From" address, add malicious links, or alter the message content without breaking the signature.

Protection against man-in-the-middle attacks

3. Required for DMARC

DMARC relies on DKIM (and SPF) to work. Without DKIM, you can't implement full DMARC protection at p=reject. DKIM also survives email forwarding better than SPF.

✓ Essential component of DMARC authentication

4. Builds Sender Reputation

Consistent DKIM signing builds your domain's reputation with email providers. Over time, this improves deliverability and engagement rates and reduces spam complaints.

Long-term email marketing success depends on DKIM

Understanding DKIM Selectors

What is a Selector?

A selector is a label that identifies which DKIM key to use for verification. You can have multiple DKIM keys for different purposes (e.g., different mail servers, email service providers, or key rotation).

Example: Primary Mail Server

Selector: default
DNS Record: default._domainkey.yourcompany.com

Example: Salesforce Marketing Cloud

Selector: salesforce
DNS Record: salesforce._domainkey.yourcompany.com

Example: Google Workspace

Selector: google
DNS Record: google._domainkey.yourcompany.com

Pro Tip: Use Descriptive Selectors

Name your selectors based on the mail server or service (e.g., "mailchimp", "hubspot", "server1") to easily identify which system is sending which emails.

Common DKIM Failure Reasons

Missing or Incorrect DNS Record

The public key isn't published in DNS, or the selector/domain is wrong. The receiver can't find the key to verify the signature.

Solution:

Use DKIM Validator to verify your DNS record is published correctly

Email Modified in Transit

Mailing list servers or email forwarders changed the email content, breaking the signature. This is common with discussion groups or auto-forwarding rules.

Solution:

Use "relaxed" canonicalization (c=relaxed) to allow minor formatting changes

Expired or Rotated Keys

The private key used to sign the email doesn't match the public key in DNS anymore (key was rotated but DNS wasn't updated, or vice versa).

Solution:

When rotating keys, publish the new public key in DNS BEFORE switching the mail server to the new private key

How to Set Up DKIM

Step 1: Generate DKIM Keys

Create a public/private key pair (2048-bit RSA recommended). Your email service provider or mail server usually provides this. See our Generating DKIM Keys guide.

Step 2: Publish Public Key in DNS

Add a TXT record at selector._domainkey.yourdomain.com with the public key value. This allows receivers to verify your signatures.

Step 3: Configure Mail Server Signing

Install the private key on your mail server and enable DKIM signing. The server will automatically sign all outgoing emails.

Step 4: Test & Verify

Send test emails and verify DKIM passes using our DKIM Validator. Check the Authentication-Results header of the received message for "dkim=pass".

Automated DKIM Setup in Minutes

TrustYourInbox automatically configures DKIM for all your email services. We generate keys, publish DNS records, and verify signing is working correctly. No manual configuration needed.