DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving server uses a public key published in your DNS to verify the message genuinely came from your domain and was not tampered with in transit.
DKIM complements SPF by signing messages with a private key held by your mail provider. Recipients fetch the matching public key from your DNS to confirm authenticity and integrity, which improves deliverability and helps DMARC pass.
Check your website
See how your site handles dkim: cryptographically signing your email — free, no account needed.
For business owners
DKIM is what lets mailbox providers trust that an email really is from you and has not been modified — a strong signal that keeps your mail out of spam and protects customers from tampered messages. Together with SPF it forms the foundation every serious sender needs before enforcing DMARC.
How it works (technical)
Your mail provider signs outgoing messages with a private key and adds a DKIM-Signature header. You publish the matching public key as a DNS TXT record at a selector:
selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
The receiver reads the selector from the signature header, fetches the key, and verifies the hash of specified headers and the body. Rotate keys periodically and use at least a 2048-bit RSA key. Multiple selectors let you run several senders or rotate keys without downtime.
Real-world example
A SaaS product sent transactional email through a provider but never published the DKIM key it was given. Messages passed SPF but not DKIM, so DMARC alignment failed and password-reset emails intermittently hit spam. Publishing the provider's DKIM TXT record fixed alignment and deliverability stabilised.
Why it matters
DKIM proves message integrity and origin, and DMARC needs either SPF or DKIM to align. Scanners check that a DKIM record exists for your sending selectors and parses correctly.
How to fix it
Enable DKIM signing in your email/marketing provider to obtain a selector and public key.
Publish the provided public key as a
TXTrecord atselector._domainkey.yourdomain.Verify signing works by sending a test and inspecting the
DKIM-Signatureheader result.Use a 2048-bit key and rotate keys periodically using a new selector.
Repeat for every service that sends mail as your domain.
Best practices
Sign all outbound mail, including transactional messages.
Prefer 2048-bit keys and rotate them without downtime using multiple selectors.
Confirm DKIM aligns with your From domain so DMARC can pass on DKIM alone.
Common mistakes
Enabling DKIM at the provider but never publishing the DNS key.
Copying the key incorrectly (line breaks or truncation break the record).
Using weak 1024-bit keys and never rotating them.
Frequently asked questions
What is a DKIM selector?
A label that points to a specific public key in your DNS, letting you run multiple senders and rotate keys. It appears in the DKIM-Signature header as the s= tag.
Is SPF or DKIM better?
Neither replaces the other. SPF authorises servers; DKIM proves integrity and survives forwarding. Use both, then enforce with DMARC.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free