Nice to meet you.

Enter your email to receive our weekly G2 Tea newsletter with the hottest marketing news, trends, and expert opinions.

What Is DKIM and How Can It Boost Your Email Security?

August 18, 2023


Have you ever received an email from a trusted source that turned out to be a malicious phishing scam?

It's like getting a letter that looks like it's from your bank, but it's a clever forgery trying to dupe you into giving up your personal information. That's where DomainKeys Identified Mail (DKIM) comes in.

Like a holographic seal on a credit card or a watermark on currency, DKIM is an email authentication protocol that verifies the sender's legitimacy and ensures the message has not been tampered with.

Securing your email communication with the help of Domain-Based Message Authentication, Reporting, and Conformance (DMARC) software helps block suspicious email activity and increase security.
DMARC software helps authenticate emails against DKIM and sender-policy framework (SPF) standards.

This process helps ensure the email's authenticity and integrity, as the signature proves that the email has not been tampered with during transit and originates from an IP address associated with the claimed sender.

DKIM is an essential part of modern email infrastructure. When coupled with other authentication methods like SPF and DMARC, it helps ensure a safer and more trustworthy email experience.

Why is DKIM important?

DKIM is an important email authentication method that provides multiple benefits related to email security to its end users. 

  • Email authenticity: DKIM uses cryptographic signatures to validate the sender's domain, enabling the recipient's email system to verify the sender's identity and trust the email content. This helps prevent unauthorized parties from forging emails and sending them on behalf of a domain.
  • Email integrity: The DKIM mechanism ensures that emails are not tampered with while in transit by signing selected parts of the email. The recipient's email system is then able to verify that the content of the signed portions has not been changed since it left the sender's system. This helps maintain the reliability of email communication.
  • Email deliverability: By authenticating emails and proving their integrity, DKIM helps email recipients differentiate legitimate emails from spam and phishing emails. This can lead to better mailbox filtering algorithms and improved deliverability for legitimate senders. Emails with valid DKIM signatures are more likely to make it to recipients' inboxes rather than being marked as spam or rejected.
  • Reduced spam and phishing attacks: Implementing DKIM as part of an email security strategy can help recipients identify and block malicious emails more effectively, reducing the success rate of spam and phishing attacks.
  • Works in conjunction with SPF and DMARC: DKIM can be used alongside other email authentication standards, such as SPF records and DMARC, to create a comprehensive email security ecosystem. This further strengthens the sender's domain reputation and email deliverability.

In summary, DKIM is crucial because it helps ensure email authenticity and integrity while improving deliverability for legitimate senders and reducing the effectiveness of spam and phishing attacks.

How DKIM works

DKIM uses cryptographic digital signatures to authenticate the sender's domain and ensure email integrity. A cryptographic digital signature is used to verify data authenticity. It works by signing outgoing email messages with a digital signature verified by the recipient's email server. Additionally, DKIM validates that the message has yet to be modified in transit.

Here's a step-by-step overview of how DKIM works:

  1. The sender's email system (Mail Transfer Agent) generates a unique DKIM signature for each outgoing email. This is done by:
    • Selecting the email headers and body to be signed. 
    • Hashing the selected parts using a cryptographic hash function. 
    • Encrypting the hash using the sender's domain-specific private key.
  2. The generated DKIM signature is added to the email header, and the email is sent to the recipient.
  3. When the recipient's email system receives the email, it checks for the DKIM signature in the email header.
  4. If the DKIM signature is present, the recipient's email system decrypts it using the sender's public key (obtained from the sender's DNS records).
  5. The recipient's email system then rehashes the selected parts and compares the new hash with the one extracted from the DKIM signature.
  6. If the hashes match, it means the email has not been tampered with and originated from the sender's domain. The email is considered authentic, and the recipient's system proceeds with delivery.
  7. If the hashes do not match or the DKIM signature is missing, the email may be marked as suspicious or treated according to the recipient's email system security policies.

By leveraging the combination of cryptographic hashing and public-private key encryption, DKIM provides a reliable way to authenticate the sender's domain and maintain email integrity.

It is important to note that users must include DKIM in conjunction with other email authentication methods to enhance overall email security and ensure trustworthy email communication by providing a way to verify the authenticity of email messages.

