DKIM (DomainKeys Identified Mail)
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to emails, proving they were sent by you and haven't been tampered with.
DKIM (DomainKeys Identified Mail) is an email authentication protocol that allows a sender to “sign” an email with a digital signature. This signature provides cryptographic proof that the email was indeed sent from your domain and that its content was not modified in transit.
TL;DR
- What it is: A digital “watermark” for your emails that proves authenticity.
- Verification: Receiving servers check the signature against a public key in your DNS.
- Integrity: Ensures the body and headers of the email weren’t altered in transit.
- Deliverability: Critical for building domain reputation and passing DMARC alignment.
- Selector: A unique identifier that allows you to have multiple DKIM keys for different services.
What DKIM is (simple explanation)
Imagine you are sending a sealed letter through the mail. SPF is like the return address on the envelope (verifying where it came from). DKIM is like a wax seal on the letter itself. If the seal is unbroken when it arrives, the recipient knows the letter is authentic and hasn’t been tampered with.
What DKIM actually verifies
Unlike SPF, which only checks the sender’s IP address, DKIM verifies the message content itself. The sending server hashes selected parts of the email (such as the “From” address, the subject line, and the body), signs the resulting hash with your private key, and attaches the signature to the email as a header.
How DKIM works
DKIM relies on public/private keys:
- The Signature: Your email server uses a private key to sign outgoing emails.
- The Record: You publish the corresponding public key in DNS as a TXT record.
- The Check: Gmail/Outlook fetch the public key and verify the signature. If it matches, the email is authenticated.
DKIM signatures explained
A DKIM signature appears in headers as DKIM-Signature. Common tags:
- v=1: Version
- a=rsa-sha256: Algorithm
- d=gtmvector.net: Signing domain
- s=selector1: Selector (key ID)
- bh=...: Body hash
- b=...: Signature
How DKIM affects email deliverability
DKIM is a primary trust signal for mailbox providers. Passing DKIM helps:
- Inbox placement: Your mail looks like it’s coming from a legitimate sender.
- DMARC alignment: DMARC passes if SPF or DKIM aligns with the visible From domain. DKIM is often more reliable because it survives forwarding better than SPF.
Common DKIM mistakes that cause failures
- Mismatched keys: Private key doesn’t match the public key in DNS.
- Wrong selector: Server signs with s=selectorA but DNS has selectorB.
- Truncated DNS record: Some providers split long DKIM keys; bad formatting breaks validation.
- Body modifications: Forwarders or tools that add footers can break DKIM because the signed content changes.
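To make the wrong-selector and body-modification failures concrete, here is an added example (not code from this page or from any mail provider) that parses a DKIM-Signature value, derives the DNS name a receiver queries for the public key, and recomputes the bh= body hash. The domain example.com, the message bodies and the b= placeholder are constructed; the code assumes a=rsa-sha256, ignores the optional l= tag, and does not verify the RSA signature in b=.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is not significant
    return tags

def dns_name(tags: dict) -> str:
    """TXT record name where the receiver looks up the public key (RFC 6376)."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization from RFC 6376: 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are ignored in both modes
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, tags: dict) -> str:
    """Recompute bh= (assumes a=rsa-sha256 and no l= length tag)."""
    # c= is "header/body"; the body part defaults to simple when absent
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def body_intact(body: bytes, tags: dict) -> bool:
    return body_hash(body, tags) == tags["bh"]

# Constructed sample data: domain, selector and bodies are made up
SIGNED_BODY = b"Hi Sam,\r\nquarterly numbers attached.\r\n"
REFLOWED_BODY = b"Hi  Sam, \r\nquarterly numbers attached.\r\n\r\n"
FOOTER_BODY = SIGNED_BODY + b"-- \r\nSent via a mailing list\r\n"
BH = body_hash(SIGNED_BODY, {"c": "relaxed/relaxed"})  # what the signer would compute
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
                 f" s=selector1; h=from:subject; bh={BH}; b=PLACEHOLDER")

if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_HEADER)
    print(dns_name(tags), [body_intact(b, tags) for b in (SIGNED_BODY, REFLOWED_BODY, FOOTER_BODY)])
```

Under relaxed body canonicalization the whitespace-only change still matches bh=, while the appended footer does not, which is the failure a receiver reports as a body hash mismatch.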
How to check if DKIM is set up correctly
- Send a test email to a Gmail inbox or Mail-Tester.
- In Gmail, open Show original and look for DKIM: PASS.
- Use DNS checkers (MXToolbox etc.) to confirm your selector record exists.
DKIM pass vs fail
- Pass: Providers are confident the email is authentic and unchanged.
- Fail: Providers treat the email as suspicious. With strict DMARC (p=reject) it may bounce; otherwise it often lands in spam.
DKIM vs SPF
| Feature | SPF | DKIM |
|---|---|---|
| Verifies | Sending IP | Signature + message integrity |
| Breaks on forwarding | Yes | Usually no |
| Complexity | Low | Medium |
DKIM vs SPF vs DMARC
| Protocol | Purpose | Benefit |
|---|---|---|
| SPF | Authorized senders | Prevents unauthorized IPs |
| DKIM | Signature + integrity | Proves email wasn’t modified |
| DMARC | Enforcement/reporting | Tells providers what to do on failures |
FAQ
Does DKIM encrypt my emails?
No. DKIM signs emails, it doesn’t encrypt them.
What is a DKIM selector?
A selector lets you have multiple DKIM keys (one per sending tool) under the same domain.
Can I have multiple DKIM records?
Yes, as long as each uses a different selector.
Will DKIM stop spam placement?
No. DKIM proves identity. If your list or copy is bad, you can still hit spam.