What Is DKIM? Complete Guide to Email Signature Authentication

DKIM adds a tamper-evident digital signature to every email you send. Here's exactly how it works, how to read one, and how to fix it when it breaks.

📅 Published July 2026 · ⏳ 11 min read · ✍️ ToolsNovaHub Editorial Team
DomainKeys Identified Mail (DKIM) is one of the three pillars of modern email authentication, alongside SPF and DMARC. Where SPF checks whether the connecting server's IP address is authorized for the sending domain, DKIM cryptographically proves that the signed parts of a message (selected headers and the body) were not altered after signing, and that whoever signed it holds the private key matching the public key the signing domain published in DNS. This guide breaks down exactly how that works, without assuming a cryptography background.

What Is DKIM, Really?

DKIM (DomainKeys Identified Mail), standardized in RFC 6376, is a cryptographic signature attached to outgoing email headers. Think of it as a tamper-evident seal: the sending mail server signs the message using a private key it keeps secret, and anyone receiving the message can verify that signature using a public key the domain owner has published in DNS.

If even one byte of the signed content changes after signing — a header gets rewritten, or the body gets modified — the signature no longer matches, and DKIM verification fails. That's the core value proposition: proof of integrity and proof of authorized origin, combined into one mechanism.

How DKIM Works Step-by-Step

1. Key Pair Generation

The domain owner (or their email provider) generates an RSA or Ed25519 key pair: the private key stays on the signing mail server, and the public key is published in DNS.

2. Publish the Public Key

The public key is published as a TXT record at selector._domainkey.yourdomain.com. The "selector" is an arbitrary label (s2026, google, selector1) that lets a domain run several keys at once, which is what makes zero-downtime key rotation possible.

3. Sign Outgoing Mail

When an email is sent, the server canonicalizes and hashes the body (stored in the bh= tag), then hashes the headers listed in the h= tag together with the DKIM-Signature header itself (with an empty b=), and signs that hash with the private key. The signature goes in the b= tag of the DKIM-Signature header. This is a signature, not encryption: nothing in the message is hidden, it is only made tamper-evident.

4. Receiver Looks Up the Key

The receiving mail server reads the s= (selector) and d= (signing domain) tags from the DKIM-Signature header and queries the TXT record at s._domainkey.d, for example s2026._domainkey.example.com.

5. Verify the Signature

Using the fetched public key, the receiver recomputes the body hash and compares it with bh=, then verifies the b= signature against a freshly computed hash of the signed headers. Both must match for DKIM to pass; any mismatch is a fail, and a missing or revoked key yields a permanent error rather than a pass.
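
The five steps above as an added example, not code from the original page: a stdlib-only Python round trip that generates a key, publishes it as a DKIM TXT record, signs a constructed message with c=simple/simple, then verifies it from the record, including the two failure modes that matter most in practice (a forwarder appending a footer, a list rewriting the subject) and a revoked or missing key. The RSA here is textbook RSA with Miller-Rabin primes and PKCS#1 v1.5 padding, kept at 1024 bits so the demo runs in well under a second; it is for understanding the protocol, not for a production signer, where you would use a vetted library and 2048-bit keys. DNS is replaced by an in-memory dict, and the domain example.com, the selector s2026 and the message contents are assumptions for the demo.

```python
import base64, hashlib, math, re, secrets

# Step 1: key pair. Textbook RSA with Miller-Rabin primes; 1024 bits keeps the demo quick (real records: 2048-bit).
def _probable_prime(n, rounds=40):
    r = ((n - 1) & (1 - n)).bit_length() - 1; d = (n - 1) >> r      # n - 1 == d * 2**r, d odd
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)                   # random witness in [2, n-2]
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def generate_keypair(bits=1024, e=65537):
    primes = []
    while len(primes) < 2:                                            # top two bits forced so p*q is exactly `bits` long
        c = secrets.randbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
        if _probable_prime(c) and c not in primes and math.gcd(e, c - 1) == 1:
            primes.append(c)
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))        # public (n, e), private (n, d)

# Step 2: DNS record. p= is base64 DER SubjectPublicKeyInfo, hence the "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ" prefix.
def _der(tag, body):                                                  # DER TLV, short or long length form
    ln = len(body).to_bytes(2, "big").lstrip(b"\0") or b"\0"
    return bytes([tag]) + (ln if len(body) < 128 else bytes([0x80 | len(ln)]) + ln) + body
_der_int = lambda x: _der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))   # positive INTEGER, minimal bytes

def _der_read(buf, pos=0):                                            # -> (tag, contents, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7f)], "big"), pos + (ln & 0x7f)
    return tag, buf[pos:pos + ln], pos + ln

def _parse_tags(value):                                               # "tag=value; ..." syntax of header and record
    return dict(t.strip().split("=", 1) for t in value.split(";") if t.strip())

def dns_txt_record(pub):
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))   # OID rsaEncryption + NULL params
    rsa = _der(0x30, _der_int(pub[0]) + _der_int(pub[1]))            # RSAPublicKey { n, e }
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()

def public_key_from_record(record):
    p = _parse_tags(record or "").get("p", "")
    if not p:
        return None                                                   # record missing, or p= empty (key revoked)
    _, spki, _ = _der_read(base64.b64decode(p))
    _, rsa, _ = _der_read(_der_read(spki, _der_read(spki)[2])[1][1:])   # skip AlgorithmIdentifier, drop unused-bits byte
    _, n, pos = _der_read(rsa)
    return int.from_bytes(n, "big"), int.from_bytes(_der_read(rsa, pos)[1], "big")

# Step 3: sign. bh= hashes the body; b= is a PKCS#1 v1.5 RSA signature over the h= headers plus the
# DKIM-Signature header itself with b= empty. c=simple/simple: headers verbatim, trailing empty body lines dropped.
def _body_hash(body):
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")        # bare LF is treated as CRLF
    return base64.b64encode(hashlib.sha256(body.rstrip(b"\r\n") + b"\r\n").digest()).decode()

def _header_digest(headers, h_list, dkim_value):
    data = "".join("%s: %s\r\n" % (name, headers[name]) for name in h_list)
    data += "DKIM-Signature: " + re.sub(r"(?<![A-Za-z0-9+/])b=[^;]*", "b=", dkim_value)   # b= emptied, no final CRLF
    return hashlib.sha256(data.encode()).digest()

def _pkcs1_em(digest, k):                                             # EM = 00 01 FF..FF 00 DigestInfo(SHA-256) digest
    t = bytes.fromhex("3031300d060960864801650304020105000420") + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def dkim_sign(headers, body, domain, selector, priv, h_list=("From", "To", "Subject")):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    value = "v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=" % (domain, selector, ":".join(h_list), _body_hash(body))
    sig = pow(int.from_bytes(_pkcs1_em(_header_digest(headers, h_list, value), k), "big"), d, n)
    return value + base64.b64encode(sig.to_bytes(k, "big")).decode()

# Steps 4-5: verify. dns_lookup(name) stands in for the TXT query of selector._domainkey.domain built from s= and d=.
def dkim_verify(headers, body, dkim_value, dns_lookup):
    tags = _parse_tags(dkim_value)
    key = public_key_from_record(dns_lookup("%s._domainkey.%s" % (tags["s"], tags["d"])))
    if key is None:
        return "permerror"
    if _body_hash(body) != tags["bh"]:
        return "fail (body hash mismatch)"
    n, e = key
    k, sig = (n.bit_length() + 7) // 8, base64.b64decode(tags["b"])
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    ok = em == _pkcs1_em(_header_digest(headers, tags["h"].split(":"), dkim_value), k)
    return "pass" if ok else "fail (signature verification failed)"

def demo():
    pub, priv = generate_keypair()
    zone = {"s2026._domainkey.example.com": dns_txt_record(pub)}        # constructed stand-in for DNS
    hdrs = {"From": "alerts@example.com", "To": "soc@example.net", "Subject": "Nightly report"}
    body = b"All systems nominal.\r\n"
    sig = dkim_sign(hdrs, body, "example.com", "s2026", priv)
    return (dkim_verify(hdrs, body, sig, zone.get),                                          # untouched
            dkim_verify(hdrs, body + b"-- list footer\r\n", sig, zone.get),                  # footer appended
            dkim_verify(dict(hdrs, Subject="[list] Nightly report"), body, sig, zone.get))  # subject rewritten
if __name__ == "__main__":
    print(demo())   # ('pass', 'fail (body hash mismatch)', 'fail (signature verification failed)')
```

The record string that dns_txt_record() produces starts with the same MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ prefix as the sample record on this page, because that prefix is nothing more than the DER header of a 1024-bit RSA SubjectPublicKeyInfo. A real verifier does several things this demo deliberately skips: relaxed canonicalization, unfolding of wrapped header lines, the x= expiry and l= body-length tags, and refusing signatures whose h= list omits From.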

Anatomy of a DKIM DNS Record

A typical record for a 1024-bit RSA key looks like this (p= truncated):

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

The p= value is the base64 DER encoding of the public key, so its first characters already tell you the key size: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ is the fixed prefix of every 1024-bit RSA key, while a 2048-bit key begins MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA. A 2048-bit p= is longer than the 255-character limit of a single DNS TXT string, so such a record is published as several quoted strings that verifiers concatenate before use.

Tag | Meaning | Required
v= | Version (always DKIM1) | Recommended; if present it must be the first tag
k= | Key algorithm (rsa or ed25519) | Optional, default rsa
p= | Base64 public key (DER SubjectPublicKeyInfo for rsa, the raw 32-byte key for ed25519) | Required; an empty value means the key is revoked
h= | Allowed hash algorithms (sha256; sha1 is no longer acceptable) | Optional
t= | Flags: y (testing mode, verifiers should not treat failures as significant) or s (strict, no subdomains in the i= identity) | Optional

You can inspect any domain's DKIM record instantly with our DKIM Lookup tool — just enter the domain and the selector (found in a sent email's raw headers).

DKIM vs SPF vs DMARC

Standard | Protects Against | Survives Forwarding? | Requires Policy?
SPF | Unauthorized sending IPs | No, breaks easily: the forwarder's IP is not in your record | No enforcement built in
DKIM | Content tampering, spoofed signing | Usually: the signature travels with the message and holds as long as the forwarder leaves the signed headers and body untouched | No enforcement built in
DMARC | Both, via alignment of the SPF or DKIM domain with the From domain | Depends on which check aligns | Yes: none, quarantine or reject

For the full picture of how all three work together, read our dedicated guide: SPF vs DKIM vs DMARC.

Common DKIM Errors & Fixes

  • No DKIM record found: Usually the selector is wrong. Check a sent email's raw headers for the s= tag (and confirm d= is the domain you are querying), or try common provider defaults like google, selector1, or k1.
  • Signature verification failed: Often caused by a mailing list or forwarder that rewrites the subject line, adds a footer, or re-encodes the body, altering signed content after signing. Compare the received headers listed in h= with what your server sent.
  • Body hash mismatch: Some email clients or gateways reformat line endings or whitespace, which changes the body hash even though the content "looks" the same. Relaxed body canonicalization (c=.../relaxed) absorbs whitespace and trailing blank-line changes, but not added content such as footers or disclaimers.
  • Empty p= tag: The key has been deliberately revoked. This is expected for an old selector during key rotation; if it is the selector your mail is currently signed with, something published or deleted the wrong record.
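
The body-hash failures above are the ones a practitioner most often has to reproduce by hand. This added example (not from the original page) implements both body canonicalization modes of RFC 6376 in stdlib-only Python and reruns the signer's bh= computation over copies of a message modified the way forwarders and gateways deliver them; the sample body and the three transformations are constructed for the demo.

```python
import base64, hashlib, re

WSP = re.compile(rb"[ \t]+")

def canon_body_simple(body: bytes) -> bytes:
    """c=*/simple (RFC 6376 3.4.3): bytes untouched, except trailing empty lines collapse to one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def canon_body_relaxed(body: bytes) -> bytes:
    """c=*/relaxed (RFC 6376 3.4.4): per line, squeeze runs of SP/HTAB to one SP and strip trailing WSP,
    then drop trailing empty lines; a non-empty body ends in CRLF, an empty body stays empty."""
    lines = [WSP.sub(b" ", line).rstrip(b" ") for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """The bh= value a signer writes and a verifier recomputes, for the given body canonicalization."""
    canon_fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    return base64.b64encode(hashlib.sha256(canon_fn(body)).digest()).decode()

def bh_survives(original: bytes, received: bytes, canon: str) -> bool:
    """True if the bh= computed at signing time still matches what the receiver computes."""
    return body_hash(original, canon) == body_hash(received, canon)

# Constructed sample body and three constructed copies, each modified the way forwarders and gateways often do.
ORIGINAL = b"Hi team,\r\n\r\nThe build\tpassed   tonight.\r\nRegards\r\n"
RECEIVED = {
    "whitespace reflow":          b"Hi team,\r\n\r\nThe build passed tonight.  \r\nRegards\r\n",
    "extra trailing blank lines": ORIGINAL + b"\r\n\r\n",
    "mailing-list footer":        ORIGINAL + b"--\r\nTo unsubscribe, reply STOP\r\n",
}

def survival_matrix() -> dict:
    """For each modification, whether bh= still matches under simple and under relaxed canonicalization."""
    return {name: {c: bh_survives(ORIGINAL, body, c) for c in ("simple", "relaxed")}
            for name, body in RECEIVED.items()}

if __name__ == "__main__":
    for name, result in survival_matrix().items():
        print("%-28s simple=%-5s relaxed=%s" % (name, result["simple"], result["relaxed"]))
```

Sign with c=relaxed/relaxed: it costs nothing and survives the tab-to-space, trailing-whitespace and blank-line changes that gateways make, but as the last row shows it cannot rescue a message whose content was actually appended to. That is a mailing-list problem, which is what ARC (RFC 8617) was designed to address, not something a signer can canonicalize away.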

Best Practices

🔑 Use 2048-bit Keys
1024-bit RSA is below current guidance: RFC 8301 tells signers to use 2048-bit keys, and several large receivers treat shorter keys as weak. A 2048-bit p= value exceeds the 255-character limit of a single DNS TXT string, so the record is published as multiple quoted strings; most DNS providers split it for you, but check the published record once with a lookup tool.
🔄 Rotate Keys Periodically
Publish the new key under a new selector, switch signing to it, then revoke the old key (empty p=, or delete the record) after a transition window long enough for mail already in transit to finish verifying. Two active selectors mean no signing downtime.
📊 Monitor with DMARC Reports
DMARC aggregate reports show DKIM pass/fail rates across every sending source, surfacing misconfigurations you'd otherwise miss: a third-party sender signing with its own domain (raw pass, but no alignment with your From domain), a selector whose record was deleted too early, or a source that was never given a key at all.
⚠️ Don't Sign Volatile Headers
From must always be signed (RFC 6376 requires it), and Subject, Date, To, Reply-To and the MIME headers should be. Avoid headers that intermediate servers routinely rewrite, such as Return-Path and Received, which RFC 6376 explicitly says not to sign; including them only produces failures that have nothing to do with tampering. Listing a critical header such as From or Subject once more in h= than it appears in the message ("oversigning") prevents anyone from adding a second copy later without breaking the signature.
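
To make the monitoring advice concrete, this added example (not from the page or from any DMARC tooling) parses a constructed aggregate report in the RFC 7489 XML schema with Python's standard library and turns the per-source DKIM results into findings. The report text, IPs, domains and selectors are all made up for the demo; real reports arrive as gzip- or zip-compressed XML attachments at the address in your rua= tag, so you would decompress them before handing the XML to this code.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate report in the RFC 7489 Appendix C schema (not a real report; all values are examples).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>demo-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s2026</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example.net</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

def dkim_summary(report_xml: str) -> dict:
    """Per source IP: message count, messages with an aligned DKIM pass, and every signature the receiver saw.
    policy_evaluated/dkim is the aligned verdict DMARC acts on; auth_results/dkim is the raw result per signature."""
    root = ET.fromstring(report_xml)
    out = defaultdict(lambda: {"messages": 0, "dkim_aligned_pass": 0, "signatures": set()})
    for rec in root.iter("record"):
        entry = out[rec.findtext("row/source_ip")]
        count = int(rec.findtext("row/count"))
        entry["messages"] += count
        if rec.findtext("row/policy_evaluated/dkim") == "pass":
            entry["dkim_aligned_pass"] += count
        for sig in rec.findall("auth_results/dkim"):
            entry["signatures"].add((sig.findtext("domain"), sig.findtext("selector"), sig.findtext("result")))
    return dict(out)

def diagnose(summary: dict) -> dict:
    """One actionable finding per source IP."""
    findings = {}
    for ip, s in summary.items():
        if s["dkim_aligned_pass"] == s["messages"]:
            findings[ip] = "ok"
        elif not s["signatures"]:
            findings[ip] = "unsigned: unknown sender, or a source that was never given a DKIM key"
        elif all(result == "pass" for _, _, result in s["signatures"]):
            domains = ", ".join(sorted({d for d, _, _ in s["signatures"]}))
            findings[ip] = "signed but unaligned: signing domain %s is not the From domain" % domains
        else:
            findings[ip] = "signature fails verification: check selector, DNS record and canonicalization"
    return findings

if __name__ == "__main__":
    for ip, finding in diagnose(dkim_summary(SAMPLE_REPORT)).items():
        print(ip, "->", finding)
```

The second source in the sample is the case reports catch that a header check never will: the ESP signs every message correctly with its own domain, so raw DKIM passes, yet DMARC counts it as a DKIM failure because esp.example.net does not align with the From domain. The fix is a selector of your own (typically a CNAME the ESP delegates) so the signature is made under d=example.com.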

Use Cases

Beyond basic deliverability, DKIM matters for: brand protection (with DMARC on top, preventing convincing phishing emails that use your domain), compliance (Google and Yahoo now require DKIM for bulk senders), and forensics (a signature that verifies against the key published at the time shows the message was signed by a holder of your private key, which during an investigation separates spoofed mail from mail that really left your infrastructure or a compromised account).

FAQs

What does DKIM stand for?
DomainKeys Identified Mail, an email authentication standard defined in RFC 6376 that adds a cryptographic signature to outgoing messages.
Is DKIM the same as SPF?
No. SPF checks the sending server's IP address against an allowlist. DKIM cryptographically signs the message content itself, proving integrity and origin independent of which server relayed it.
Do I need DKIM if I already have SPF?
Yes. They protect against different things and neither is a substitute for the other. Most receivers, including Gmail and Yahoo, now expect both plus DMARC for reliable inbox delivery.
How do I find my domain's DKIM selector?
Open a sent email's raw headers and look for the DKIM-Signature header: the s= tag is your selector and d= is the signing domain. Alternatively try common provider defaults like google, selector1, or k1.
What happens if DKIM verification fails?
Depending on the receiver's policy and any DMARC record in place, the message may still be delivered but flagged, sent to spam, or rejected outright.
Can I have multiple DKIM keys at once?
Yes, that's exactly what selectors are for. You can run separate keys for different sending platforms (e.g. one for Google Workspace, another for a marketing tool) simultaneously.
What key size should I use for DKIM?
2048-bit RSA is the current recommended minimum (RFC 8301). 1024-bit keys are still verified by most receivers but are treated as weak, and strict receivers increasingly discount or reject them.
Does DKIM encrypt my email?
No. DKIM only signs the message to prove authenticity and integrity. The content itself is not encrypted and remains readable in transit unless you separately use TLS or end-to-end encryption.
Why did my DKIM signature break after using a mailing list?
Mailing lists commonly rewrite the subject line, add footers, or reformat the message, any of which changes the signed content and invalidates the original signature.
Is DKIM required by law?
No, DKIM isn't a legal requirement, but major mailbox providers effectively require it for reliable deliverability, especially for bulk or marketing email.
What is the difference between DKIM k=rsa and k=ed25519?
rsa is the default, universally supported algorithm. ed25519 (RFC 8463) gives much smaller keys and DNS records at comparable security, but not every receiver verifies it yet, so senders that adopt it dual-sign each message with an Ed25519 signature and an RSA signature under separate selectors; a verifier that cannot handle Ed25519 still finds a valid RSA signature.
Can DKIM alone stop phishing?
No. DKIM only proves a message wasn't altered and was signed with a key the d= domain published. It does nothing about unsigned spoofed mail, or about mail that spoofs your From address while carrying a valid signature from a domain the attacker controls. Full protection needs DMARC, which ties the signing domain to the From domain and adds an enforcement policy.
How often should I rotate my DKIM key?
There's no universal rule, but many security teams rotate annually or after any suspected key compromise, always via a transition period with two active selectors.
What does an empty p= tag mean?
An empty p= value is the standard way to explicitly revoke a DKIM key while keeping the record in place, typically done during rotation or decommissioning.
Can I check any domain's DKIM record, not just my own?
Yes, DKIM records are public DNS entries by design. Anyone can query them if they know the domain and selector, using our free DKIM Lookup tool.