What is DKIM? A Simple Guide to Email Authentication
Learn what DKIM (DomainKeys Identified Mail) is, why it matters for email deliverability, and how it protects your domain from email spoofing.
Last updated: 2026-01-28
Every day, billions of emails are sent across the internet. Unfortunately, many of them are fraudulent—phishing attempts, spam, and spoofed messages pretending to come from legitimate businesses. DKIM is one of the key technologies that helps solve this problem.
What DKIM Stands For
DKIM stands for DomainKeys Identified Mail. It's an email authentication method that lets receiving mail servers verify that an email actually came from the domain it claims to come from—and that it wasn't tampered with along the way.
Think of DKIM as a digital signature for your emails. When you send an email, your mail server adds a cryptographic signature to the message. When the recipient's mail server receives it, it can check that signature against a public key published in your domain's DNS records. If they match, the email is verified.
DKIM doesn't prevent spam by itself. It simply proves that an email genuinely came from your domain. This proof is what allows email providers to trust (or distrust) messages from your domain.
Why DKIM Matters for Email Deliverability
Without DKIM, email providers have no reliable way to verify that messages claiming to be from your domain are legitimate. This creates two problems:
- Your legitimate emails may get flagged as spam. Gmail, Outlook, and other providers increasingly require authentication. Without DKIM, your marketing emails, transactional messages, and business communications are more likely to land in spam folders—or be rejected entirely.
- Attackers can easily spoof your domain. Without DKIM, anyone can send emails that appear to come from your domain. This damages your reputation and can lead to phishing attacks against your customers, partners, and employees.
Starting in 2024, Google and Yahoo began requiring DKIM authentication for bulk email senders. If you send more than 5,000 emails per day to Gmail or Yahoo users, DKIM is no longer optional—it's mandatory.
How DKIM Differs from SPF
You might have heard of SPF (Sender Policy Framework), another email authentication method. While both help verify email authenticity, they work differently:
- SPF checks whether the sending server's IP address is authorized to send email for your domain. It's like a guest list—if the sending server isn't on the list, the email fails SPF.
- DKIM adds a cryptographic signature to the email itself. It proves that the email content hasn't been modified and that it was signed by someone with access to your domain's private key.
The key difference: SPF verifies the server, while DKIM verifies the message. This is why most email security setups use both—they complement each other.
You can check your SPF configuration at spfrecordcheck.com.
The Public and Private Key Concept
DKIM uses a pair of cryptographic keys:
- Private key: Stored securely on your mail server. This key is used to sign outgoing emails. It should never be shared or exposed publicly.
- Public key: Published in your domain's DNS as a TXT record. Anyone can look it up. Receiving servers use this key to verify signatures created by your private key.
When your mail server sends an email, it uses the private key to create a unique signature based on the email's content. The receiving server retrieves your public key from DNS and uses it to verify that signature. If verification succeeds, the email passes DKIM.
This is the same concept used in HTTPS, secure messaging apps, and other cryptographic systems. The beauty is that you can prove ownership without revealing your private key.
What a DKIM Record Looks Like
A DKIM record is a TXT record in your domain's DNS. Here's an example:
selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ..."
Let's break this down:
- selector: A name you choose to identify this specific key (like "google" or "mailchimp")
- _domainkey: A required part of the DKIM record name
- v=DKIM1: The DKIM version
- k=rsa: The key type (RSA is most common)
- p=: Your public key (the long string of characters)
The selector allows you to have multiple DKIM keys for different email services. For example, you might use "google" for Google Workspace emails and "mailchimp" for your marketing emails.
Key length matters
Use 2048-bit keys whenever possible. While 1024-bit keys still work, they're considered less secure. Most modern email services generate 2048-bit keys by default.
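To apply the breakdown and the key-length advice above, this added example (not code from the original page) parses a DKIM TXT value and measures the RSA modulus inside p=. The function names and the sample record, which wraps a dummy modulus rather than a real key, are constructed for illustration.

```python
import base64

def parse_tags(txt):
    """Split a DKIM TXT value ("v=DKIM1; k=rsa; p=...") into a tag dict."""
    pairs = (item.split("=", 1) for item in txt.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(p_value):
    """Bit length of the RSA modulus inside a base64 SubjectPublicKeyInfo."""
    raw = base64.b64decode(p_value)
    _, spki, _ = read_tlv(raw, 0)            # outer SEQUENCE
    _, _, pos = read_tlv(spki, 0)            # AlgorithmIdentifier, skipped
    _, bitstr, _ = read_tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    _, rsakey, _ = read_tlv(bitstr[1:], 0)   # drop the unused-bits byte
    _, modulus, _ = read_tlv(rsakey, 0)      # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt):
    """Return a list of findings for one DKIM TXT record value."""
    tags, findings = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected version")
    if not tags.get("p"):
        findings.append("empty p= (key revoked or missing)")
    elif tags.get("k", "rsa") == "rsa" and rsa_bits(tags["p"]) < 2048:
        findings.append(f"{rsa_bits(tags['p'])}-bit RSA key, below 2048")
    return findings

def der(tag, body):  # DER encoder, used only to build the constructed sample
    raw = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    head = raw if len(body) < 128 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed record: valid SPKI layout around a dummy modulus, not a real key."""
    modulus = b"\x00" + b"\xc3" * (bits // 8)  # leading 0x00 keeps the INTEGER positive
    rsakey = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + rsakey))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

print(check_record(sample_record(1024)), check_record(sample_record(2048)))
```

The 1024-bit sample yields one finding and the 2048-bit sample none. The truncated p= value in the example record above begins with the same DER header that a 1024-bit RSA key produces.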
Setting Up DKIM
The exact setup process depends on your email provider, but the general steps are:
1. Generate your DKIM keys. Most email services (Google Workspace, Microsoft 365, Mailchimp) generate these for you. If you're running your own mail server, you'll need to generate them yourself.
2. Add the public key to DNS. Create a TXT record in your domain's DNS with the public key provided by your email service.
3. Enable DKIM signing. Configure your email service to sign outgoing messages with your private key.
4. Test your configuration. Use a DKIM checker to verify that your record is published correctly and that emails are being signed properly.
If you need to generate a new DKIM record, dkimcreator.com can help you create one.
DKIM and DMARC
DKIM works best when combined with DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC is a policy layer that tells receiving servers what to do when emails fail authentication.
With DMARC, you can instruct email providers to:
- Deliver emails that fail authentication anyway (monitoring mode)
- Quarantine failing emails (send to spam)
- Reject failing emails outright
DMARC also requires "alignment"—the domain in your DKIM signature must match the domain in the email's "From" address. This prevents attackers from using their own valid DKIM signature on spoofed emails.
Check your DMARC configuration at dmarcrecordchecker.com.
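The alignment rule described above, as an added example that is not code from the original page: it reads each DKIM-Signature header of a constructed message, derives the DNS name where that selector's public key lives, and checks whether the signing domain aligns with the From domain. It goes beyond the page by showing DMARC's relaxed (adkim=r, the default) and strict (adkim=s) modes. The message, the domains and the two-label organizational-domain shortcut are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message; bh= and b= are placeholders, so nothing here is verified
# cryptographically. Only the d=/s= tags and the From domain are examined.
RAW = """\
From: Billing <billing@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=google;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=esp-sender.test; s=mailchimp;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: Invoice

Constructed body.
"""

def org_domain(domain):
    """Assumption: the last two labels. Real DMARC consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def dkim_report(raw, adkim="r"):
    """For each signature: (DNS name of its public key, aligned with From?)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
        tags = {k.strip(): v.strip() for k, v in pairs}
        d = tags["d"].lower()
        if adkim == "s":   # strict: d= must equal the From domain exactly
            aligned = d == from_domain
        else:              # relaxed: same organizational domain is enough
            aligned = org_domain(d) == org_domain(from_domain)
        report.append((f"{tags['s']}._domainkey.{d}", aligned))
    return report

print(dkim_report(RAW), dkim_report(RAW, adkim="s"))
```

The second signature could be perfectly valid for its own domain and still would not count toward DMARC for example.com, which is the case the alignment requirement exists to catch.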
Monitor Your DKIM Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.