DKIM stands for DomainKeys Identified Mail. It works by adding a digital signature to the headers of every outgoing message. The signature is created using a private key held by your mail server or ESP. Receiving mail servers look up the corresponding public key in your DNS and verify the signature — confirming that the message was sent by an authorized server and that its headers and body were not altered in transit.
DKIM does not prevent spoofing by itself. What it does is give receiving servers cryptographic proof that a specific domain signed the message. When DMARC checks alignment, a passing DKIM signature on a subdomain or the exact From: domain is what gives you DKIM alignment — and DKIM alignment is harder to fake than SPF alignment because it requires the private key.
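The alignment check described above, as an added Python example (this is not MailerMonk's code or code from any ESP): it parses an Authentication-Results header, keeps only dkim=pass results, and compares each header.d= with the From: domain under DMARC's relaxed mode, where a signature for the organizational domain aligns with a subdomain in From:, and, going one step beyond the paragraph, under strict mode, which demands an exact match. The From: value, the Authentication-Results header and the domain esp.example in them are constructed; org_domain is a last-two-labels approximation, whereas real DMARC evaluators use the Public Suffix List.

```python
import re
from email.utils import parseaddr

# Constructed sample: a newsletter From: and the Authentication-Results header
# a receiving MX might add. Two DKIM signatures passed, one for the sender's
# own domain and one for the ESP's domain (assumed name esp.example).
SAMPLE_FROM = "Alice <alice@news.example.com>"
SAMPLE_AUTH_RESULTS = (
    "mx.example.net; "
    "dkim=pass header.d=example.com header.i=@example.com header.s=mail; "
    "dkim=pass header.d=esp.example header.s=s1; "
    "spf=pass smtp.mailfrom=bounce.esp.example"
)


def parse_authentication_results(value: str) -> list[dict]:
    """Split 'authserv-id; method=result prop=val ...; ...' into one dict per result."""
    parts = [p.strip() for p in value.split(";")]
    results = []
    for part in parts[1:]:  # parts[0] is the authserv-id (the verifying host)
        m = re.match(r"(\w+)=(\w+)", part)
        if not m:
            continue
        entry = {"method": m.group(1).lower(), "result": m.group(2).lower()}
        # properties look like header.d=example.com or smtp.mailfrom=...
        for key, val in re.findall(r"(\w+\.\w+)=(\S+)", part):
            entry[key.lower()] = val
        results.append(entry)
    return results


def org_domain(domain: str) -> str:
    """Assumption: the organizational domain is the last two labels.
    Real DMARC evaluators consult the Public Suffix List instead, so that
    mail.example.co.uk maps to example.co.uk rather than co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dkim_alignment(from_header: str, auth_results: str, strict: bool = False) -> dict:
    """Report whether any passing DKIM signature aligns with the From: domain.
    Relaxed (DMARC default): organizational domains must match, so a signature
    for example.com aligns with From: news.example.com.
    Strict: header.d must equal the From: domain exactly."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    aligned_by = []
    for r in parse_authentication_results(auth_results):
        if r["method"] != "dkim" or r["result"] != "pass":
            continue  # a failed or absent signature never aligns
        d = r.get("header.d", "").lower()
        if not d:
            continue
        ok = d == from_domain if strict else org_domain(d) == org_domain(from_domain)
        if ok:
            aligned_by.append(d)
    return {"from_domain": from_domain, "aligned": bool(aligned_by), "aligned_by": aligned_by}


if __name__ == "__main__":
    print(dkim_alignment(SAMPLE_FROM, SAMPLE_AUTH_RESULTS))
    print(dkim_alignment(SAMPLE_FROM, SAMPLE_AUTH_RESULTS, strict=True))
```

Note that the ESP's own signature (header.d=esp.example) passes DKIM but never aligns with the From: domain; only the signature for the sender's domain counts toward DMARC.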
How DKIM works
When your ESP (SendGrid, Mailchimp, Postmark, etc.) sends a message, it computes a hash of selected headers and the message body, then signs that hash with your private DKIM key. The resulting signature is attached as the DKIM-Signature header.
The receiving server reads the d= (domain) and s= (selector) tags from the DKIM-Signature header. It performs a DNS TXT lookup at [selector]._domainkey.[domain] to retrieve your public key. It then recomputes the hashes over the message as received and uses the public key to check the signature against them. If everything matches, DKIM passes. If any header in the signed set, or the body, was modified after signing, the hash will not match and DKIM fails.
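To make the hashing step concrete, here is an added Python example (not MailerMonk's code and not taken from any ESP) that performs the parts of DKIM verification that need no public key: it parses the DKIM-Signature tags, canonicalizes the body in the simple or relaxed mode named by c=, recomputes the body hash and compares it with bh=, and assembles the canonicalized header data that the b= signature covers. Checking b= itself (RSA or Ed25519 over that data) needs the key from DNS and is left out. The sample message is constructed, with its bh= computed by the same code on the signer's side.

```python
import base64
import hashlib
import re

def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """RFC 6376 body canonicalization: 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # collapse runs of spaces/tabs to one space, drop trailing whitespace per line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif mode != "simple":
        raise ValueError(f"unknown body canonicalization: {mode}")
    while lines and lines[-1] == "":   # both modes ignore empty lines at the end
        lines.pop()
    if not lines:
        # an empty body is a lone CRLF in simple mode and nothing at all in relaxed
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body: str, mode: str = "relaxed") -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()

def canonicalize_header(name: str, value: str) -> bytes:
    """Relaxed header canonicalization (RFC 6376 section 3.4.2): lowercase the
    name, unfold, collapse whitespace runs, strip whitespace around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}\r\n".encode()

def parse_tags(value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header."""
    tags = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is not part of a value
    return tags

def split_message(raw: str):
    """Return ([(name, value), ...], body); folded header lines are rejoined."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + "\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value.strip()))
    return headers, body

def signed_header_data(headers, sig_value: str, h_tag: str) -> bytes:
    """The bytes the b= signature covers: each header named in h= (bottom-most
    unused instance first, RFC 6376 section 5.4.2), then the DKIM-Signature
    header itself with an empty b= and no trailing CRLF."""
    remaining, data = list(headers), b""
    for wanted in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                data += canonicalize_header(*remaining.pop(i))
                break
    without_b = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value)
    return data + canonicalize_header("DKIM-Signature", without_b).rstrip(b"\r\n")

def verify_body_hash(raw: str) -> bool:
    """First half of verification: does bh= match the body as received?"""
    headers, body = split_message(raw)
    sig_value = next(v for n, v in headers if n.lower() == "dkim-signature")
    tags = parse_tags(sig_value)
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_mode) == tags["bh"]

def sign_sample(body: str) -> str:
    """Constructed sample, signer side: bh= is computed here; b= stays empty
    because no private key is involved in this example."""
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; "
           f"h=from:to:subject; bh={body_hash(body, 'relaxed')}; b=")
    return ("From: alice@example.com\nTo: bob@example.net\nSubject: hello\n"
            f"DKIM-Signature: {sig}\n\n{body}")

if __name__ == "__main__":
    msg = sign_sample("Hello Bob,\n\nPayment  is due.\n")
    print(verify_body_hash(msg), verify_body_hash(msg.replace("due", "overdue")))  # True False
```

Relaxed canonicalization is why a forwarder that only re-wraps whitespace or appends blank lines does not break the body hash, while any change to the words themselves does.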
DKIM record structure
A DKIM public key record is a TXT record published at [selector]._domainkey.yourdomain.com. A typical record looks like: v=DKIM1; k=rsa; p=MIIBIjANBgkqh... The v= tag is the version (always DKIM1), k= is the key type (rsa or ed25519), and p= is the base64-encoded public key.
The selector is chosen by the ESP: common values are google, sendgrid, or mailchimp, and the record itself is often a CNAME alias pointing at the ESP's own key record. You may have multiple DKIM selectors for the same domain if you send through multiple platforms. Each is a separate DNS record; they do not conflict.
Why DKIM matters more than SPF for DMARC
SPF alignment breaks on forwarded messages because the Return-Path changes at each hop. DKIM alignment survives forwarding as long as the message body and signed headers are not modified — which most forwarders do not do. This makes DKIM the more reliable of the two DMARC alignment mechanisms for real-world mail flows.
Google and Yahoo's 2024 bulk sender requirements specifically require DKIM in addition to SPF and DMARC. A domain that relies only on SPF for DMARC alignment will fail these requirements and face increased filtering at both providers.
Frequently asked questions
What happens if DKIM fails?
A DKIM failure means either the message was modified in transit, the private key was rotated without updating the DNS record, or the message was not signed by the expected domain. If DMARC is at enforcement, a DKIM failure combined with an SPF failure means the message will be quarantined or rejected depending on the p= policy.
How often should I rotate my DKIM keys?
Security guidance suggests rotating DKIM keys annually or after any suspected private key compromise. The process is: publish a new key at a new selector, update your ESP to sign with the new selector, wait for DNS propagation (at least the record's TTL, often several hours), then remove the old key record. Do not delete the old record before the new one is verified working: a gap means messages that fail DKIM verification.
Does DKIM protect the email body from modification?
DKIM signs a hash of the email body and selected headers. Any modification to those elements after signing will cause DKIM to fail. However, DKIM only covers the body (its hash is carried in the bh= tag) and the headers listed in the h= tag of the signature; headers that are not in the signed set can be modified without breaking DKIM.
Can I check if my DKIM record is configured correctly?
Yes. Query the TXT record at <selector>._domainkey.yourdomain.com — for example, dig TXT mail._domainkey.yourdomain.com +short. The response should be a v=DKIM1 record containing a base64-encoded public key (p=). A missing record, an empty p= tag, or a syntactically malformed response means the selector is not resolving correctly. You can then verify a live signature by sending a test to a mailbox you control and inspecting the Authentication-Results header for dkim=pass.
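The record structure described in the DKIM record structure section and the checks listed in this answer, as one added Python example (not MailerMonk's audit code): it takes the text that dig +short prints, joins the quoted strings that dig splits a long record into, parses the v=, k= and p= tags, flags a missing or empty p= and bad base64, and for RSA keys walks the DER SubjectPublicKeyInfo to report the modulus size. The sample record is constructed from a placeholder modulus, not a real key; only its DER shape matters here.

```python
import base64
import binascii
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # DER encoding of rsaEncryption 1.2.840.113549.1.1.1

def join_txt_strings(answer: str) -> str:
    """dig +short prints a long TXT record as several quoted strings;
    a verifier concatenates them before parsing."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', answer)
    return "".join(parts) if parts else answer.strip()

def der_read(buf: bytes, pos: int):
    """Minimal DER reader: returns (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return the
    modulus size, which is what "key length" means for an RSA DKIM key."""
    _, seq, _ = der_read(spki, 0)
    _, alg, pos = der_read(seq, 0)
    _, oid, _ = der_read(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    _, bits, _ = der_read(seq, pos)        # BIT STRING; first byte = unused-bit count
    _, rsa, _ = der_read(bits[1:], 0)
    _, modulus, _ = der_read(rsa, 0)       # INTEGER, may carry a leading 0x00
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(answer: str) -> dict:
    """The checks a verifier applies to the TXT record at selector._domainkey.domain."""
    record = join_txt_strings(answer)
    result = {"problems": [], "key_type": None, "key_bits": None}
    if not record:
        result["problems"].append("no TXT record at selector")
        return result
    tags = {k: re.sub(r"\s", "", v) for k, v in re.findall(r"([a-z]+)\s*=\s*([^;]*)", record)}
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional in RFC 6376 and defaults to DKIM1
        result["problems"].append("v= must be DKIM1")
    key_type = result["key_type"] = tags.get("k", "rsa")
    p = tags.get("p")
    if p is None:
        result["problems"].append("missing p= tag")
    elif p == "":
        result["problems"].append("empty p= (key revoked)")
    else:
        try:
            key = base64.b64decode(p, validate=True)
        except (binascii.Error, ValueError):
            result["problems"].append("p= is not valid base64")
            return result
        if key_type == "rsa":
            try:
                bits = result["key_bits"] = rsa_modulus_bits(key)
            except (ValueError, IndexError):
                result["problems"].append("p= is not an RSA SubjectPublicKeyInfo")
            else:
                if bits < 1024:
                    result["problems"].append(f"{bits}-bit RSA key is below the 1024-bit minimum")
                elif bits < 2048:
                    result["problems"].append(f"{bits}-bit RSA key; 2048 bits is recommended")
        elif key_type == "ed25519":
            result["key_bits"] = len(key) * 8    # RFC 8463: p= holds the raw 32-byte key
            if len(key) != 32:
                result["problems"].append("ed25519 p= must decode to 32 bytes")
        else:
            result["problems"].append(f"unknown key type k={key_type}")
    return result

# Constructed sample data: DER around a placeholder modulus, not a real key pair.
def der_encode(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_rsa_spki(bits: int) -> bytes:
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = der_encode(0x30, der_encode(0x02, modulus) + der_encode(0x02, b"\x01\x00\x01"))
    alg = der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
    return der_encode(0x30, alg + der_encode(0x03, b"\x00" + rsa))

def sample_dig_answer(bits: int = 2048) -> str:
    """What `dig TXT mail._domainkey.example.com +short` would print for such a key."""
    p = base64.b64encode(sample_rsa_spki(bits)).decode()
    return f'"v=DKIM1; k=rsa; p={p[:200]}" "{p[200:]}"'
```

Paste the output of dig into check_dkim_record to get the same verdicts; the one thing it cannot tell you is whether the ESP is actually signing with that selector, which is what the test message and its Authentication-Results header are for.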
Run a free deliverability audit on your sending domain.
MailerMonk checks DMARC alignment, SPF lookups, DKIM keys, MX records, and major blocklists in under a minute. No signup, no card.