DKIM (DomainKeys Identified Mail) is an email authentication method that allows the sender to digitally sign outgoing emails using a private key. The recipient's mail server verifies the signature using the corresponding public key stored in a DNS TXT record.
How DKIM Works
- Your mail server signs outgoing emails with a private key. The signature covers key headers and the email body.
- The signature is added to the email as a DKIM-Signature header.
- The recipient's server extracts the signing domain and selector from the header.
- It fetches the corresponding public key from DNS: selector._domainkey.example.com.
- It verifies the signature. If valid → DKIM passes. If the email was modified in transit, the signature fails.
DKIM DNS Record
mail._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3..."
The record name combines the selector (e.g. mail) with ._domainkey. and the domain.
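As an added example (not code from the original article), the Python below sketches the verifier-side steps from the list above and the DNS record section: it parses the DKIM-Signature tags, derives the selector._domainkey.domain query name, sanity-checks the TXT record tags, and recomputes the body hash (bh=) under "simple" body canonicalisation. The sample header, domain and selector are constructed; checking the b= signature itself requires the RSA public key and is not shown.

```python
import base64
import hashlib
import re

# Constructed sample: a folded DKIM-Signature value for an empty body. Its bh= is
# SHA-256 of a single CRLF, which is what 'simple' canonicalisation turns an
# empty body into (the value given in RFC 6376 section 3.4.3).
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=mail;"
              " h=from:to:subject:date; bh=frcCV1k9oG9oKj3dpUqdJg1P"
              " xRT2RSN/XKdLCPjaYaY=; b=MIIB...placeholder...")

def parse_tags(value: str) -> dict:
    """Split a tag list ("v=1; a=rsa-sha256; ...") into a dict; folding whitespace dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def dns_name(sig_header: str) -> str:
    """DNS name the verifier queries: <selector>._domainkey.<signing domain>."""
    sig = parse_tags(sig_header)
    return f"{sig['s']}._domainkey.{sig['d']}"

def key_record_problems(txt: str) -> list:
    """Sanity-check a DKIM TXT record; an empty list means the key is usable."""
    key = parse_tags(txt)
    checks = [
        (key.get("v", "DKIM1") != "DKIM1", "unsupported version (v= must be DKIM1)"),
        (key.get("k", "rsa") != "rsa", "unsupported key type (only k=rsa handled)"),
        (not key.get("p"), "empty p= tag: the key has been revoked"),
    ]
    return [msg for failed, msg in checks if failed]

def body_hash(body: bytes) -> str:
    """bh= under 'simple' body canonicalisation (RFC 6376 3.4.3): strip trailing
    empty lines, end with exactly one CRLF, then base64(SHA-256)."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return base64.b64encode(hashlib.sha256(body + b"\r\n").digest()).decode()

def body_hash_matches(sig_header: str, body: bytes) -> bool:
    """Recompute bh= for the received body; False means the body was altered
    (or uses relaxed body canonicalisation, which this example omits)."""
    sig = parse_tags(sig_header)
    # c=<header>/<body>; when only one algorithm is given the body part is 'simple'
    body_canon = (sig.get("c", "simple/simple") + "/simple").split("/")[1]
    return body_canon == "simple" and body_hash(body) == sig.get("bh")
```

A body hash mismatch is the "modified in transit" failure from the list above; a bh= match only says the body is intact, the header set in h= is still covered only by the b= signature.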
What DKIM Proves
- The email was signed with the private key belonging to the signing domain named in the signature (d=), so it passed through that domain's signing infrastructure.
- The email content and key headers were not modified in transit.
DKIM Does NOT Prevent
- Header spoofing (From address ≠ DKIM-signing domain) — DMARC addresses this.
- An attacker who has compromised the sending mail server, since they can sign with the legitimate private key.
Why DKIM Matters for Deliverability
Gmail, Outlook and other major providers use DKIM (along with SPF and DMARC) as a trust signal. Emails without DKIM are more likely to land in spam folders.