What is DKIM? How Email Signatures Protect Your Domain

DKIM Digital Signatures

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to your outgoing emails. This signature proves that the email genuinely came from your domain and hasn't been tampered with during transit.

If SPF is like a list of authorized mail carriers, DKIM is like a tamper-proof seal on each package. Together with SPF and DMARC, DKIM forms the foundation of modern email security.

What is DKIM?

DKIM stands for DomainKeys Identified Mail. It's an email authentication protocol that uses public-key cryptography to verify:

  • The email was actually sent by the domain it claims to be from
  • The email content hasn't been modified since it was sent

When you send an email with DKIM enabled, your mail server creates a unique cryptographic signature based on the email's content. This signature is added to the email header. When the recipient's server receives the email, it retrieves your public key from DNS and uses it to verify the signature.

Why DKIM Matters

Proving Authenticity

Unlike regular mail, email has no inherent way to prove who sent it. Anyone can claim to be sending from any address. DKIM solves this by cryptographically signing emails in a way that only the legitimate domain owner can do.

Protecting Message Integrity

DKIM doesn't just prove who sent the email—it proves the email hasn't been changed. If an attacker intercepts and modifies an email (changing links, altering content), the DKIM signature becomes invalid.

Improving Deliverability

Email providers use DKIM as a trust signal:

  • Emails with valid DKIM signatures are more likely to reach the inbox
  • DKIM helps build positive sender reputation
  • Google and Yahoo require DKIM for bulk email senders

How DKIM Works

The Key Pair

DKIM uses asymmetric cryptography with two keys:

  • Private Key: Kept secret on your mail server. Used to create signatures.
  • Public Key: Published in your DNS records. Used by recipients to verify signatures.

The Signing Process

  1. You compose and send an email
  2. Your mail server calculates a hash of specific email headers and body content
  3. The server signs this hash with your private key, producing the DKIM signature
  4. The signature is added to the email's headers as DKIM-Signature
  5. The email is sent to the recipient

The Verification Process

  1. Recipient's mail server receives the email
  2. It extracts the DKIM signature and identifies the signing domain and selector
  3. It queries DNS for the public key at selector._domainkey.yourdomain.com
  4. Using the public key, it verifies the signature and recovers the hash the sender signed
  5. It calculates its own hash of the email content
  6. If the hashes match, DKIM passes. If not, it fails.
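The signing and verification steps above, as an added example in Go (not code from the original article): the relaxed body canonicalization, the bh= body hash, signing the selected header plus the DKIM-Signature tags with the private key, and the receiver's check with the public key. Assumptions: only the From header is signed (h=from), the public key is handed to verify directly instead of being fetched from DNS, and the function names are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"regexp"
	"strings"
)

var wsp = regexp.MustCompile("[ \t]+")
// relaxedBody: RFC 6376 "relaxed" body canonicalization (strip trailing whitespace per line, collapse whitespace runs, drop trailing empty lines, CRLF line ends).
func relaxedBody(body string) string {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = wsp.ReplaceAllString(strings.TrimRight(l, " \t"), " ")
	}
	if s := strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n"); s != "" {
		return s + "\r\n"
	}
	return ""
}
// bodyHash is the bh= tag: base64(SHA-256(canonicalized body)).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(relaxedBody(body)))
	return base64.StdEncoding.EncodeToString(sum[:])
}
// signedInput is what b= covers: the From header in relaxed form plus the DKIM-Signature tags with b= left empty.
func signedInput(from, tags string) []byte {
	return []byte("from:" + strings.TrimSpace(from) + "\r\ndkim-signature:" + tags)
}
// sign hashes the signed input and signs that hash with the private key (signing steps 2 and 3); the result is the DKIM-Signature header value.
func sign(priv *rsa.PrivateKey, from, body, domain, selector string) (string, error) {
	tags := "v=1; a=rsa-sha256; d=" + domain + "; s=" + selector + "; h=from; bh=" + bodyHash(body) + "; b="
	sum := sha256.Sum256(signedInput(from, tags))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return tags + base64.StdEncoding.EncodeToString(sig), err
}
// verify is the receiver side: recompute bh= over the body as received, rebuild the signed input and check b= with the public key found for d=/s=.
func verify(pub *rsa.PublicKey, from, body, sigHeader string) bool {
	i := strings.Index(sigHeader, "; b=")
	if i < 0 || !strings.HasSuffix(sigHeader[:i], "; bh="+bodyHash(body)) {
		return false // malformed header, or the body was changed in transit
	}
	sig, err := base64.StdEncoding.DecodeString(sigHeader[i+4:])
	sum := sha256.Sum256(signedInput(from, sigHeader[:i+4]))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) == nil
}
```

A whitespace-only change in transit still verifies because of relaxed canonicalization, while any change to the words, the From header, or a signature made with a different key fails.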

DKIM Selectors Explained

A selector is a unique identifier that allows you to have multiple DKIM keys for the same domain. This is essential because:

  • Different services need different keys (your main server, marketing platform, CRM, etc.)
  • You can rotate keys without breaking email delivery
  • Each selector points to its own public key in DNS

How Selectors Work

The DKIM public key is stored at: [selector]._domainkey.[domain]

For example:

  • google._domainkey.yourdomain.com – Google Workspace's key
  • k1._domainkey.yourdomain.com – Mailchimp's key
  • selector1._domainkey.yourdomain.com – Microsoft 365's key

The selector name is included in the DKIM signature, so receiving servers know exactly which key to retrieve.

What a DKIM Record Looks Like

A DKIM DNS record is a TXT record containing your public key. Example:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Breaking this down:

  • v=DKIM1 – DKIM version (required)
  • k=rsa – Key type, usually RSA (optional; RSA is the default)
  • p=... – The public key encoded in base64 (required)

DKIM Key Sizes

DKIM keys come in different sizes, measured in bits:

1024-bit Keys

  • The traditional standard
  • Still widely used and accepted
  • Fits in a single DNS TXT record without issues

2048-bit Keys

  • Recommended for stronger security
  • Required by some security-conscious organizations
  • May need to be split across multiple DNS strings (some DNS providers handle this automatically)

Recommendation: Use 2048-bit keys when your email service and DNS provider support them.

DKIM Limitations

While powerful, DKIM has some limitations:

Doesn't Verify the From Address

DKIM proves the email came from a domain that signed it—but doesn't ensure that domain matches the visible "From" address. An attacker could sign emails with their own domain while spoofing yours in the From field. This is why you need DMARC for alignment checking.

Can Break with Content Modification

Mailing lists, forwarding services, or security gateways that modify email content can invalidate DKIM signatures. This is addressed by ARC (Authenticated Received Chain) in some cases.

Requires Key Management

Private keys must be kept secure, and keys should be rotated periodically. Lost or compromised keys require updating DNS records.

Setting Up DKIM

The general process for setting up DKIM:

  1. Generate keys – Your email service usually does this for you
  2. Get the public key – Copy the TXT record provided by your email service
  3. Add DNS record – Create the TXT record at the correct selector subdomain
  4. Wait for propagation – DNS changes can take up to 48 hours
  5. Test – Send a test email and verify DKIM passes

Each email service has specific instructions. Common platforms include:

  • Google Workspace
  • Microsoft 365
  • Mailchimp
  • SendGrid
  • Amazon SES

Common DKIM Issues

Record Not Found

  • DNS record not published or wrong selector name
  • DNS hasn't propagated yet (wait 24-48 hours)
  • Typo in the subdomain name

Signature Verification Failed

  • Public key doesn't match private key
  • Email was modified in transit
  • Incorrect key format in DNS

Multiple Records Conflict

  • Two TXT records with the same selector name
  • Solution: Remove duplicates, ensure one record per selector

DKIM Best Practices

  • Use 2048-bit keys when possible for stronger security
  • Rotate keys periodically (annually or when staff with access leave)
  • Keep private keys secure – Never share or expose them
  • Use unique selectors for each email service
  • Monitor DKIM status through DMARC reports
  • Test after changes to ensure signatures are valid

DKIM and Other Protocols

DKIM works best as part of a complete authentication strategy:

  • SPF – Verifies the sending server is authorized
  • DKIM – Verifies message authenticity and integrity
  • DMARC – Ties them together with policy and alignment checking

For a complete overview, see our Email Authentication Complete Guide.

Summary

DKIM provides:

  • Authenticity – Cryptographic proof emails came from your domain
  • Integrity – Verification that content wasn't modified
  • Trust – Improved reputation with email providers
  • Compliance – Required by Google and Yahoo for bulk senders

Without DKIM, you're missing a critical layer of email authentication that receiving servers use to determine whether to trust your messages.
