What Is DKIM (DomainKeys Identified Mail)?
DKIM (DomainKeys Identified Mail) is an email authentication protocol that verifies whether a message was sent from an authorized mail server and whether its content has remained unchanged in transit. It works by attaching a digital signature to each outgoing email, allowing the receiving server to validate the message using a public key published in the sender’s DNS. This ensures both authenticity and integrity, protecting against spoofing and message tampering.
By cryptographically signing messages, DKIM helps mail providers and recipients confirm that emails truly come from the claimed domain. It is a foundational layer in email security, working alongside SPF and DMARC to prevent forged messages and maintain trust between senders and recipients.
DKIM uses a pair of cryptographic keys (one private and one public) to validate messages. The sending mail server uses the private key to generate a digital signature for specific parts of the message (typically the headers and body). This signature is added to the email in a header field called DKIM-Signature.
The receiving mail server retrieves the public key from a DNS TXT record whose name is built from the selector and the signing domain (the s= and d= tags of the signature). Using this public key, it verifies that the message was indeed signed by the domain and that its content hasn’t been modified.
Example of a DKIM signature header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; h=from:to:subject:date; bh=abc123...; b=def456...
In this example:
d=example.com identifies the signing domain.
s=selector1 identifies the specific public key in DNS.
bh= represents the hash of the message body.
b= contains the actual cryptographic signature.
When the message is received, the system verifies the signature using the corresponding public key located at:
selector1._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD..."
DKIM ensures that a message originates from the claimed domain and hasn’t been altered by intermediaries during delivery. This helps mail providers build sender reputation and trust, improving inbox placement and reducing false positives in spam filtering.
Key benefits of DKIM include:
Because DKIM signatures persist through forwarding (unlike SPF checks), they provide consistent validation across complex mail flows such as mailing lists, CRM systems, and third-party senders.
Implementing DKIM correctly involves careful key management and domain setup. Common best practices include:
selector._domainkey.example.com
Incorrectly configured or expired DKIM keys can cause legitimate messages to fail authentication, resulting in delivery issues or reduced sender reputation. Routine audits help maintain consistent, trusted signing practices.
DMARCeye continuously analyzes DKIM authentication results across all your domains and subdomains. The platform identifies missing or invalid DKIM records, weak keys, and alignment failures that could affect DMARC compliance.
DMARCeye also visualizes which selectors are in use, how messages perform across different sending services, and where signature verification fails. By simplifying DKIM management and monitoring, DMARCeye helps organizations maintain secure, trusted email authentication that supports higher deliverability and stronger domain protection.