How to set up a DKIM for your domain

To set up DKIM for your custom domain, you can follow these general steps:

  • Generate a public-private key pair. First, generate a public-private key pair using a tool of your choice, such as OpenSSL.
  • Configure your domain's DNS. Create a new TXT DNS record for your domain and publish the public key in it.
  • Enable DKIM signing. In your email software, enable DKIM signing and enter the selector (prefix of the TXT record) and the location of the private key file.

It's important to note that the specific steps and commands may vary depending on your email service provider and software/platform. For more detailed instructions, refer to the documentation provided by your provider or follow a specific tutorial.

What is a DKIM record?

A DKIM record is a TXT record created in the sender's domain's DNS. It serves as a public key counterpart to the private key used for generating DKIM signatures in email headers.

The main purpose of a DKIM record is to enable the recipient's email system to retrieve the sender's public key for decrypting and verifying DKIM signatures in received emails.

The DKIM record usually has the following structure:

  • Domain. The domain linked to the DKIM record, usually in the format, where "selector" is an identifier chosen by the domain owner for differentiating between multiple DKIM keys, and "" is the sender's domain.
  • Type. Always set as TXT for DKIM records.
  • Value. The value of a DKIM record contains the DKIM key information, including the version, key type, algorithms, public key, and other optional elements.

By having the DKIM record available in the sender's DNS, the recipient's email systems can perform DKIM checks and verify the authenticity and integrity of received emails, ultimately helping to improve email security and reduce email spoofing and phishing attacks.

How to set up a DKIM record

Setting up a DKIM record largely depends on the email system and DNS provider you're using. However, the general steps are as follows:

  • Generate the DKIM keys. The first step is to generate a pair of DKIM keys (private and public). You usually do this on your email system, where there is usually a tool or option for DKIM key generation. When you generate these keys, the private key is installed on your email server, while the public key is used to create the DKIM record in your DNS.
  • Create the DKIM record. After obtaining the public key, you must create a DKIM record in your domain's DNS. The DKIM record is a TXT record. When creating the record, you must specify a selector (an identifier for the key) and the public key.

    The format for the DKIM record typically looks like this:, where selector is the identifier you chose, _domainkey is a constant part of the record, and is your domain.

    The value of the TXT record includes the DKIM version, key type, and the actual public key, formatted like this:
    v=DKIM1; k=rsa; p=your_public_key

    You insert the actual public key part where it says your_public_key.
  • Publish the DKIM record. Once you've finished setting up the record with the correct values, you need to publish it. This usually involves saving the record or clicking on a 'publish' button in your DNS system.
  • Verify your DKIM record. To ensure the DKIM record is working correctly, DKIM verification is key. Many email systems offer a verification tool where you can check the status of your DKIM records.

Remember, the specific steps and tools might vary depending on your email system (like Office 365, Google Workspace, Microsoft, etc.) and your DNS provider. If you encounter any issues, it would be best to refer to the specific documentation of your system or contact their support.

What is a DKIM record check?

A DKIM record check is a process that verifies whether a domain has a correct DKIM record set up. The purpose of the DKIM record is to store a public key used to verify the messages signed by the private key. Most online tools that offer DKIM record checks verify the domain name, the public key's syntax, and the DNS entries set up on the corresponding domains.

One example of a DKIM record check tool provided by MxToolbox performs DKIM testing against a domain name and selector for a valid published DKIM key record. It tests the domain-level digital signature authentication framework for email by allowing a signing domain to assert responsibility for a message in transit.

Overall, running a DKIM record check can help identify potential issues in your email authentication setup and help ensure that your messages are delivered to recipients securely. Secure email gateway software can further be used to filter spam emails and prevent malicious spammers from attacking the end users.  

What is a DKIM selector?

A DKIM selector is a string used by the outgoing mail server to locate the private key to sign an email message and by the receiving mail server to locate the public key in the DNS to verify the integrity of the email message. 

The selector is part of a domain's DKIM record and is specified by the "s=" tag in the DKIM-Signature header field. The selector helps to support multiple DKIM key records for a single domain and is an arbitrary string that helps with the DKIM Public Key identification process.

