DKIM (DomainKeys Identified Mail)
A cryptographic signature added to email headers so receiving servers can verify the message was not altered and came from an authorized sender.
What is DKIM?
DKIM, or DomainKeys Identified Mail, is a DNS-based email authentication method that attaches a cryptographic signature to each outgoing message. Receiving servers fetch the sender's public key from DNS and use it to verify that the message was not tampered with in transit and was authorized by the domain owner.
Why it matters
Without DKIM, any server on the internet can forge mail claiming to be from your domain. Modern mailbox providers including Gmail and Yahoo now reject or quarantine unauthenticated bulk mail outright. DKIM is also a prerequisite for DMARC enforcement, so every team that runs a sending domain needs it configured correctly.
How it works
The sending server computes a hash of selected headers and the body, signs that hash with a private key, and adds a DKIM-Signature header to the message. The receiving server extracts the selector and domain from the signature, queries DNS for the public key, and verifies the signature. A DNS record looks like this:
selector1._domainkey.acme.io IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN..."
Multiple selectors let you rotate keys without downtime.
Examples
- A startup publishing a 2048-bit DKIM key at s1._domainkey.example.com before their first campaign
- A platform using one selector per environment so staging and production sign independently
- An ops team rotating from sk2024 to sk2025 selectors with overlapping publication windows
Best practices
- Use at least 2048-bit RSA keys; 1024 is considered weak
- Rotate keys at least once per year and keep the previous selector live during transition
- Sign the From, Subject, Date, and To headers at minimum
- Let Sendkit provision and rotate your DKIM keys automatically when possible
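The lookup step from "How it works" and the signed-header check from the list above, as an added example (not Sendkit's code and not part of the original page). It parses a DKIM-Signature value, derives the DNS name a receiver would query, and reports headers left unsigned or a selector with no usable key. The function names, the dict standing in for DNS, and the sample signature and record are assumptions constructed for illustration.

```python
import re

RECOMMENDED = {"from", "subject", "date", "to"}   # minimum set from the best practices above
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")  # mandatory signature tags, RFC 6376

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature value or DNS key record)."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # first '=' only: base64 may end in '='
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace in values
    return tags

def audit(header_value, dns_txt):
    """Return (lookup_name, findings); dns_txt is a dict standing in for DNS TXT lookups."""
    sig = parse_tags(header_value)
    missing = [t for t in REQUIRED_TAGS if t not in sig]
    if missing:
        return None, ["signature missing tag(s): " + ", ".join(missing)]
    # The receiver builds the query name from the selector (s=) and domain (d=).
    name = f"{sig['s']}._domainkey.{sig['d']}"
    findings = []
    signed = {h.lower() for h in sig["h"].split(":")}
    unsigned = sorted(RECOMMENDED - signed)
    if unsigned:
        findings.append("recommended headers not signed: " + ", ".join(unsigned))
    record = dns_txt.get(name)
    if record is None:
        findings.append("no key record at " + name)
    elif not parse_tags(record).get("p"):
        findings.append("no usable key at " + name + " (empty or missing p=)")
    return name, findings

# Constructed sample data (not a real signature or key): the signer already uses
# selector sk2025, but DNS still publishes only sk2024.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sk2025;\r\n"
              "\th=from:date:message-id; bh=Q09OU1RSVUNURUQ=;\r\n"
              "\tb=Q09OU1RSVUNU RUQ=")
SAMPLE_DNS = {"sk2024._domainkey.example.com": "v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="}

if __name__ == "__main__":
    name, findings = audit(SAMPLE_SIG, SAMPLE_DNS)
    print("lookup:", name)
    for finding in findings:
        print(" -", finding)
```

Running the same audit over outbound mail during a selector rotation shows whether the new selector is published before the signer switches to it.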
FAQs
What is a DKIM selector?
A selector is a label that lets you publish multiple DKIM keys for the same domain. It appears in the signature header and determines which DNS record the receiver looks up.
Does DKIM encrypt my email?
No. DKIM only signs the message to prove authenticity and integrity. The body remains readable to anyone who intercepts it unless TLS is also in use.
Why did my DKIM signature fail after setup?
Common causes include a mail gateway rewriting the body, line-ending changes, or a mismatched selector in DNS. Check the Authentication-Results header added by the receiving server to see the exact failure reason.