
What is DKIM?

DomainKeys Identified Mail (DKIM) is a method of email authentication that helps prevent spammers and other malicious parties from impersonating a legitimate domain.

Every email address has a domain (the part after the "@"). Attackers often try to impersonate these domains to carry out phishing attacks. DKIM, alongside SPF and DMARC, makes it significantly harder for attackers to succeed. Emails that fail these checks are typically marked as spam or rejected entirely.


How Does DKIM Work?

DKIM relies on two main components: a DKIM record stored in the DNS and a DKIM header attached to every outgoing email.

Public Key Cryptography

DKIM uses a digital signature scheme based on a pair of cryptographic keys:

  1. Private Key: Used by the sender's email provider to "sign" the message.
  2. Public Key: Stored by the domain owner in a public DNS record.

When an email is received, the recipient's server retrieves the public key from the DNS to verify the digital signature. If the signature matches the content, the email is authenticated.

The Tamper-Proof Seal: DKIM also ensures integrity. If the email body or headers are altered in transit, the digital signature will fail verification—much like a broken seal on a medicine container.


What is a DKIM Record?

A DKIM record is a DNS TXT ("text") record that stores the public key. While some domains use CNAMEs to point to a key, the official RFC requirement is a TXT record.

Example of a DKIM DNS TXT Record:

| Name | Type | Content (Value) | TTL |
|---|---|---|---|
| big-email._domainkey.example.com | TXT | v=DKIM1; p=76E629F05F70... | 3600 |

Breakdown of the Record Name:

DKIM records use a specialized format: [selector]._domainkey.[domain]

  • Selector: A unique value issued by your email provider (e.g., big-email). It allows you to have multiple DKIM keys for different services.
  • ._domainkey.: A mandatory part of every DKIM record name.
  • Domain: Your actual email domain (e.g., example.com).

The DKIM Header and Signature

The digital signature is attached to the email as part of the DKIM header. While usually hidden, you can see it in the "original" or "source" view of an email.

Example Header Breakdown:

v=1; a=rsa-sha256; d=example.com; s=big-email; h=from:to:subject; bh=uMixy0Bs...; b=LiIvJeRy...

  • v=: The version of DKIM.
  • d=: The sender's domain name.
  • s=: The selector used for the DNS lookup.
  • h=: The list of header fields used to create the signature (From, To, Subject).
  • bh=: The Body Hash. A mathematical "snapshot" of the email content.
  • a=: The algorithm used (e.g., rsa-sha256, meaning RSA with SHA-256).
  • b=: The actual Digital Signature, generated from the headers and body hash using the private key.
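The record-name format and the header tags described above can be exercised together. The following is an added example, not code from the original page: it parses the tag list, derives the DNS name a verifier would query, and recomputes bh= to show the integrity check catching an altered body. The function names and the sample message are constructed for illustration, CRLF line endings are assumed, and verifying b= itself (the RSA signature over the headers) is out of scope.

```python
import base64, hashlib, re

def parse_tags(value: str) -> dict:
    """Split a DKIM tag list ("k=v; k=v") into a dict, removing folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(sig: dict) -> str:
    """DNS name a verifier queries for the public key: [selector]._domainkey.[domain]."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization ("simple" or "relaxed")."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse whitespace runs, drop trailing whitespace per line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    out = b"".join(ln + b"\r\n" for ln in lines)
    return out if out or mode == "relaxed" else b"\r\n"  # simple: empty body is one CRLF

def body_hash(body: bytes, sig: dict) -> str:
    """Recompute the bh= value the way a verifier does (l= body length tag not handled)."""
    algo = sig["a"].split("-", 1)[1]  # "rsa-sha256" -> "sha256"
    if algo != "sha256":
        raise ValueError(f"unsupported hash: {algo}")
    parts = sig.get("c", "simple/simple").split("/")
    mode = parts[1] if len(parts) > 1 else "simple"  # c=header/body, body defaults to simple
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def body_intact(header_value: str, body: bytes) -> bool:
    sig = parse_tags(header_value)
    return body_hash(body, sig) == sig["bh"]

# Constructed sample: tags mirror the header shown above; bh= is computed here and
# b= is a placeholder, because checking b= needs the real RSA key and header hashing.
BODY = b"Quarterly report attached.\r\n"
TAGS = "v=1; a=rsa-sha256; d=example.com; s=big-email; h=from:to:subject"
HEADER = f"{TAGS}; bh={body_hash(BODY, parse_tags(TAGS))}; b=PLACEHOLDER"

if __name__ == "__main__":
    print(key_record_name(parse_tags(HEADER)))              # name to look up in DNS
    print(body_intact(HEADER, BODY))                        # untouched body
    print(body_intact(HEADER, BODY + b"\r\n\r\n"))          # extra trailing blank lines
    print(body_intact(HEADER, BODY.replace(b"report", b"invoice")))  # altered body
```

Because the sample header has no c= tag, the body is hashed with "simple" canonicalization, so even a doubled space inside a line changes bh=; only trailing empty lines are ignored.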

DKIM, SPF, and DMARC

DKIM does not work in isolation. It is one part of the standard email security triad as of 2026:

  1. SPF: Checks if the sending server's IP is authorized.
  2. DKIM: Checks the cryptographic signature of the message.
  3. DMARC: Instructs the receiving server what to do (reject/quarantine) if SPF or DKIM fails.

Together, these protocols ensure your professional brand remains protected and your emails reach the intended inbox.


Optimize Your Email Security

In the competitive landscape of 2026, failing a DKIM check can result in your business proposals landing in the spam folder. If you are using a reliable email provider, ensuring your DKIM selectors are correctly updated in your DNS is a high-priority task.