What is DKIM authentication?

DKIM uses a pair of cryptographic keys, one public and one private, to sign outgoing email messages. The public key is published in the organization's DNS records as a TXT record, and the private key is kept secret by the sender.

When an email message is sent using DKIM, it includes a digital signature in the message header. The receiving email server can use the sender's public DKIM key to verify the signature. If the signature doesn't match, it means the message was modified during transmission or wasn't sent by a legitimate sender.

In more technical terms, DKIM uses a hash function to produce an encrypted digest of specific parts of the email message body and header, which are then signed using the sender's private key. The digest and the sender's domain name are then added to the message header as a digital signature.

The receiving server can retrieve the public key for the sender's domain from the DNS records and use it to verify the digital signature. If the signature matches the digest, the email message is authenticated and trustworthy.

By verifying the DKIM signature of incoming emails, organizations can ensure that emails sent by their domain are delivered successfully and prevent email phishing and spoofing attacks.

What is a DKIM signature?

A DKIM signature is a unique, encrypted string of characters created by the sender's email system during the DKIM email authentication process. The signature's main function is to verify the sender's domain and ensure the email's integrity during transit between the sender and the recipient. 

When an email is sent using DKIM, the sender's email server attaches a digital signature to the message. This signature is generated using an encryption algorithm and a private key that is unique to the sender's domain. The public key corresponding to this private key is stored as a DNS record.

When the email is received by the recipient's email server, it checks the DKIM signature by retrieving the corresponding public key from the sender's DNS record. The server then uses this public key to decrypt the signature and verify its authenticity. If the signature matches, it means that the email has not been altered or tampered with since it was sent. DKIM signatures also provide information about the domain that sent the email. 

In summary, a DKIM signature is a digital signature that verifies the authenticity and integrity of an email message. It helps prevent email tampering and ensures that the email is indeed sent by the claimed domain.

How to verify an email signature 

To verify a DKIM signature, the receiving email server needs to follow these general steps:

  • Retrieve the DKIM public key: The email server retrieves the sender's DKIM public key from the DNS records using the selector specified in the DKIM signature header in the incoming email.
  • Retrieve the message header and body: The email server extracts the message header and body from the incoming email.
  • Recalculate the digest: The email server calculates the message body's hash using the hash algorithm specified in the DKIM-Signature header.
  • Verify the signature: The email server verifies the signature by decrypting the signature using the retrieved public key and comparing the result with the recalculated digest. If they match, the email is considered authentic and trustworthy; otherwise, it may indicate that it was modified during transit or sent by an unauthorized sender.

It's important to note that the specific commands and libraries for verifying DKIM signatures may vary depending on the programming language and platform you use. You can find libraries and tools for verifying DKIM signatures, such as DKIMpy for Python and DKIMVerifier for .NET.

Additionally, it's recommended to check other email authentication mechanisms, such as SPF and DMARC, to provide a more comprehensive email security approach.


DKIM and SPF are two types of email authentication protocols.

DKIM adds a digital signature to an email to verify that the message was not only sent from the purported domain but also that the message itself was not altered during transit.

SPF, on the other hand, works by verifying the sending mail server against a list of authorized sending servers for a given domain. If the server is not authorized, the receiving server has a few options for handling the questionable email.

DMARC, on the other hand, is used to take advantage of the verification process performed by DKIM (as well as SPF) and allows email senders to instruct email receivers on how to handle messages that fail authentication. Specifically, DMARC policies define how email receivers should evaluate incoming messages against established authentication standards, such as DKIM and SPF, and what actions to take if an email fails these checks.

So while DKIM is primarily used for sender authentication, DMARC provides an additional layer of security by enabling domain owners to specify how receivers should handle email that fails authentication. By deploying both DKIM and DMARC, domain owners can significantly reduce the risk that their domain will be used for phishing and spoofing attacks, and improve email deliverability.

Top 5 DMARC software 

DMARC is a technical specification and email authentication protocol designed to give email domain owners the ability to protect their domains from unauthorized use like email phishing and spoofing attacks.

