What Is DKIM and How Can It Boost Your Email Security?

September 30, 2025


Your email reputation can make or break a campaign. But what happens when your carefully crafted messages land in spam folders, or worse, get spoofed by scammers posing as your brand?

That’s where DomainKeys Identified Mail (DKIM) steps in. 

Think of it as a verified sender badge for your domain, proof that your emails are authentic, untampered, and genuinely sent by you.

Marketers love DKIM for its impact on deliverability. IT teams rely on it to block spoofing and phishing attempts. And business leaders trust it to safeguard brand credibility.

When paired with Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC), DKIM forms the foundation of a secure, reliable email ecosystem that protects both your domain and your customers.

Many organizations use DMARC software to automate authentication across DKIM and SPF standards, ensuring stronger protection and better visibility into suspicious email activity.

TL;DR: DKIM quick guide

  • What is it: DKIM adds a digital signature to emails to prove they’re genuine and haven’t been tampered with.
  • Why it matters: It improves deliverability, builds sender trust, and protects your domain from spoofing and phishing.
  • How DKIM works: Uses a private key to sign outgoing messages and a public DNS key to verify authenticity on receipt.
  • How to set it up: Generate keys, publish the public key as a DNS TXT record, and enable DKIM signing in your email platform.
  • What is a DKIM record? A DNS TXT record storing your public key so recipient servers can validate your signature.
  • What is a DKIM selector? An identifier that tells receiving servers which public key to use for verification.
  • What is DKIM authentication? The process of validating that an email originated from your domain and hasn’t been modified.
  • How to verify DKIM: Send a test email or use tools like MxToolbox to confirm “DKIM: PASS” in the header.
  • How to fix DKIM issues: Check DNS records, selector configuration, and alignment settings, and use relaxed canonicalization if needed.
  • What are some tools that help with DKIM: DMARC platforms like Valimail, DMARC Report, Red Sift OnDMARC, and EasyDMARC help monitor, analyze, and manage DKIM at scale.

Why is DKIM important?

DKIM is an important email authentication method that provides multiple benefits related to email security to its end users. 

  • Email authenticity: DKIM uses cryptographic signatures to validate the sender's domain, enabling the recipient's email system to verify the sender's identity and trust the email content. This helps prevent unauthorized parties from forging emails and sending them on behalf of a domain.
  • Email integrity: The DKIM mechanism ensures that emails are not tampered with while in transit by signing selected parts of the email. The recipient's email system is then able to verify that the content of the signed portions has not been changed since it left the sender's system. This helps maintain the reliability of email communication.
  • Email deliverability: By authenticating emails and proving their integrity, DKIM helps email recipients differentiate legitimate emails from spam and phishing emails. This can lead to better mailbox filtering algorithms and improved deliverability for legitimate senders. Emails with valid DKIM signatures are more likely to make it to recipients' inboxes rather than being marked as spam or rejected.
  • Reduced spam and phishing attacks: Implementing DKIM as part of an email security strategy can help recipients identify and block malicious emails more effectively, reducing the success rate of spam and phishing attacks.
  • Works in conjunction with SPF and DMARC: DKIM can be used alongside other email authentication standards, such as SPF records and DMARC, to create a comprehensive email security ecosystem. This further strengthens the sender's domain reputation and email deliverability.

In fact, major inbox providers like Gmail and Yahoo now require large-scale senders to meet specific authentication standards. If you send marketing or transactional emails at scale, you must have SPF, DKIM, and DMARC properly configured, maintain spam complaint rates below 0.3%, and support one-click unsubscribe via the List-Unsubscribe header to comply with updated bulk-sender policies.

These changes make email authentication not just a best practice, but a deliverability requirement for every brand that relies on email communication. So, how does DKIM actually verify your messages behind the scenes? Let’s take a closer look.

How does DKIM work?

DKIM uses cryptographic digital signatures to authenticate the sender's domain and ensure email integrity. A digital signature is a way to verify data authenticity: the sender signs each outgoing email message, and the recipient's email server verifies that signature. In doing so, DKIM also confirms that the message has not been modified in transit.

Here's a step-by-step overview of how DKIM works:

  1. The sender's email system (the Mail Transfer Agent) generates a unique DKIM signature for each outgoing email. This is done by:
    • Selecting the email headers and body to be signed.
    • Hashing the selected parts using a cryptographic hash function.
    • Signing (in effect, encrypting) the hash using the sender's domain-specific private key.
  2. The generated DKIM signature is added to the email header, and the email is sent to the recipient.
  3. When the recipient's email system receives the email, it checks for the DKIM signature in the email header.
  4. If the DKIM signature is present, the recipient's email system verifies (decrypts) it using the sender's public key, obtained from the sender's DNS records.
  5. The recipient's email system then rehashes the selected parts and compares the new hash with the one extracted from the DKIM signature.
  6. If the hashes match, the email has not been tampered with and originated from the sender's domain. The email is considered authentic, and the recipient's system proceeds with delivery.
  7. If the hashes do not match or the DKIM signature is missing, the email may be marked as suspicious or treated according to the recipient's email system security policies.
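To make the steps above concrete, here is an added example that is not code from the original article, written in Go with only the standard library. It canonicalizes a message with the "relaxed" rules from RFC 6376, computes the body hash that goes into the bh= tag, signs the header hash with the private key, and then verifies the result the way a receiving server would. The Message type, the function names, and the sample message in the usage note are my own constructions; Verify takes the public key as a parameter where a real verifier would fetch it from the selector._domainkey TXT record, and the header lookup is exact-case for brevity.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Message is a minimal parsed email: header fields by name plus the body.
type Message struct {
	Headers map[string]string
	Body    string
}

var wsp = regexp.MustCompile(`[ \t]+`)
var bTag = regexp.MustCompile(`(^|;)(\s*)b=[^;]*`) // the b= tag, blanked before hashing

// relaxedBody is RFC 6376 "relaxed" body canonicalization: trailing whitespace and
// blank lines dropped, whitespace runs collapsed to one space, CRLF line endings.
func relaxedBody(body string) string {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = wsp.ReplaceAllString(strings.TrimRight(l, " \t"), " ")
	}
	if out := strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n"); out != "" {
		return out + "\r\n"
	}
	return ""
}

// relaxedHeader canonicalizes one field: lowercase name, unfolded value with
// whitespace collapsed, no whitespace around the colon.
func relaxedHeader(name, value string) string {
	v := strings.TrimSpace(wsp.ReplaceAllString(strings.ReplaceAll(value, "\r\n", ""), " "))
	return strings.ToLower(name) + ":" + v + "\r\n"
}

// parseTags splits a DKIM tag list ("v=1; a=rsa-sha256; ...") into a map.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// headerHash hashes the h= fields in order, then the DKIM-Signature field itself
// with an empty b= value and no trailing CRLF (RFC 6376 section 3.7).
func headerHash(m Message, signed []string, dkimTags string) []byte {
	h := sha256.New()
	for _, name := range signed {
		if v, ok := m.Headers[name]; ok { // exact-case lookup, for brevity
			h.Write([]byte(relaxedHeader(name, v)))
		}
	}
	h.Write([]byte(strings.TrimSuffix(relaxedHeader("DKIM-Signature", dkimTags), "\r\n")))
	return h.Sum(nil)
}

// Sign returns the DKIM-Signature header value for m (rsa-sha256, relaxed/relaxed).
func Sign(m Message, domain, selector string, priv *rsa.PrivateKey, signed []string) (string, error) {
	bh := sha256.Sum256([]byte(relaxedBody(m.Body)))
	tags := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(m, signed, tags))
	if err != nil {
		return "", err
	}
	return tags + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks m's DKIM-Signature with pub, the key a real verifier would fetch
// from the TXT record at <s>._domainkey.<d>. Error text mirrors common
// Authentication-Results wording.
func Verify(m Message, pub *rsa.PublicKey) error {
	hdr, ok := m.Headers["DKIM-Signature"]
	if !ok {
		return fmt.Errorf("dkim=none: DKIM-Signature header missing")
	}
	tags := parseTags(hdr)
	if tags["a"] != "rsa-sha256" || tags["c"] != "relaxed/relaxed" {
		return fmt.Errorf("dkim=neutral: unsupported algorithm or canonicalization")
	}
	// Body hash first: a mismatch means the body was changed after signing.
	got := sha256.Sum256([]byte(relaxedBody(m.Body)))
	if tags["bh"] != base64.StdEncoding.EncodeToString(got[:]) {
		return fmt.Errorf("dkim=fail: body hash did not verify")
	}
	// Then the header hash, recomputed over the same h= list with b= emptied.
	sig, _ := base64.StdEncoding.DecodeString(tags["b"])
	hashed := headerHash(m, strings.Split(tags["h"], ":"), bTag.ReplaceAllString(hdr, "${1}${2}b="))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashed, sig) != nil {
		return fmt.Errorf("dkim=fail: bad signature (signed headers changed or wrong key)")
	}
	return nil
}
```

To try it, generate a key with rsa.GenerateKey(rand.Reader, 2048), build a Message with From, To and Subject headers and a short body, call Sign with those three header names, add the returned value as the DKIM-Signature header, and call Verify. Changing only whitespace in the body (extra spaces, trailing blank lines) still verifies, which is what relaxed canonicalization buys you; changing a word fails with "body hash did not verify", editing the Subject fails with "bad signature", and verifying against some other key fails as well, which is exactly why a spoofer cannot produce a passing signature for your domain.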

By leveraging the combination of cryptographic hashing and public-private key encryption, DKIM provides a reliable way to authenticate the sender's domain and maintain email integrity.

Understanding the concept is one thing; implementing it correctly is another. Here’s how you can set up DKIM for your own domain.

How to set up DKIM for your domain

To set up DKIM for your custom domain, you can follow these general steps:

  • Generate a public-private key pair. First, generate a public-private key pair using a tool of your choice, such as OpenSSL.
  • Configure your domain's DNS. Create a new TXT DNS record for your domain and publish the public key in it.
  • Enable DKIM signing. In your email software, enable DKIM signing and enter the selector (prefix of the TXT record) and the location of the private key file.

It's important to note that the specific steps and commands may vary depending on your email service provider and software/platform. For more detailed instructions, refer to the documentation provided by your provider or follow a specific tutorial.

The above steps give you an overview of enabling DKIM for your domain, but it helps to understand the technical pieces that make DKIM work: the record, selector, signature, and authentication process. These components work together to verify your emails and protect your domain from spoofing.

What is a DKIM record?

A DKIM record is a TXT record created in the sender's domain's DNS. It serves as a public key counterpart to the private key used for generating DKIM signatures in email headers.

The main purpose of a DKIM record is to enable the recipient's email system to retrieve the sender's public key for decrypting and verifying DKIM signatures in received emails.

The DKIM record usually has the following structure:

  • Domain. The domain linked to the DKIM record, usually in the format selector._domainkey.example.com, where "selector" is an identifier chosen by the domain owner for differentiating between multiple DKIM keys, and "example.com" is the sender's domain.
  • Type. Always set as TXT for DKIM records.
  • Value. The value of a DKIM record contains the DKIM key information, including the version, key type, algorithms, public key, and other optional elements.

By having the DKIM record available in the sender's DNS, the recipient's email systems can perform DKIM checks and verify the authenticity and integrity of received emails, ultimately helping to improve email security and reduce email spoofing and phishing attacks.

How to set up a DKIM record

Setting up a DKIM record largely depends on the email system and DNS provider you're using. However, the general steps are as follows:

  • Generate the DKIM keys. The first step is to generate a pair of DKIM keys (private and public). You usually do this on your email system, where there is usually a tool or option for DKIM key generation. When you generate these keys, the private key is installed on your email server, while the public key is used to create the DKIM record in your DNS.
  • Create the DKIM record. After obtaining the public key, you must create a DKIM record in your domain's DNS. The DKIM record is a TXT record. When creating the record, you must specify a selector (an identifier for the key) and the public key.

    The format for the DKIM record typically looks like this:

    selector._domainkey.yourdomain.com, where selector is the identifier you chose, _domainkey is a constant part of the record, and yourdomain.com is your domain.

    The value of the TXT record includes the DKIM version, key type, and the actual public key, formatted like this:

    v=DKIM1; k=rsa; p=your_public_key

    You insert the actual public key part where it says your_public_key.
  • Publish the DKIM record. Once you've finished setting up the record with the correct values, you need to publish it. This usually involves saving the record or clicking on a 'publish' button in your DNS system.
  • Verify your DKIM record. To ensure the DKIM record is working correctly, DKIM verification is key. Many email systems offer a verification tool where you can check the status of your DKIM records.

Remember, the specific steps and tools might vary depending on your email system (like Office 365, Google Workspace, Microsoft, etc.) and your DNS provider. If you encounter any issues, it would be best to refer to the specific documentation of your system or contact their support.

What is a DKIM record check?

A DKIM record check is a process that verifies whether a domain has a correct DKIM record set up. Most online tools that offer DKIM record checks verify the domain name, the public key's syntax, and the DNS entries set up on the corresponding domains.

It can help identify potential issues in your email authentication setup and help ensure that your messages are delivered to recipients securely. Secure email gateway software can further be used to filter spam emails and prevent malicious spammers from attacking the end users.  

Every DKIM record also contains a selector, an identifier that points email servers to the correct DKIM key when verifying messages. Let's look at it.

What is a DKIM selector?

A DKIM selector is a string used by the outgoing mail server to locate the private key to sign an email message and by the receiving mail server to locate the public key in the DNS to verify the integrity of the email message. 

The selector is part of a domain's DKIM record and is specified by the "s=" tag in the DKIM-Signature header field. The selector helps to support multiple DKIM key records for a single domain and is an arbitrary string that helps with the DKIM Public Key identification process.

Together, the DKIM record and selector help the receiving server find and verify the public key used to authenticate your emails. Once found, the server checks your email’s digital signature against it. That’s where DKIM authentication comes in.

What is DKIM authentication?

DKIM uses a pair of cryptographic keys, one public and one private, to sign outgoing email messages. The public key is published in the organization's DNS records as a TXT record, and the private key is kept secret by the sender.

When an email message is sent using DKIM, it includes a digital signature in the message header. The receiving email server can use the sender's public DKIM key to verify the signature. If the signature doesn't match, it means the message was modified during transmission or wasn't sent by a legitimate sender.

In more technical terms, DKIM uses a hash function to produce a digest of specific parts of the email message body and header, and that digest is then signed using the sender's private key. The signed digest and the sender's domain name are then added to the message header as the digital signature.

The receiving server can retrieve the public key for the sender's domain from the DNS records and use it to verify the digital signature. If the signature matches the digest, the email message is authenticated and trustworthy.

By verifying the DKIM signature of incoming emails, organizations can ensure that emails sent by their domain are delivered successfully and prevent email phishing and spoofing attacks.

What is a DKIM signature?

A DKIM signature is a unique, encrypted string of characters created by the sender's email system during the DKIM email authentication process. The signature's main function is to verify the sender's domain and ensure the email's integrity during transit between the sender and the recipient. 

When an email is sent using DKIM, the sender's email server attaches a digital signature to the message. This signature is generated using an encryption algorithm and a private key that is unique to the sender's domain. The public key corresponding to this private key is stored as a DNS record.

When the email is received by the recipient's email server, it checks the DKIM signature by retrieving the corresponding public key from the sender's DNS record. The server then uses this public key to decrypt the signature and verify its authenticity. If the signature matches, it means that the email has not been altered or tampered with since it was sent. DKIM signatures also provide information about the domain that sent the email. 

In summary, a DKIM signature is a digital signature that verifies the authenticity and integrity of an email message. It helps prevent email tampering and ensures that the email is indeed sent by the claimed domain.

How to verify an email signature 

Once you’ve set up your DKIM record, selector, and signature process, the final step is to confirm that everything works correctly. That’s where DKIM verification comes in. To verify a DKIM signature, the receiving email server needs to follow these general steps:

  • Retrieve the DKIM public key: The email server retrieves the sender's DKIM public key from the DNS records using the selector specified in the DKIM signature header in the incoming email.
  • Retrieve the message header and body: The email server extracts the message header and body from the incoming email.
  • Recalculate the digest: The email server recomputes the hash of the message body and of the signed headers using the hash algorithm specified in the DKIM-Signature header, and compares the body hash with the bh= value carried in that header.
  • Verify the signature: The email server verifies the signature by decrypting it with the retrieved public key and comparing the result with the recalculated header digest. If they match, the email is considered authentic and trustworthy; otherwise, it may have been modified during transit or sent by an unauthorized sender.

It's important to note that the specific commands and libraries for verifying DKIM signatures may vary depending on the programming language and platform you use. You can find libraries and tools for verifying DKIM signatures, such as DKIMpy for Python and DKIMVerifier for .NET.

How to troubleshoot DKIM failures and authentication issues

Even after setting up DKIM correctly, you may occasionally see authentication failures or “DKIM: fail” messages in email headers. These issues usually stem from configuration errors, DNS problems, or message modifications during transit.

Here are the most common DKIM problems and how to fix them:

  • dkim=fail (bad signature). What it means: The message content or headers were altered after being signed, so the signature no longer matches. How to fix it: Use relaxed canonicalization (for example, c=relaxed/relaxed) in your DKIM setup to tolerate minor changes, and avoid email footers or disclaimers added after signing.
  • No key for signature. What it means: The recipient’s server can’t find the DKIM public key in DNS for the selector listed in the email. How to fix it: Check that your DKIM TXT record exists under selector._domainkey.yourdomain.com and is publicly visible, using a DKIM record checker.
  • Body hash did not verify. What it means: The email body changed slightly in transit, often due to content filters, signatures, or line wrapping. How to fix it: Exclude mutable headers from DKIM signing, or switch to relaxed canonicalization, and make sure intermediate servers aren’t modifying content.
  • Key length too short (less than 1024 bits). What it means: You’re using an outdated or weak DKIM key. How to fix it: Rotate and upgrade to a 2048-bit RSA key, and delete old 512- or 1024-bit keys from DNS.
  • DKIM alignment fail (d= domain mismatch). What it means: The DKIM signing domain doesn’t match the visible “From” domain, causing a DMARC alignment failure. How to fix it: Align your DKIM domain with your “From” domain; use the same root domain or enable relaxed alignment in your DMARC policy.
  • DKIM signature missing. What it means: The email was sent without a DKIM signature at all. How to fix it: Make sure DKIM signing is turned on in your email service (e.g., Google Workspace, Microsoft 365, SendGrid), and verify selectors and private key access.
  • Emails from third-party tools failing DKIM. What it means: Different platforms (marketing, CRM, billing) use separate sending domains or keys. How to fix it: Ensure each vendor signs emails with your domain’s DKIM or their own aligned domain, and add their DKIM records if needed.

What's the difference between DKIM, SPF, and DMARC?

Now that you know how to set up and troubleshoot DKIM, let’s look at how it compares to the other authentication methods, SPF (Sender Policy Framework) and DMARC, and why all three work best together. DKIM and SPF are two core email authentication protocols.

DKIM adds a digital signature to each email, verifying that the message was truly sent from the claimed domain and that its contents haven’t been altered in transit.

SPF, on the other hand, checks whether the sending mail server is authorized to send emails on behalf of a domain. If the sender isn’t listed in the SPF record, the receiving server may flag, quarantine, or reject the message.

DMARC builds on both SPF and DKIM. It lets domain owners instruct receiving servers on how to handle messages that fail authentication and provides visibility through reports. In other words, DMARC aligns SPF and DKIM with the visible “From” domain to prevent spoofing and phishing.

So while DKIM verifies message integrity and SPF authenticates sending servers, DMARC enforces policy, closing the loop by ensuring unauthenticated messages don’t reach your customers. Together, these three standards form the backbone of modern email security and deliverability. 

Here's a detailed comparison of all three email authentication protocols, feature by feature.

  • Primary function. DKIM: Verifies that an email’s content and sender domain haven’t been altered or forged. SPF: Verifies that the sending mail server is authorized to send emails on behalf of a domain. DMARC: Defines how email receivers should handle messages that fail SPF or DKIM checks and sends reports back to the domain owner.
  • How it works. DKIM: Adds a digital signature to the email header using a private key; receivers validate it with the public key in DNS. SPF: Checks the “envelope-from” domain against authorized IP addresses listed in DNS SPF records. DMARC: Aligns results of SPF and DKIM with the “From” domain and enforces a policy (none, quarantine, or reject).
  • Protects against. DKIM: Message tampering and domain spoofing. SPF: Unauthorized mail servers sending on behalf of your domain. DMARC: Domain impersonation, phishing, and spoofing, by enforcing authentication results.
  • Email header used. DKIM: DKIM-Signature. SPF: Return-Path or “envelope-from”. DMARC: Aligns with the “From” header in the visible sender address.
  • DNS record type. DKIM: TXT record (selector._domainkey.example.com). SPF: TXT record (v=spf1 include:...). DMARC: TXT record (_dmarc.example.com).
  • Alignment with From. DKIM: Optional (“relaxed” or “strict”). SPF: Optional (“relaxed” or “strict”). DMARC: Required; the DMARC policy defines acceptable alignment.
  • Reporting. DKIM: No native reporting. SPF: No native reporting. DMARC: Sends aggregate (rua) and forensic (ruf) reports to the domain owner.
  • Example record. DKIM: v=DKIM1; k=rsa; p=MIIBIjANB........ SPF: v=spf1 include:_spf.google.com ~all DMARC: v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.com

What are the top tools that help with DKIM? 

There are various DMARC software solutions available, both paid and free, that help organizations implement DMARC policies, monitor compliance across mail streams, and get detailed visibility into spoofing attempts, making it far easier to protect your domain and improve deliverability.


DKIM: Frequently asked questions (FAQs)

Q. Can I have multiple DKIM records? 

A. Yes. Users can have multiple DKIM records in the DNS. Every DKIM key is associated with a different DKIM selector added to the signature. This allows the receiver to understand which keys are used for validation.

Q. What is Gappssmtp? 

A. Gmail Simple Mail Transfer Protocol (SMTP) or Gappssmtp is an email-sending protocol provided by Google. It is the standard protocol for email sharing over the internet. Gappssmtp helps configure email applications or server settings to ensure emails can be sent through Gmail servers while preserving the “sent from” address as the sender's domain.

Gappssmtp ensures safety and reliability without the need for a separate server. Set up the server with the following: 

SMTP Server: smtp.gmail.com
SMTP Port: 587
Encryption: TLS (Transport Layer Security)

When composing an email, you would set the 'From' address as your own domain (for example, info@abccompany.com). When the recipient receives the email, it will appear as if it was sent directly from your domain, despite being sent through Gmail's servers.

Q. Do I need a certificate to run DKIM?

A. No. A certificate isn’t required to run DKIM; the public key is published directly in DNS, which gives users a quick way to create, set up, or revoke keys.

Q. How can I test if DKIM was configured correctly? 

A. After a DKIM has been added, it must be validated with an online DKIM analyzer. There are various free DKIM analyzers available online. Another method of checking validation is sending a test email to Gmail or Yahoo to verify whether the email arrives with a DKIM signature.

To do so, expand the email header by clicking on the triangle icon below the sender’s name. If the domain name appears for “sent-by” and “signed-by”, the email was configured correctly. 

Q. Does DKIM ensure emails have end-to-end encryption? 

A. DKIM acts more as a mediator to ensure that the email hasn’t been tampered with during the transit to the recipient server. It doesn’t ensure end-to-end encryption. 

Q. What does a DKIM header look like? 

A. A typical DKIM header looks like this:

DKIM-Signature: v=1; a=rsa-sha256;
c=relaxed/simple;
d=example.com; s=selector1;
h=from:to:subject:date:message-id;
bh=encrypted_body_hash;
b=dkim_signature_value;

Let's break down the parts of the DKIM header:

  • DKIM-Signature: This identifies the beginning of the DKIM header.
  • v: The version of the DKIM signature being used.
  • a: The algorithm used for signing the email (e.g., rsa-sha256).
  • c: The canonicalization algorithm used to prepare the message for signing.
  • d: The domain name associated with the DKIM record.
  • s: The DKIM selector, which specifies the key used for signing.
  • h: The headers included in the signature.
  • bh: The hash value of the email body, base64-encoded.
  • b: The actual DKIM signature value.

Please note that the actual DKIM header may vary depending on the specific email service or software being used.

Q. How do I add DKIM to my email?

To add DKIM, you’ll need to enable it through your email service provider or domain host. Most platforms like Google Workspace, Microsoft 365, Mailchimp, or SendGrid have built-in DKIM setup options.

1. Generate your DKIM keys (a public and private key pair).
2. Publish the public key as a TXT record in your domain’s DNS, typically under selector._domainkey.yourdomain.com.
3. Enable DKIM signing in your email platform by uploading or linking the private key.

Once DNS changes propagate, outgoing emails from your domain will automatically be signed with DKIM.

Q. How do I generate a DKIM key?

You can generate DKIM keys using your email provider’s built-in tools or manually with a command-line utility like OpenSSL.

Via provider: Many services (e.g., Google Workspace, Microsoft 365, AWS SES) generate DKIM keys automatically and guide you to add the DNS record.

Manual method: Run the following commands to create a 2048-bit RSA key pair:

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

Then, publish the public key in your DNS (the p= value is the base64 body of public.key with the BEGIN/END PUBLIC KEY lines and line breaks removed) and configure your mail server to use the private key for DKIM signing.

Q. How can I check if an email is DKIM-signed?

To verify if an email is DKIM-signed:

1. Open the email and view its full headers.
2. Look for a header line that begins with DKIM-Signature:.
3. If you see this field, the email was signed with DKIM.

In Gmail, open the message → click the three dots (⋮) → select “Show original” → check for “DKIM: PASS” or “DKIM: FAIL.”

You can also test your domain using online DKIM checkers such as MxToolbox DKIM Lookup or dmarcian DKIM Inspector.

Q. Does Gmail check DKIM?

Yes. Gmail actively checks DKIM, SPF, and DMARC for every incoming email. Messages without valid authentication are more likely to be marked as spam or rejected.

As of February 2024, Gmail’s bulk-sender policies require all senders dispatching over 5,000 emails per day to have DKIM, SPF, and DMARC configured, plus a List-Unsubscribe header. Maintaining these standards improves inbox placement and protects your brand reputation.

Say goodbye to email spoofing

DKIM is one piece of the puzzle. It verifies the sender's domain and the email's integrity via cryptographic signatures, helping combat email forgery, spoofing, and tampering. By adopting DKIM and other such email security measures, you are on your way to a secure, trustworthy, and fruitful email communication and authentication environment.

Slight changes to your email deliverability practices can bring exceptional results to your email strategies. Learn more!

This article was originally published in 2023 and has been updated with new information. 

