What Is DKIM? How DKIM Email Authentication Works (2026 Guide)

Use AI to summarize this article and ask questions

ChatGPT Google AI Claude Claude Grok Perplexity Perplexity
Grant Ammons
Grant Ammons – Founder March 24, 2026

What Is DKIM? How DKIM Email Authentication Works (2026 Guide)

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing email so receiving servers can verify it wasn't tampered with and really came from you.

TL;DR: DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing email so receiving servers can verify it wasn't tampered with in transit and genuinely came from your domain. Without DKIM, your emails are easier to spoof and more likely to land in spam.

DKIM is one of three email authentication standards — alongside SPF and DMARC — that protect your sending reputation and improve deliverability. Unlike SPF (which checks the sending IP), DKIM signs the message itself, creating a chain of trust that follows the email even when it’s forwarded or relayed.

What is DKIM?

DKIM stands for DomainKeys Identified Mail. It’s an email authentication method that uses public-key cryptography to sign outgoing messages and verify that they haven’t been altered in transit.

Here’s the basic flow:

  1. When you send an email, your mail server generates a cryptographic signature using a private key and attaches it to the message header
  2. The public key is published in your domain’s DNS records
  3. When a receiving mail server gets your email, it looks up your public key in DNS and uses it to verify the signature
  4. If the signature validates, the email passes DKIM — the message is confirmed to have come from your domain and hasn’t been modified

DKIM doesn’t directly prevent spam, but it gives receiving servers a reliable way to verify message origin. Combined with SPF and DMARC, it’s a core component of email authentication infrastructure.

How DKIM works technically

The signing process

Your outgoing mail server computes a hash of specific email headers and the message body, then encrypts that hash with your private key. The result is the DKIM signature, added to the email as a DKIM-Signature header.

A typical DKIM signature header looks like:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=yourdomain.com; s=selector1;
  h=from:to:subject:date:message-id;
  bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
  b=ExampleBase64SignatureHere...

Key fields:

  • d= — the signing domain (your domain)
  • s= — the selector (identifies which public key to use)
  • h= — which headers were signed
  • bh= — hash of the message body
  • b= — the actual signature

The verification process

When a receiving server gets the email, it:

  1. Reads the d= and s= fields from the DKIM header
  2. Looks up the public key at selector._domainkey.yourdomain.com in DNS
  3. Decrypts the signature using the public key
  4. Recomputes the hash of the specified headers and body
  5. Compares — if they match, DKIM passes

DKIM selectors

The selector (s=) is a label that lets you publish multiple DKIM keys for the same domain. This is useful when you have multiple email sending services — each can have its own key pair. For example, Google Workspace might use google._domainkey.yourdomain.com while SendGrid uses s1._domainkey.yourdomain.com.

How to set up DKIM

Step 1: Generate a DKIM key pair

Most modern email service providers (ESPs) generate the key pair for you and give you the DNS record to publish. Log into your ESP dashboard and find the DKIM or email authentication settings.

Common ESPs and where to find DKIM setup:

  • Google Workspace: Admin console → Apps → Google Workspace → Gmail → Authenticate email
  • Microsoft 365: Microsoft 365 Defender portal → Email & Collaboration → Policies & Rules
  • SendGrid: Settings → Sender Authentication → Domain Authentication
  • Mailchimp: Account → Domains → Authenticate
  • HubSpot: Settings → Email → Sending Domains

Each service will show you one or more DNS records to add.

Step 2: Publish the DKIM public key in DNS

Your ESP will give you a DNS TXT record (or CNAME record) to publish. It will look something like:

Record type: TXT Name/Host: selector._domainkey (e.g., google._domainkey) Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA... (your public key)

Add this at your DNS provider. If your ESP provides CNAME records instead (common with SendGrid), add those — they point to the ESP’s managed key infrastructure.

DNS propagation can take up to 48 hours, though it’s usually much faster.

Step 3: Verify DKIM is working

After publishing, verify the record is resolving correctly. You can check from the command line:

dig TXT selector._domainkey.yourdomain.com

Or use an online DKIM checker — most email testing tools will check your DKIM record and confirm it validates against a test message.

You can also send a test email to check-auth@verifier.port25.com — you’ll receive a report showing whether DKIM passed.

Step 4: Enable DKIM signing in your ESP

Some ESPs require you to explicitly enable DKIM signing after publishing the DNS record. Check your ESP’s dashboard to confirm signing is active.

DKIM and email forwarding

One important limitation of DKIM: forwarding can break DKIM signatures.

When an email is forwarded, the forwarder typically modifies the message (adding a footer, changing the headers, or rewriting the To: address). This breaks the cryptographic signature because the message content no longer matches the original hash.

This is one of the reasons DMARC uses both SPF and DKIM — if one check fails due to forwarding, the other can still pass.

Checking your DKIM record

Command line

dig TXT selector._domainkey.yourdomain.com

Replace selector with your actual selector name (your ESP will tell you what it is).

What a valid response looks like

selector._domainkey.yourdomain.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."

If you get NXDOMAIN or no response, the record isn’t published yet or is published at the wrong name.

DKIM key rotation

Best practice is to rotate DKIM keys periodically (every 6–12 months). Key rotation involves:

  1. Generating a new key pair
  2. Publishing the new public key under a new selector
  3. Updating your ESP to sign with the new private key
  4. Keeping the old key in DNS briefly for any in-flight messages
  5. Removing the old key once you’re confident it’s no longer needed

This limits the impact if a private key is ever compromised.

DKIM vs SPF vs DMARC

Standard What it checks What it protects
SPF Sending IP address Envelope sender
DKIM Message signature Message content + origin
DMARC SPF/DKIM alignment + policy Visible From: domain

All three work together. DMARC can only function when at least one of SPF or DKIM is passing and aligned with the From: domain. DKIM is the more robust of the two because it follows the message through forwarding chains.

DKIM and email deliverability

DKIM is a positive deliverability signal for all major inbox providers. Gmail, Yahoo, Outlook, and Apple Mail all use DKIM verification as part of their spam filtering. A domain without DKIM — or with a broken DKIM record — faces:

  • Higher spam classification rates
  • Reduced deliverability to strict inbox providers
  • Inability to enforce DMARC policy

Authentication gets you to the inbox. Once you’re there, list quality determines whether you stay there. Sending DKIM-signed email to bad addresses — invalid, inactive, or catch-all — still generates bounces and spam complaints that damage your reputation.

Verify your email list with Truelist to make sure your authenticated sends are reaching real, active inboxes.

Ready to put Truelist
to the test?

Find out if Truelist is right for you in under 10 minutes.

Sign up for free

Free plan available. No credit card required.