To enable DMARC, domain owners publish a DMARC policy in their DNS records that indicate which authentication methods (such as SPF and/or DKIM) should be used to verify incoming email messages, and how email receivers should handle messages that don't pass the verification checks.

There are various DMARC software solutions available, both paid and free, that help organizations implement DMARC policies and provide detailed reporting on email authenticity across various email providers.


DKIM: Frequently asked questions

Q. Can I have multiple DKIM records? 

A. Yes. Users can have multiple DKIM records in the DNS. Every DKIM key is associated with a different DKIM selector added to the signature. This allows the receiver to understand which keys are used for validation.

Q. What is Gappssmtp? 

A. Gmail Simple Mail Transfer Protocol (SMTP) or Gappssmtp is an email-sending protocol provided by Google. It is the standard protocol for email sharing over the internet. Gappssmtp helps configure email applications or server settings to ensure emails can be sent through Gmail servers while preserving the “sent from” address as the sender's domain.

Gappssmtp ensures safety and reliability without the need for a separate server. Set up the server with the following: 

SMTP Server: SMTP Port: 587 Encryption: TLS (Transport Layer Security)

When composing an email, you would set the 'From' address as your own domain (for example, When the recipient receives the email, it will appear as if it was sent directly from your domain, despite being sent through Gmail's servers.

Q. Do I need a certificate to run DKIM?

A. No. A certificate isn’t required to run DKIM. It gives users a quick way to create, set up, or destroy keys.

Q. How can I test if DKIM was configured correctly? 

A. After a DKIM has been added, it must be validated with an online DKIM analyzer. There are various free DKIM analyzers available online. Another method of checking validation is sending a test email to Gmail or Yahoo to verify whether the email arrives with a DKIM signature.

To do so, expand the email header by clicking on the triangle icon below the sender’s name. If the domain name appears for “sent-by” and “signed-by”, the email was configured correctly. 

Q. Does DKIM ensure emails have end-to-end encryption? 

A. DKIM acts more as a mediator to ensure that the email hasn’t been tampered with during the transit to the recipient server. It doesn’t ensure end-to-end encryption. 

Q. What does a DKIM header look like? 

A. A typical DKIM header looks like this:

DKIM-Signature: v=1; a=rsa-sha256;
c=relaxed/simple;; s=selector1;

Let's break down the parts of the DKIM header:

  • DKIM-Signature: This identifies the beginning of the DKIM header.
  • v: The version of the DKIM signature being used.
  • a: The algorithm used for signing the email (e.g., rsa-sha256).
  • c: The canonicalization algorithm used to prepare the message for signing.
  • d: The domain name associated with the DKIM record.
  • s: The DKIM selector, which specifies the key used for signing.
  • h: The headers included in the signature.
  • bh: The encrypted hash value of the email body.
  • b: The actual DKIM signature value.

Please note that the actual DKIM header may vary depending on the specific email service or software being used.

Say goodbye to email spoofing

DKIM is one piece of the puzzle. It verifies the sender's domain and the email's integrity via cryptographic signatures, helping combat email forgery, spoofing, and tampering. By adopting DKIM and other such email security measures, you are on your way forward to a secure, trustworthy, and fruitful email communication and authentication environment.

Slight changes to your email deliverability practices can bring exceptional results to your email strategies. Learn more!

DMARC software Flagged as spam

Secure your email, enhance deliverability, and maintain your business credibility with DMARC software.

DMARC software Flagged as spam

Secure your email, enhance deliverability, and maintain your business credibility with DMARC software.

What Is DKIM and How Can It Boost Your Email Security? Improve your email security with DomainKeys Identified Mail (DKIM). Learn how to protect your email domain from phishing attacks, fraud, and other attacks.
Tanuja Bahirat Tanuja Bahirat is a content marketing specialist at G2. She has over three years of work experience in the content marketing space and has previously worked with the ed-tech sector. She specializes in the IT security persona, writing on topics such as DDoS protection, DNS security, and IoT security solutions to provide meaningful information to readers. Outside work, she can be found cafe hopping or exploring ways to work on health and fitness. Connect with her on LinkedIn.

Never miss a post.

Subscribe to keep your fingers on the tech pulse.

By submitting this form, you are agreeing to receive marketing communications from G2.