What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method defined in RFC 6376. It uses asymmetric cryptography — a private key signs outgoing messages on your mail server, and a public key published in DNS allows any receiving server to verify that signature. If the message was tampered with after signing, the signature breaks.
Unlike SPF, DKIM authenticates the message content itself (headers and/or body), not just the sending IP. This makes it resilient to email forwarding scenarios where the sender's IP changes.
Why do you need DKIM?
1Message integrity
Proves the email body and headers have not been modified since it left your server
2Survives forwarding
Signature is embedded in the email, not tied to the sending IP — stays valid through relays
3Required for DMARC
DMARC can use DKIM alignment as the basis for pass/fail decisions
4Deliverability boost
Gmail, Outlook, and others heavily reward DKIM-signed mail in filtering decisions
How DKIM works — step by step
You generate a public/private key pair and configure your mail server to use the private key.
You publish the public key as a DNS TXT record at `selector._domainkey.yourdomain.com`.
When you send an email, the mail server hashes selected headers and the body, then signs that hash with the private key.
The signature is added as a `DKIM-Signature` header on the email.
The receiving server reads the `DKIM-Signature`, fetches the public key from DNS, decrypts the signature, and re-hashes the message to compare.
A match means the message is authentic and unaltered. A mismatch indicates tampering or a misconfiguration.
DKIM DNS record (public key)
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADC...AQABKey fields
v=DKIM1— version identifierk=rsa— key type (rsa or ed25519)p=— base64-encoded public keyh=— acceptable hash algorithms (sha256)s=— service type (email or *)t=s— strict mode flagDKIM-Signature header (in the email)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=yourdomain.com; s=mail2024;
h=from:to:subject:date:message-id;
bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
b=mY93xZ...Signature field meanings
Common DKIM problems
Body modification
Some mailing lists or virus scanners alter the body, breaking the bh= body hash
Missing DNS record
Verify your TXT record is published and propagated before sending
Wrong selector
The s= in the signature must match the selector in the DNS record name
Key length too short
Use at least 2048-bit RSA keys. 1024-bit keys are considered insecure and rejected by some providers
Frequently Asked Questions
DKIM (DomainKeys Identified Mail) is a cryptographic authentication method that adds a digital signature to your emails. This signature allows receiving servers to verify that the email was indeed authorized by the domain owner and, more importantly, that the message content hasn't been tampered with or altered during transit between servers.
A DKIM selector is a unique string used to locate the specific public key in your DNS records. It allows a single domain to have multiple DKIM keys for different services (e.g., marketing, support). You can usually find the selector in your email service provider's (ESP) authentication settings or by inspecting the headers of a sent email for the 's=' tag.
A missing DKIM record usually points to one of three issues: the selector name is incorrect, the record hasn't finished propagating through global DNS, or the TXT record was added to the wrong domain level. Always double-check the selector provided by your ESP and ensure there are no extra spaces or hidden characters in your DNS entry.
Yes, you can and should have multiple DKIM records if you use multiple email services. Each service will use a unique selector (e.g., google._domainkey, mandrill._domainkey), allowing them to exist simultaneously in your DNS without conflict. This is a best practice for maintaining security across different platforms.
The selector is the prefix in your DKIM DNS record (selector._domainkey.yourdomain.com). Google Workspace typically uses google, Microsoft 365 uses selector1 and selector2, and SendGrid uses s1 and s2. You can also read the DKIM-Signature header of a sent email and look at the s= tag to find it.
It means the checker couldn't find a valid key at the selector you queried, usually because the record wasn't published, the selector is wrong, or DNS hasn't propagated yet. Confirm the exact selector from your email provider, re-publish the TXT or CNAME record in DNS, and recheck after propagation.