What Is DKIM and How Does It Work?
Understanding DKIM (DomainKeys Identified Mail) and email authentication
Table of Contents
What Is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication protocol that adds digital signatures to emails to verify they're authentic and haven't been tampered with during transmission. DKIM uses cryptographic signatures to ensure email integrity and authenticity.
DKIM prevents email spoofing, improves deliverability, and protects email integrity. It's one of three main email authentication protocols (SPF, DKIM, DMARC) that work together to provide comprehensive email security.
Verify your DKIM records and use our email authentication checker to ensure DKIM is properly configured.
How DKIM Works
1. Key Generation
Domain owners generate DKIM key pairs (public and private keys) for signing emails.
2. DNS Publication
Public keys are published in DNS as TXT records, typically under a selector subdomain (e.g., selector._domainkey.example.com).
3. Email Signing
When sending emails, mail servers generate DKIM signatures using the private key and add them to email headers.
4. Signature Verification
Receiving mail servers verify DKIM signatures by retrieving public keys from DNS and verifying signature validity.
5. Result
DKIM verification results (pass, fail, none) are recorded in email headers and used for deliverability decisions.
6. DMARC Policy
DKIM results are combined with SPF results and evaluated against DMARC policies.
DKIM Signatures
Signature Header
DKIM signatures are added to email headers in this format: DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector; ...
Signature Components
- v=1: DKIM version
- a=: Signing algorithm (rsa-sha256, rsa-sha1)
- d=: Signing domain
- s=: Selector (key identifier)
- h=: Signed header fields
- b=: Signature data (base64-encoded)
Signature Generation
Signatures are generated by hashing selected header fields and email body, then signing the hash with the private key.
Signature Verification
Receivers verify signatures by retrieving the public key from DNS and verifying the signature against the email content.
DKIM Records
Record Location
DKIM public keys are published in DNS as TXT records at: selector._domainkey.example.com
Record Format
DKIM records contain key-value pairs: v=DKIM1; k=rsa; p=publickeydata...
Record Components
- v=DKIM1: Version identifier
- k=: Key type (rsa)
- p=: Public key data (base64-encoded)
- h=: Acceptable hash algorithms
- t=: Flags (testing mode)
Selectors
Selectors identify different key pairs for the same domain, allowing key rotation and multiple signing domains.
DKIM Results
DKIM verification produces specific results:
pass
DKIM signature is valid and verified successfully. This confirms email authenticity and integrity.
fail
DKIM signature verification failed. This may indicate email tampering, invalid signature, or configuration issues.
none
No DKIM signature found in email headers. Missing DKIM signatures hurt deliverability and reduce authentication benefits.
Result Location
DKIM results are recorded in Authentication-Results headers, showing verification status and domain alignment.
Setting Up DKIM
1. Generate Key Pair
Generate DKIM key pairs (public and private keys) for your domain. Many email service providers generate keys automatically.
2. Publish Public Key
Publish the public key in DNS as a TXT record under the selector subdomain (e.g., selector._domainkey.example.com).
3. Configure Mail Server
Configure your mail server to sign outgoing emails with the private key using the appropriate selector.
4. Verify DNS Record
Use our DKIM lookup tool to verify the DNS record is published correctly.
5. Test Authentication
Send test emails and use our authentication checker to verify DKIM passes.
6. Monitor Results
Monitor DKIM authentication results in email headers to ensure proper configuration and signature generation.
