What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication standard that adds a cryptographic signature to outgoing emails. The signature lets receiving servers verify that the email actually came from your domain and hasn't been altered in transit.
Where SPF checks who is sending (the mail server), DKIM checks what was sent (the message itself).
How DKIM works
- When you send an email, your mail server generates a digital signature using a private key. This signature is added to the email headers as a DKIM-Signature header.
- You publish the corresponding public key in your domain's DNS as a TXT record:
  selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
- When a receiving server gets the email, it:
  - Looks up the public key in your DNS using the selector (s=) and domain (d=) from the DKIM-Signature header
  - Uses the public key to verify the signature
  - If the signature is valid, the email passes DKIM
- If the message was altered in transit (even a single character), the signature becomes invalid and DKIM fails.
DKIM and DMARC alignment
Like SPF, DKIM must not just pass — it must align with the From: header domain for DMARC to count it. The d= value in the DKIM signature must match (or be a subdomain of) the From: domain.
Alignment can be:
- Strict — exact domain match required
- Relaxed (default) — subdomain match is acceptable (e.g., mail.yourdomain.com aligns with yourdomain.com)
DKIM selectors
A selector is a label that allows multiple DKIM keys to coexist for the same domain. This is useful when different services send email for you — each service uses its own selector and key pair.
Example: google._domainkey.yourdomain.com and mailchimp._domainkey.yourdomain.com can both be valid DKIM records for the same domain simultaneously.
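As an added example (not part of this article or of the DMARC+ product), the following Python script pulls the d= and s= tags out of a DKIM-Signature header, derives the DNS name a verifier would query, checks strict and relaxed alignment against the From: domain, and classifies a published DKIM TXT record, flagging an empty p= as a revoked key. It goes slightly beyond the text above: relaxed mode also treats a From: subdomain signed by its parent domain as aligned, using a suffix match as a stand-in for DMARC's organizational-domain comparison; the header, address and key values are constructed samples.

```python
import re

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (signature header or DNS TXT record).
    Folding whitespace inside values (e.g. a wrapped b= tag) is removed."""
    value = re.sub(r"^DKIM-Signature:\s*", "", value, flags=re.I)
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def dkim_dns_name(sig: dict) -> str:
    """DNS name a verifier queries: <selector>._domainkey.<d= domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def from_domain(from_header: str):
    """Domain of the RFC5322.From address, lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else None

def is_aligned(signing_domain: str, from_dom: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment. Strict: exact match. Relaxed: one domain is
    the other or a subdomain of it (approximates the organizational-domain test)."""
    s, f = signing_domain.lower().rstrip("."), from_dom.lower().rstrip(".")
    if s == f:
        return True
    if mode == "strict":
        return False
    return s.endswith("." + f) or f.endswith("." + s)

def dkim_record_status(txt: str) -> str:
    """Classify a published DKIM TXT record: 'ok', 'revoked' (empty p=), 'invalid'."""
    rec = parse_tags(txt)
    if rec.get("v", "DKIM1") != "DKIM1" or "p" not in rec:
        return "invalid"
    return "revoked" if rec["p"] == "" else "ok"

# Constructed sample header and From: address (not a real key or signature).
SAMPLE_SIG = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; "
              "d=mail.yourdomain.com; s=google; h=from:to:subject:date;\n"
              " bh=ZmFrZWJvZHloYXNo=; b=ZmFrZXNp\n Z25hdHVyZQ==")
SAMPLE_FROM = "Alice <alice@YourDomain.com>"

if __name__ == "__main__":
    sig = parse_tags(SAMPLE_SIG)
    print("lookup:", dkim_dns_name(sig))
    for mode in ("relaxed", "strict"):
        print(mode, "aligned:", is_aligned(sig["d"], from_domain(SAMPLE_FROM), mode))
    print(dkim_record_status("v=DKIM1; k=rsa; p="))  # old selector left with empty key
```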
Setting up DKIM
DKIM setup is done on the sending side (your mail server or email service):
- Generate a key pair — most email services do this for you (Google Workspace, Microsoft 365, Mailchimp, etc.)
- Publish the public key — the service will give you a DNS TXT record to add to your domain
- Verify — use DMARC+ to confirm the DKIM record resolves correctly and emails are signing properly
Why emails fail DKIM
| Cause | Explanation |
|---|---|
| No DKIM set up for a sending service | The service doesn't sign emails — add DKIM in its settings |
| DNS record not published | You configured DKIM in the service but didn't add the DNS TXT record |
| Key rotation | Old key is still in DNS but the service started using a new key |
| Email forwarding | Some forwarders modify email content, breaking the signature |
| Alignment failure | The d= domain in the signature doesn't match the From: header |
DKIM key rotation best practice
Rotate DKIM keys annually (or after any suspected key compromise). To rotate safely:
- Generate a new key pair
- Publish the new public key in DNS alongside the old one (different selector)
- Update the service to start using the new private key
- After a few days (once all in-flight email has been verified), remove the old DNS record