What Is DKIM? Complete Guide to Email Signature Authentication
DKIM adds a tamper-evident digital signature to every email you send. Here's exactly how it works, how to read one, and how to fix it when it breaks.
What Is DKIM, Really?
DKIM (DomainKeys Identified Mail), standardized in RFC 6376, is a cryptographic signature attached to outgoing email headers. Think of it as a tamper-evident seal: the sending mail server signs the message using a private key it keeps secret, and anyone receiving the message can verify that signature using a public key the domain owner has published in DNS.
If even one byte of the signed content changes after signing — a header gets rewritten, or the body gets modified — the signature no longer matches, and DKIM verification fails. That's the core value proposition: proof of integrity and proof of authorized origin, combined into one mechanism.
How DKIM Works Step-by-Step
Key Pair Generation
The domain owner (or their email provider) generates an RSA or Ed25519 key pair — a private key kept secret on the mail server, and a public key published in DNS.
Publish the Public Key
The public key is published as a TXT record at selector._domainkey.yourdomain.com. The "selector" lets a domain run multiple keys at once.
Sign Outgoing Mail
When an email is sent, the server hashes selected headers plus the body, signs that hash with the private key, and attaches the result as a DKIM-Signature header.
Receiver Looks Up the Key
The receiving mail server reads the s= and d= tags from the signature header to know exactly which DNS record to fetch.
Verify the Signature
Using the fetched public key, the receiver verifies the signature against a fresh hash of the received message. A match means DKIM passes; any mismatch means it fails.
Anatomy of a DKIM DNS Record
A typical record looks like this:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
| Tag | Meaning | Required |
|---|---|---|
| v= | Version (always DKIM1) | Recommended |
| k= | Key algorithm (rsa or ed25519) | Optional, default rsa |
| p= | Base64 public key data | Required |
| h= | Allowed hash algorithms | Optional |
| t= | Flags (testing/strict mode) | Optional |
You can inspect any domain's DKIM record instantly with our DKIM Lookup tool — just enter the domain and the selector (found in a sent email's raw headers).
DKIM vs SPF vs DMARC
| Standard | Protects Against | Survives Forwarding? | Requires Policy? |
|---|---|---|---|
| SPF | Unauthorized sending IPs | No — breaks easily | No enforcement built-in |
| DKIM | Content tampering, spoofed signing | Yes — signature travels with message | No enforcement built-in |
| DMARC | Both — via alignment | Depends on which check aligns | Yes — none/quarantine/reject |
For the full picture of how all three work together, read our dedicated guide: SPF vs DKIM vs DMARC.
Common DKIM Errors & Fixes
- No DKIM record found: Usually the selector is wrong. Check a sent email's raw headers for the s= tag, or try common defaults like google, selector1, or k1.
- Signature verification failed: Often caused by a mailing list or forwarder that rewrites the subject line or footer, altering signed content after signing.
- Body hash mismatch: Some email clients or gateways reformat line endings or whitespace, which changes the body hash even though content "looks" the same.
- Empty p= tag: This means the key has been deliberately revoked. That is expected during key rotation; anywhere else it usually indicates a misconfiguration.
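The receiver-side steps above (reading s= and d=, fetching the record, re-hashing the body) and the error cases in this list, as an added Python example that is not part of this guide: it parses a DKIM-Signature tag list, derives the DNS lookup name, classifies a fetched record (active, testing, revoked), and recomputes the bh= body hash with RFC 6376 relaxed canonicalization so you can see why a forwarder's footer breaks verification while harmless whitespace does not. The header, record and body values are constructed placeholders, and DNS is not actually queried.

```python
import base64
import hashlib
import re

# Constructed sample DKIM-Signature header (bh= and b= are placeholders, not real values).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;"
    " h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG="
)
# Constructed TXT record as it might be served at s1._domainkey.example.com (t=y marks testing).
SAMPLE_RECORD = "v=DKIM1; k=rsa; t=y; p=BASE64KEYDATAPLACEHOLDER"


def parse_tag_list(value: str) -> dict:
    """Parse an RFC 6376 tag=value list (used by both the header and the DNS record)."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        # Folded headers and multi-string TXT records can carry whitespace inside values.
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dns_name(sig: dict) -> str:
    """Step 4: the receiver builds the lookup name from the s= and d= tags."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def key_status(record: dict) -> str:
    """Interpret a fetched record: missing p= is broken, empty p= is a revoked key."""
    if record.get("v", "DKIM1") != "DKIM1":
        return "invalid-version"
    if "p" not in record:
        return "missing-p"
    if record["p"] == "":
        return "revoked"
    if "y" in record.get("t", "").split(":"):
        return "testing"
    return "active"


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 relaxed body canonicalization: collapse whitespace runs inside a line,
    strip trailing whitespace per line, and drop empty lines at the end of the body."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_relaxed(body)).digest()).decode()


def body_hash_matches(sig: dict, body: bytes) -> bool:
    """Step 5, body part: compare the signature's bh= with a fresh hash of the received body."""
    return sig.get("bh") == body_hash(body)
```

A real verifier would additionally fetch the record named by dns_name() and check the b= signature over the canonicalized headers with the published key; this block stops at the body-hash comparison, which is where most forwarding and whitespace failures show up.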
Best Practices
Use Cases
Beyond basic deliverability, DKIM matters for: brand protection (preventing convincing phishing emails using your domain), compliance (Google and Yahoo now require DKIM for bulk senders), and forensics (a valid signature proves a message genuinely originated from your infrastructure during a security investigation).