What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication protocol that adds a digital signature to every email you send. This signature lets the recipient’s mail server verify two things:
- The email actually came from the claimed domain
- The email content wasn’t modified in transit
How DKIM works
DKIM uses public key cryptography. There are two keys:
- Private key — kept secret on SendKit’s servers. Used to sign each email.
- Public key — published in your DNS as a TXT record. Used by recipients to verify the signature.
Signing
The hash is encrypted with your domain’s private key, and the encrypted hash (signature) is added to the email header.
Recipient receives the email
The recipient’s mail server looks up the public key in your DNS at sendkit._domainkey.yourdomain.com.
Verification
The server decrypts the signature using the public key and creates its own hash of the received email.
The DKIM signature header
When DKIM signs an email, it adds a DKIM-Signature header. Here’s what it looks like:
| Field | Meaning |
|---|---|
| v | Version (always 1) |
| a | Signing algorithm (rsa-sha256 is standard) |
| c | Canonicalization — how the email is normalized before hashing |
| d | The signing domain (your domain) |
| s | The selector — identifies which key to look up in DNS |
| h | The headers that were signed |
| bh | Hash of the email body |
| b | The actual signature |
DKIM with SendKit
When you add a domain in SendKit, we generate a unique DKIM key pair for your domain. You publish the public key as a DNS record:
| Field | Value |
|---|---|
| Type | TXT |
| Name | sendkit._domainkey.yourdomain.com |
| Value | v=DKIM1; k=rsa; p=<your-public-key> |
| TTL | 3600 |
The sendkit part is the selector. It tells receiving servers which public key to use when verifying the signature. A domain can have multiple selectors for different services.
The public key is unique to your domain and generated by SendKit. Always copy it from the domain detail page — don’t try to create your own.
Selectors
A selector is a label that points to a specific DKIM key. It’s part of the DNS record name:
| Selector | Service |
|---|---|
| sendkit._domainkey.acme.com | SendKit |
| google._domainkey.acme.com | Google Workspace |
| s1._domainkey.acme.com | Marketing tool |
Key rotation
DKIM keys should be rotated periodically to maintain security. If a private key is ever compromised, an attacker could sign emails that pass DKIM verification. Key rotation involves:
- Generating a new key pair
- Publishing the new public key in DNS (with a new selector or the same selector)
- Switching to the new private key for signing
- Removing the old public key after a transition period
SendKit handles key management for you. If key rotation is needed, we’ll notify you with instructions to update your DNS record.
Common DKIM issues
| Problem | Cause | Fix |
|---|---|---|
| DKIM none | No DKIM signature found | Ensure the email is being sent through SendKit (not directly) |
| DKIM fail | Signature doesn’t match | Check that the DNS record value matches exactly what SendKit provided. Some DNS providers add extra characters |
| DKIM permerror | Public key not found in DNS | Verify the TXT record exists at the correct name (sendkit._domainkey.yourdomain.com) |
| DKIM temperror | DNS timeout | Usually transient. Check your DNS provider’s status |
DNS record formatting issues
Some DNS providers have trouble with long TXT records. DKIM public keys are long strings, and some providers:
- Truncate the value — make sure the full key is saved
- Add quotes incorrectly — the value should not include extra quotes beyond what your provider requires
- Split into multiple strings — some providers automatically split long TXT records. This is fine as long as the full value is preserved
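The three formatting problems above can be checked mechanically once you have the TXT record's strings from a DNS lookup. The following is an added example, not SendKit's code: the function names are hypothetical, the input is assumed to be the list of character-strings the lookup returned, and the sample key is constructed filler rather than a real key.

```python
import base64
import binascii

def parse_dkim_txt(strings):
    """Join the TXT record's character-strings and split into tag=value pairs."""
    record = "".join(strings)  # split strings are concatenated with no separator
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # whitespace in values is ignorable
    return tags

def der_is_complete(der):
    """True if the outer DER SEQUENCE's declared length matches the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        header, declared = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, declared = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + declared

def check_dkim_record(strings):
    """Return a list of problems found in a DKIM TXT record (empty list = looks fine)."""
    problems = []
    if any('"' in s for s in strings):
        problems.append("literal quote characters inside the value")
    tags = parse_dkim_txt([s.replace('"', "") for s in strings])
    if tags.get("v") != "DKIM1":
        problems.append("missing or wrong v=DKIM1 tag")
    key = tags.get("p", "")
    if not key:
        problems.append("empty or missing p= public key")
        return problems
    try:
        der = base64.b64decode(key, validate=True)
    except binascii.Error:
        problems.append("p= is not valid base64 (truncated or extra characters)")
        return problems
    if not der_is_complete(der):
        problems.append("p= decodes but the key is truncated or malformed")
    return problems

# Constructed sample: DER-shaped filler standing in for a real key (not a usable RSA key).
SAMPLE_KEY = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
```

A record split across several strings passes as long as the joined value is intact; a key cut short fails either the base64 check or the DER length check, depending on where the cut falls.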
FAQ
Does DKIM encrypt my emails?
No. DKIM signs your emails — it proves authenticity and integrity. It does not encrypt the content. For encryption in transit, see TLS.
Can I use the same DKIM key for multiple domains?
Technically yes, but it’s not recommended. Each domain should have its own key pair for better security and isolation. SendKit generates a unique key for each domain you add.
What happens if I change DNS providers?
You need to re-add the DKIM TXT record at your new DNS provider. The record name and value stay the same — just copy them from the SendKit domain detail page.

