Email Glossary

DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic signature to outgoing emails. This signature verifies that the email was sent by an authorized server and hasn't been modified in transit.

How DKIM Works

DKIM uses public-key cryptography. When you send an email:

  • Your email server creates a hash of specific email headers and the body
  • This hash is signed with your private key (stored on your server)
  • The resulting signature is added to the email header
  • The receiving server retrieves your public key from DNS
  • It uses the public key to check the signature against a fresh hash of the email
  • If they match, the email passes DKIM

DKIM Record Structure

A DKIM record is a TXT record published at a specific selector subdomain:

selector._domainkey.yourdomain.com

The record contains your public key:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4...

The selector (like "google" or "ses") allows you to have multiple DKIM keys for different email services.

Why DKIM Matters

DKIM provides:

  • Authentication - Proves the email came from your domain
  • Integrity - Confirms the email wasn't modified in transit
  • Reputation building - ISPs track DKIM-signed emails to build domain reputation
  • DMARC alignment - Required for DMARC to work properly

Without DKIM, your emails are more likely to be flagged as spam or phishing attempts.

DKIM Best Practices

  • Use 2048-bit keys - 1024-bit keys are increasingly vulnerable
  • Rotate keys periodically - At least annually for security
  • Sign important headers - From, To, Subject, Date, Message-ID
  • Monitor for failures - Use DMARC reports to catch issues
  • Set up for all services - Each sending service needs its own DKIM configuration
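
The record format and the 2048-bit recommendation above can be checked together. The following is an added example, not code from this page or from any mail provider: it parses a DKIM TXT record and reports undersized RSA keys. The function names and the sample records are assumptions made up for illustration, and the sample moduli are arbitrary numbers rather than usable keys.

```python
import base64

def parse_tags(txt):
    """Split a DKIM TXT record into tag=value pairs, dropping whitespace in values."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def read_tlv(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo that holds an RSA key."""
    seq, _ = read_tlv(spki, 0)             # outer SEQUENCE
    _, alg_end = read_tlv(spki, seq)       # AlgorithmIdentifier (skipped)
    bitstr, _ = read_tlv(spki, alg_end)    # BIT STRING wrapping RSAPublicKey
    rsa, _ = read_tlv(spki, bitstr + 1)    # +1 skips the unused-bits byte
    start, end = read_tlv(spki, rsa)       # first INTEGER is the modulus
    return int.from_bytes(spki[start:end], "big").bit_length()

def audit(txt, min_bits=2048):
    """Return a list of findings for one DKIM record (empty list = no findings)."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["not a DKIM1 record"]
    if tags.get("k", "rsa") != "rsa":
        return ["non-RSA key type, size check skipped"]
    if not tags.get("p"):
        return ["empty p= tag: key is revoked"]
    bits = rsa_bits(base64.b64decode(tags["p"]))
    return [f"{bits}-bit RSA key is below {min_bits}"] if bits < min_bits else []

# --- constructed sample data: the modulus is an arbitrary number, not a usable key ---
def der(tag, body):
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_record(bits):
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, audit(sample_record(bits)) or "ok")
```

To audit a live domain, pass audit() the TXT value published at selector._domainkey.yourdomain.com for each selector in use.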

Frequently Asked Questions

Do I need both SPF and DKIM?

Yes. SPF verifies the sending server is authorized, while DKIM verifies the message integrity and provides a stronger authentication signal. Most ISPs check both, and DMARC requires at least one to pass with alignment.

What is a DKIM selector?

A selector is a name that identifies a specific DKIM key. It allows you to have multiple DKIM keys for different email services. For example, Google uses 'google' as a selector, while AWS SES uses a unique selector per region.

Can DKIM be spoofed?

The cryptographic signature itself cannot be spoofed without the private key. However, attackers can send unsigned emails pretending to be from your domain, which is why DKIM should be paired with DMARC to tell receivers how to handle unsigned emails.