Skip to main content

DNS

DKIM: Cryptographically Signing Your Email

A digital signature that proves your messages were not altered.

Quick answer

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving server uses a public key published in your DNS to verify the message genuinely came from your domain and was not tampered with in transit.

DKIM complements SPF by signing messages with a private key held by your mail provider. Recipients fetch the matching public key from your DNS to confirm authenticity and integrity, which improves deliverability and helps DMARC pass.

Check your website

See how your site handles dkim: cryptographically signing your email — free, no account needed.

For business owners

DKIM is what lets mailbox providers trust that an email really is from you and has not been modified — a strong signal that keeps your mail out of spam and protects customers from tampered messages. Together with SPF it forms the foundation every serious sender needs before enforcing DMARC.

How it works (technical)

Your mail provider signs outgoing messages with a private key and adds a DKIM-Signature header. You publish the matching public key as a DNS TXT record at a selector:

selector1._domainkey.example.com  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."

The receiver reads the selector from the signature header, fetches the key, and verifies the hash of specified headers and the body. Rotate keys periodically and use at least a 2048-bit RSA key. Multiple selectors let you run several senders or rotate keys without downtime.

Real-world example

A SaaS product sent transactional email through a provider but never published the DKIM key it was given. Messages passed SPF but not DKIM, so DMARC alignment failed and password-reset emails intermittently hit spam. Publishing the provider's DKIM TXT record fixed alignment and deliverability stabilised.

Why it matters

DKIM proves message integrity and origin, and DMARC needs either SPF or DKIM to align. Scanners check that a DKIM record exists for your sending selectors and parses correctly.

How to fix it

  1. Enable DKIM signing in your email/marketing provider to obtain a selector and public key.

  2. Publish the provided public key as a TXT record at selector._domainkey.yourdomain.

  3. Verify signing works by sending a test and inspecting the DKIM-Signature header result.

  4. Use a 2048-bit key and rotate keys periodically using a new selector.

  5. Repeat for every service that sends mail as your domain.

Best practices

  • Sign all outbound mail, including transactional messages.

  • Prefer 2048-bit keys and rotate them without downtime using multiple selectors.

  • Confirm DKIM aligns with your From domain so DMARC can pass on DKIM alone.

Common mistakes

  • Enabling DKIM at the provider but never publishing the DNS key.

  • Copying the key incorrectly (line breaks or truncation break the record).

  • Using weak 1024-bit keys and never rotating them.

Frequently asked questions

What is a DKIM selector?

A label that points to a specific public key in your DNS, letting you run multiple senders and rotate keys. It appears in the DKIM-Signature header as the s= tag.

Is SPF or DKIM better?

Neither replaces the other. SPF authorises servers; DKIM proves integrity and survives forwarding. Use both, then enforce with DMARC.

Put this into practice

See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.

Scan your website free

See Pro plans · Create account