DKIM (DomainKeys Identified Mail)
Definition
An email authentication method that uses cryptographic signatures to verify the sender domain and message integrity.
Expanded Explanation
What Is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify two things: that the email was sent from the domain it claims to be from, and that the message has not been altered in transit. When you send an email with DKIM configured, your mail server attaches a digital signature to the message header. The receiving server checks this signature against a public key published in your domain's DNS — if they match, DKIM passes.
How DKIM Works Technically
Your mail server hashes specific parts of the email (selected headers and the body) and signs that hash with a private key that only you control. The resulting signature is encoded and attached to the email as a DKIM-Signature header. When the receiving server gets the message, it looks up your domain's DKIM public key in DNS, independently hashes the same email components, and uses the public key to verify the signature against its own result. A match means the message is authentic and unaltered. A mismatch means something went wrong: the message was modified in transit, or someone is forging your domain.
DKIM Selectors
DKIM uses a "selector" — a label that tells receiving servers which public key to use when checking the signature. This allows you to have multiple DKIM keys for different sending purposes (e.g., one for your marketing platform, one for your transactional email service, one for your main mail server). Each key is published as a TXT record at [selector]._domainkey.yourdomain.com. Using unique selectors per sending service is a best practice for security and management.
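An added example (not from the original page) of the verifier-side steps described above: it derives the selector's DNS name from a DKIM-Signature header, checks the key record for a usable key, and recomputes the body hash under RFC 6376 relaxed canonicalization. The domain, selector, message and key record are constructed sample data, and the RSA verification of b= is left out because it needs a crypto library.

```python
import base64
import hashlib
import re

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (DKIM-Signature header or DNS key record)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Simplification: drop all whitespace, including header folding.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(sig: dict) -> str:
    """DNS name of the TXT record that holds the public key."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value expected in the bh= tag for a *-sha256 signature."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def check(sig_header: str, key_txt: str, body: bytes):
    """Return (DNS name to query, list of problems). Does not verify b=."""
    sig, key = parse_tags(sig_header), parse_tags(key_txt)
    problems = []
    # c= is header/body; an omitted body part means "simple".
    body_canon = (sig.get("c", "simple") + "/simple").split("/")[1]
    if not key.get("p"):
        problems.append("empty or missing p=: key revoked or not published")
    if not sig.get("a", "").endswith("sha256"):
        problems.append("signature does not use SHA-256")
    elif body_canon != "relaxed":
        problems.append("body canonicalization not handled by this example")
    elif body_hash(body) != sig.get("bh"):
        problems.append("body hash mismatch: body changed after signing")
    return key_record_name(sig), problems

# Constructed sample data; bh= is computed here to stand in for the signer.
BODY = b"Hello,\r\n\r\nYour invoice is attached.  \r\n\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mktg2024; "
       "h=from:to:subject; bh=" + body_hash(BODY) + "; b=CONSTRUCTEDPLACEHOLDER")
KEY_TXT = "v=DKIM1; k=rsa; p=CONSTRUCTEDPLACEHOLDERKEY"
```

Relaxed canonicalization tolerates the whitespace changes that relays commonly make, so only a change to the body's content produces a mismatch.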
DKIM and DMARC
DKIM is one of the two authentication methods that DMARC builds on (the other being SPF). For DMARC to pass, at least one of SPF or DKIM must pass and align with the domain in the "From" header. In practice, DKIM is often the more reliable DMARC signal, because the signature travels with the message and isn't affected by email forwarding the way SPF can be. Configuring DKIM properly is a prerequisite for an effective DMARC deployment.
Checking Your DKIM Configuration
Use EmailVerify.io's free DKIM Checker at emailverify.io/tools/dkim-checker to verify that your DKIM records are correctly configured for your domain and selectors. Common issues include missing public keys, incorrect selector configuration in your ESP settings, and keys that have been rotated without updating DNS. DKIM failures silently hurt deliverability — they're often invisible until you actively check.
DKIM Key Rotation
Security best practices recommend rotating DKIM keys periodically (every 6–12 months) to limit exposure if a private key is compromised. Key rotation involves generating a new key pair, publishing the new public key in DNS under a new selector, updating your mail server to sign with the new key, and eventually retiring the old selector. Most major ESPs handle DKIM key management automatically — but if you're running your own mail server, this is a manual process that needs to be on your maintenance calendar.
Why DKIM Matters for Deliverability
DKIM is now effectively required for reaching the inbox at major providers. Google and Yahoo's 2024 bulk sender requirements explicitly mandate DKIM authentication. Beyond compliance, DKIM-signed email is treated more favorably by spam filters because it provides cryptographic proof of authenticity — something no spammer can fake without access to your private key.