DKIM is an effective way to ensure your emails are not tampered with on their way to being delivered. Domain-based authentication protocols are significantly effective against email-based cyber attacks, which have become increasingly common, especially with the rise of remote working. Email remains a dominant form of business communication but is also a primary vector for attacks such as phishing, making robust verification crucial; DKIM is one of the protocols designed to combat these threats. It is important to note that email authentication is not foolproof, and attackers can still find ways to bypass these measures, so it is always a good idea to be cautious when opening email messages, especially those that contain links or attachments.
It’s based on public key cryptography, and it works by adding a digital signature to the message header, typically signing headers like ‘From’, ‘To’, ‘Subject’, and ‘Date’. When the receiver gets an email with DKIM, they check the digital signature using the public key published in the sender’s DNS to make sure it is valid. If it is, then they know the message has remained unaltered during the transfer and genuinely originated from the claimed domain.
Key Takeaways
- DKIM uses cryptographic signatures to verify email integrity and origin, crucial for preventing tampering and spoofing.
- Proper DKIM implementation, including key management best practices (e.g., 1024/2048-bit keys, rotation), is vital for email deliverability and meeting ISP requirements like Google’s.
- DKIM significantly boosts email marketing effectiveness by improving inbox placement, thereby enhancing engagement and protecting brand reputation.
- For comprehensive email security, DKIM should be paired with SPF and DMARC to enable policy enforcement and detailed reporting.
- Continuous monitoring of DKIM through tools and DMARC reports is essential to address issues and maintain sender reputation, though authentication methods are not entirely foolproof.
What is DKIM?
DKIM stands for DomainKeys Identified Mail. It is an email authentication protocol that lets senders sign their outgoing mail so that any alteration of the content during the delivery process can be detected by the receiver. Originally formed by merging DomainKeys (from Yahoo) and Identified Internet Mail (from Cisco) in 2004, DKIM has become a widely adopted technique.
DKIM is based on public key cryptography: the sending server adds a digital signature to the message header, and the receiver checks that signature to confirm the message has remained unaltered in transit. Leading providers like Google, Microsoft, and Yahoo check incoming mail for DKIM signatures. For instance, new senders transmitting emails to Gmail users are now required by Google to set up at least SPF or DKIM. Google conducts random checks on incoming messages, and emails lacking these authentication methods may be rejected with a 5.7.26 error or marked as spam.
What is a DKIM Header?
A DKIM header is a part of an email that contains the cryptographic DKIM signature. This signature is added by the sender’s mail server, specifically the Mail Transfer Agent (MTA), which creates a unique string of characters called a hash value based on the message content and headers. During the authentication process, the signature field in the DKIM header helps verify the authenticity of outbound messages. It helps receivers confirm that the email is genuine and comes from a legitimate sender.
What are DKIM Keys?
DKIM keys are cryptographic private and public key pairs used in DKIM authentication.
- Public Key: The DKIM public key is stored in the sender’s DNS (as a TXT record) and is used by receiving mail servers to verify DKIM signatures.
- Private Key: The DKIM private key is kept secure on the sender’s mail server and is used to generate and append the digital signature to each outgoing message as a part of the DKIM header.
How Does DKIM Work?
During the DKIM authentication process, the sender’s domain generates a pair of cryptographic keys, and when an email is sent, the sending server (MTA) adds a DKIM signature to the message header using the private key. This signature includes a hash value of selected parts of the email.
The sender’s domain publishes the corresponding public key in a DNS record. Upon receiving the email, the recipient’s server retrieves the DKIM signature from the header, queries the DNS for the public key, and uses it to check the signature and recover the hash value it protects. The receiving server then independently calculates its own hash value from the received email’s headers and body and compares it with the hash recovered from the signature. If the two hash values match, the signature is valid, confirming the email is authentic, hasn’t been altered since it was signed, and was sent by the listed domain, thus protecting against forgery and tampering.
How Do I Know DKIM is Working?
To verify that DKIM is indeed working for your domain, you can use a DKIM check to verify your configuration. Try using our free DKIM checker tool here. Additionally, monitor DMARC aggregate reports, which provide insights into DKIM authentication results for emails claiming to be from your domain. Checking DNS query logs for your DKIM records can also indicate how frequently receiving servers are fetching your public key.
What is a DKIM record?
A DKIM record is a TXT record published in your domain’s DNS settings that carries the DKIM key data as a list of tag=value pairs. It contains the public key corresponding to the private key used for signing. This record tells the internet that messages claiming to be from your domain can be verified using this key, allowing mail servers to confirm that a message has not been altered en route to its destination and originates from an authenticated source.
DKIM signature
A DKIM signature is a cryptographic signature added to the header of an email message that verifies its authenticity and ensures it has not been tampered with during transit. It is generated using the private key and verified using the public key found in the DKIM record.
DKIM selector
A DKIM selector is a unique identifier that specifies which DKIM key pair was used to sign the message, allowing a domain to manage multiple keys (e.g., one per sending service). It is an alphanumeric string carried in the s= tag of your DKIM email header, and it should be distinct for every email vendor you use.
For example, in the DKIM record name s1._domainkey.domain.com, s1 is your selector.
DKIM Record Example
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA…
DKIM records can also include a ‘t=y’ tag, indicating the domain is in test mode; this should be used temporarily during initial setup and removed for full deployment.
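As an added illustration (not code from this page or from PowerDMARC), the Python below parses a DKIM TXT record into its tags, flags the t=y test mode and the empty-p= revoked state, and decodes the RSA public key in p= just far enough to read the modulus size, so the 1024/2048-bit recommendation from the Key Takeaways can be checked mechanically. The sample keys are constructed inside the code and have no private half; the record-name helper assumes the selector._domainkey.domain layout shown above. Standard library only, so it runs offline.

```python
import base64
import hashlib

# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo (RFC 3279 / RFC 5280) ---

def der_length(n):
    """Encode a DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def der_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:                 # keep the INTEGER positive: prepend a zero byte
        body = b"\x00" + body
    return der_tlv(0x02, body)

def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus and return its size in bits."""
    _, spki, _ = read_tlv(spki_der, 0)      # SEQUENCE SubjectPublicKeyInfo
    _, _, pos = read_tlv(spki, 0)           # skip AlgorithmIdentifier (rsaEncryption, NULL)
    _, bitstr, _ = read_tlv(spki, pos)      # BIT STRING subjectPublicKey
    _, rsa_key, _ = read_tlv(bitstr, 1)     # skip the unused-bits byte -> SEQUENCE RSAPublicKey
    _, modulus, _ = read_tlv(rsa_key, 0)    # INTEGER modulus
    return int.from_bytes(modulus, "big").bit_length()

# --- DKIM record handling (RFC 6376 §3.6.1) ---

def record_name(selector, domain):
    """DNS owner name of the DKIM key record: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"

def parse_dkim_record(txt):
    """Split a DKIM TXT record into its tag=value pairs; folding whitespace inside values is not significant."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip()] = "".join(value.split())
    return tags

def assess_dkim_record(txt, min_bits=1024):
    """Return the checks an operator wants before relying on a published DKIM key."""
    tags = parse_dkim_record(txt)
    result = {"findings": [], "testing": False, "revoked": False, "key_bits": None}
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional, but if present it must be DKIM1
        result["findings"].append("v= tag is not DKIM1")
    if "p" not in tags:
        result["findings"].append("p= tag missing: not a valid DKIM key record")
    elif tags["p"] == "":                           # an empty p= means the key has been revoked
        result["revoked"] = True
        result["findings"].append("p= is empty: key revoked, signatures with this selector will fail")
    elif tags.get("k", "rsa") != "rsa":             # k= defaults to rsa; other key types are not decoded here
        result["findings"].append(f"key type {tags.get('k')} not decoded by this checker")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except (ValueError, IndexError):
            result["findings"].append("p= is not valid base64 DER")
        else:
            result["key_bits"] = bits
            if bits < min_bits:
                result["findings"].append(f"{bits}-bit key is below the {min_bits}-bit minimum")
    flags = tags.get("t", "").split(":") if tags.get("t") else []
    if "y" in flags:                                # test mode: verifiers treat failures as if the mail were unsigned
        result["testing"] = True
        result["findings"].append("t=y: domain is in test mode; remove it once signing is stable")
    result["ok"] = not result["findings"]
    return result

def make_sample_record(bits, flags=""):
    """Constructed sample: a structurally valid RSA SubjectPublicKeyInfo with a pseudo-random modulus.
    It is NOT a usable key (no matching private key exists); it only exercises the parser."""
    seed = hashlib.sha512(b"constructed DKIM sample").digest()
    modulus = int.from_bytes((seed * (bits // 512 + 1))[: bits // 8], "big") | (1 << (bits - 1)) | 1
    alg_id = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    rsa_key = der_tlv(0x30, der_integer(modulus) + der_integer(65537))
    spki = der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_key))
    t_tag = f" t={flags};" if flags else ""
    return f"v=DKIM1; k=rsa;{t_tag} p={base64.b64encode(spki).decode()}"

if __name__ == "__main__":
    print(record_name("s1", "domain.com"))
    for rec in (make_sample_record(2048), make_sample_record(1024, "y"), "v=DKIM1; k=rsa; p="):
        print(assess_dkim_record(rec))
```

A 1024-bit key produces the familiar `MIGfMA0GCSqGSIb3DQEBA…` prefix seen in the record example above. A 2048-bit key encodes to well over 255 characters, so when publishing it the TXT record must be split into several quoted strings, which verifiers concatenate; a checker that only reads the first string is a common cause of spurious "invalid key" findings.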
What are the Benefits of DKIM?
Businesses need DKIM to authenticate their outgoing emails and ensure their legitimacy. DKIM plays a pivotal role in countering Man-in-the-Middle (MITM) attacks and in exposing unwarranted changes made to email content by third parties. It helps protect customer relationships and brand reputation by ensuring emails are trustworthy.
DKIM prevents message alterations
When you ask yourself, what is DKIM doing to prevent email fraud, get this: the digital signature is a failsafe. If the email has been intercepted and altered, the signature verification will fail because the recalculated hash won’t match the hash carried in the signature, so the email gets rejected or flagged as suspicious.
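The hash comparison described in "How Does DKIM Work?" and in the paragraph above, as an added Python example that is not part of the original page: it implements the relaxed canonicalization from RFC 6376, recomputes the bh= body hash on the receiving side, shows that a single changed word makes the check fail, and builds the exact byte string over which the b= signature is computed. The message, headers and DKIM-Signature header are constructed here; the b= value is a placeholder because producing the real RSA signature needs the private key and an RSA library, which this standard-library-only example deliberately leaves out.

```python
import base64
import hashlib
import re

def parse_tag_list(value):
    """Split a DKIM tag=value list (RFC 6376 §3.2). Folding whitespace inside values is not significant."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags

def relaxed_body(body):
    """Relaxed body canonicalization (RFC 6376 §3.4.4): collapse runs of WSP to one space, drop trailing
    WSP on each line, drop empty lines at the end, and terminate a non-empty body with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 6376 §3.4.2): lowercase name, unfold, collapse WSP, none around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n".encode()

def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body)). The optional l= body-length tag is not supported here."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def strip_b_tag(sig_value):
    """Empty the b= tag (RFC 6376 §3.7): the signature cannot cover its own value."""
    parts = []
    for part in sig_value.split(";"):
        name, _, _ = part.partition("=")
        parts.append(name + "=" if name.strip() == "b" else part)
    return ";".join(parts)

def signed_data(headers, sig_value):
    """Bytes the signer hashes and signs: each header named in h= (taking the bottom-most unused instance,
    RFC 6376 §5.4.2), then the DKIM-Signature header itself with b= emptied and without its trailing CRLF."""
    remaining = list(headers)
    out = b""
    for wanted in parse_tag_list(sig_value)["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                out += relaxed_header(*remaining.pop(i))
                break
    out += relaxed_header("DKIM-Signature", strip_b_tag(sig_value)).rstrip(b"\r\n")
    return out

def verify_body_hash(headers, body):
    """Receiver-side check: recompute bh= from the body as received and compare it with the signed value.
    A mismatch is the 'altered in transit' failure. Returns (matches, recomputed_bh)."""
    sig_value = next(v for n, v in headers if n.lower() == "dkim-signature")
    expected = parse_tag_list(sig_value).get("bh", "")
    actual = body_hash(body)
    return actual == expected, actual

# Constructed sample message (not taken from the page).
SAMPLE_HEADERS = [
    ("From", "alerts@example.com"),
    ("To", "ops@example.net"),
    ("Subject", "Quarterly   report"),
    ("Date", "Mon, 17 Feb 2025 09:00:00 +0000"),
]
SAMPLE_BODY = "Hi team,\r\n\r\nThe  quarterly report is attached.   \r\n\r\n\r\n"

def sample_signature_header():
    """The DKIM-Signature a signing MTA would add for SAMPLE_BODY. b= is a placeholder: the real value is the
    RSA signature over signed_data(), which needs the private key."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1; h=From:To:Subject:Date; "
            f"bh={body_hash(SAMPLE_BODY)}; b=PLACEHOLDER")

if __name__ == "__main__":
    headers = SAMPLE_HEADERS + [("DKIM-Signature", sample_signature_header())]
    print("intact body: ", verify_body_hash(headers, SAMPLE_BODY)[0])
    print("altered body:", verify_body_hash(headers, SAMPLE_BODY.replace("quarterly", "annual"))[0])
    print(signed_data(headers, sample_signature_header()).decode())
```

The relaxed canonicalization is why trailing-whitespace changes made by intermediate servers do not break the signature, while any change to the words does; headers not listed in h= can be changed freely, so a signer should include every header whose integrity matters.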
Minimize spoofing with a DKIM domain
An email sent by an attacker attempting to impersonate your domain won’t have a valid signature generated with your private key. It will fail the DKIM authentication check, which is yet another insight into what DKIM is protecting your organization against.
View the latest email fraud statistics here.
DKIM reduces email spam
One thing DKIM is popularly known for is a reduction in spam emails. Configuring DKIM properly increases the trustworthiness of your emails, greatly reducing the chances of your legitimate messages ending up in the spam folder, which is especially beneficial for email marketing campaigns.
DKIM boosts email deliverability
Moreover, when you set up DKIM, it improves your sender reputation as a verified source in the eyes of Internet Service Providers (ISPs), customers, partners, and other receiving services. This contributes to better email deliverability and helps generate revenue by ensuring important communications reach their intended recipients. Email deliverability, the ability of an email to reach the recipient’s inbox rather than being marked as spam or bouncing, is critical for marketing and communication. Key metrics like bounce rates, open rates, click-through rates, and spam complaints help gauge engagement. Poor deliverability can lead to wasted marketing investment, listings on blocklists like Spamhaus, and impact customer service. Mailbox providers increasingly focus on user engagement signals (opens, clicks, replies, complaint rates) to filter emails, underscoring the need for high deliverability. Successfully delivered emails through DKIM verification contribute to higher click-through and open rates, potentially leading to increased conversions and sales.
What are the limitations of DKIM?
DKIM is extremely important for message authentication and integrity, however, it is not perfect. Here are some of its limitations:
- DKIM by itself doesn’t check that the “From” address visible to the end user matches the signing domain (that alignment check is part of DMARC). It only establishes that the email was authorized by the domain found in the DKIM signature (d= tag) and hasn’t been altered since it was signed. So if someone gains unauthorized access to a legitimate account or server, they can send DKIM-signed emails from your domain.
- DKIM relies on correct DNS record publication and retrieval. If your public DNS records aren’t set up correctly, are misconfigured, or experience propagation delays, this can lead to DKIM authentication failures even for legitimate emails.
- DKIM alone doesn’t dictate policy for what happens if authentication fails. It just provides a pass/fail result. It doesn’t inherently stop spam or phishing attempts; it makes forgery harder. Therefore, pairing it with DMARC, which uses DKIM (and/or SPF) results to enforce policy, is essential for comprehensive protection.
Furthermore, implementing DKIM can present practical challenges, including technical complexity requiring expertise in key management and DNS configuration, potential email deliverability issues if misconfigured, difficulties in managing keys at scale, and ensuring compatibility with third-party email sending services.
Pairing up DKIM with DMARC
There’s no point in comparing DKIM vs DMARC when pairing DKIM with DMARC (and SPF) is ideal for well-rounded protection while ensuring smooth email deliverability! If you use both, DMARC leverages DKIM’s authentication results (along with SPF’s) and adds alignment checks plus policy enforcement (like rejecting or quarantining failures), making it much harder for spoofed emails to reach the inbox. This helps avoid getting blacklisted by spam filters, meaning your legitimate emails will get delivered more reliably.
In addition, using DKIM and DMARC together helps protect your brand—spammers often try to spoof domains they think will be less likely to report them as spam. But if the domains they’re spoofing actually have DKIM set up and a DMARC policy in place, it’ll make it significantly harder for them to get away with their trickery and protects your domain’s reputation.
The beauty of pairing them up is that they work together seamlessly to provide multiple layers of protection against spoofing attempts while giving senders control and visibility (through DMARC reports) over how their mail is handled and authenticated across the internet.
Enable DKIM with PowerDMARC
PowerDMARC empowers domain owners to easily set up DKIM along with SPF and DMARC, providing hands-on monitoring and reporting features. This helps them stay on top of authentication results and errors at all times, ensuring deliverability while actively combating cyberattacks.
Our platform is easy to use for businesses of all sizes and can handle multiple domains and large volumes of email traffic. We provide an effective DKIM solution paired with several other essential email authentication protocols for 360-degree protection against email fraud.
Get your DKIM and DMARC setup in just minutes with PowerDMARC!
Frequently Asked Questions on DKIM
How to set up DKIM?
To set up DKIM, you need to generate a private key and a corresponding public key pair, often using a tool like a DKIM record generator or through your email service provider. It is recommended to use DKIM keys of at least 1024 bits, with 2048-bit keys being preferable for stronger security. Regularly rotate your DKIM keys and consider using unique keys for different sending services or clients. Ensure that the digital signature’s expiration period, if set, is longer than the key’s rotation period, and remember to revoke old keys. Then, configure your sending mail server(s) to sign outgoing emails with the private key and publish the public key as a DNS TXT record under a specific selector name for your domain (e.g., selector._domainkey.yourdomain.com).
How to check your DKIM record?
To check your DKIM record, you can use our free DKIM checker tool. Simply enter your domain name and the specific DKIM selector you want to check (if known), and it will query the DNS and report whether the DKIM record is properly formatted, published, and retrievable, or if any issues are detected.
What is the difference between SPF and DKIM?
While both are email authentication protocols used by DMARC, SPF (Sender Policy Framework) focuses on authorizing which IP addresses are allowed to send email *for* a domain, verifying the message’s path. DKIM focuses on verifying the email’s *content integrity* and confirms the message was authorized by the domain owner via a cryptographic signature, verifying the message’s origin and ensuring it wasn’t altered. DKIM signatures survive forwarding, whereas SPF often breaks during forwarding.
Can I use the same DKIM key for multiple domains?
No, you cannot use the same DKIM key pair for multiple distinct domains. Each domain requires its own unique DKIM key pair (private key for signing, public key published in that domain’s DNS). This ensures that the DKIM signatures are domain-specific and maintains the security and integrity of email authentication for each individual domain. You can, however, use the same key pair for different selectors *within* the same domain if needed, though separate keys per sending service are common.
Does Office 365 use DKIM?
Yes, Microsoft 365 (formerly Office 365) supports and uses DKIM. By default, Microsoft 365 uses a shared DKIM configuration for initial domains, but it is strongly recommended to configure custom DKIM signing for your own domain(s) by publishing the CNAME records in your DNS as instructed by Microsoft, which allows Microsoft to manage the keys and signing process on your behalf.
Can I use DMARC without DKIM?
Technically yes, you can implement DMARC using only SPF for authentication. However, this is highly *not* recommended. DMARC relies on either SPF or DKIM (or both) passing and aligning. Relying only on SPF makes your authentication fragile, as SPF often fails during indirect mail flows (like forwarding). Implementing both SPF and DKIM provides redundancy and much more robust authentication coverage needed for DMARC to function effectively.
Do I need DMARC if I have DKIM implemented?
While DKIM provides crucial message integrity verification and authentication, it doesn’t tell receiving servers what to *do* if the check fails, nor does it verify that the signing domain aligns with the user-visible “From” domain. A DMARC policy adds this essential layer: it checks for alignment between the DKIM signing domain (d=) and the “From” domain, specifies whether to quarantine or reject messages that fail authentication and alignment, and provides reporting on authentication results. Combining DKIM (and SPF) with DMARC yields significantly better email security, brand protection, and deliverability.
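The alignment rule described in this answer, as an added Python example that is not part of the original page: DMARC's "strict" mode requires the d= domain to equal the From: domain exactly, while the default "relaxed" mode accepts any subdomain of the same organizational domain (RFC 7489 §3.1.1), and DMARC only counts a DKIM signature that both passes and aligns. Real verifiers derive the organizational domain from the Public Suffix List; the handful of suffixes below is a stand-in for that list and an assumption of this example.

```python
# Stand-in for the Public Suffix List (assumption of this example; a real verifier loads the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def organizational_domain(domain):
    """Registered domain (RFC 7489 §3.2): the public suffix plus one label, e.g. news.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)   # unknown suffix: fall back to the whole name (no guessing)

def dkim_aligned(from_domain, signing_domain, mode="r"):
    """DKIM identifier alignment (RFC 7489 §3.1.1). mode is the adkim= tag value: 's' strict, 'r' relaxed (default)."""
    f, d = from_domain.lower().rstrip("."), signing_domain.lower().rstrip(".")
    if mode == "s":
        return f == d
    return organizational_domain(f) == organizational_domain(d)

def dmarc_dkim_pass(from_domain, dkim_results, mode="r"):
    """DMARC's DKIM verdict (RFC 7489 §4.2): true if at least one signature both verified and aligns.
    dkim_results is a list of (d= domain, verification passed) pairs, one per DKIM-Signature header."""
    return any(passed and dkim_aligned(from_domain, d, mode) for d, passed in dkim_results)

if __name__ == "__main__":
    # Constructed case: a third-party sender signs with its own domain (passes DKIM, fails alignment),
    # and the customer's own signature is broken by a forwarding hop (aligned, fails DKIM).
    results = [("esp-vendor.example", True), ("example.com", False)]
    print(dmarc_dkim_pass("example.com", results))              # False: DMARC would fall back to SPF
    print(dmarc_dkim_pass("example.com", [("mail.example.com", True)]))        # True in relaxed mode
    print(dmarc_dkim_pass("example.com", [("mail.example.com", True)], "s"))   # False in strict mode
```

This is the situation behind the "misalignment" item in the DKIM issues list further down: a vendor's signature can be cryptographically perfect and still contribute nothing to your DMARC result unless it is made under your domain (or a subdomain of it).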
What are DomainKeys Identified Mail issues?
Common DKIM issues include: incorrect DNS record syntax or publication; using the wrong selector; private key compromise or mismatches with the public key; key rotation problems (expired keys); message modifications by intermediate servers (like mailing lists) breaking the signature; misalignment between the DKIM signing domain and the From: header domain (which impacts DMARC); and lack of DKIM support or misconfiguration by third-party sending services. Each of these problems can result in DKIM authentication failures and negatively impact email deliverability.
How long does it take to set up a DKIM record?
Generating the keys and configuring the mail server might take minutes to hours depending on the system. Publishing the DKIM public key record in your DNS is usually quick, but it can take anywhere from a few minutes up to 48-72 hours for the DNS changes to fully propagate across the internet, depending on your DNS provider and TTL settings. Post-setup, ongoing monitoring (ideally via DMARC reports) is recommended to ensure DKIM continues to function correctly.
What happens when the DKIM fails?
When a DKIM check fails for an email, it indicates either the message was tampered with in transit or it wasn’t properly signed by the claimed sending domain. Receiving servers may treat the email with suspicion, potentially flagging it as spam or junk. If a DMARC policy is published for the domain and the failure also leads to DMARC failure (due to no passing/aligned SPF either), the email may be quarantined or rejected entirely based on the policy (p=quarantine or p=reject). Implementing SPF provides a fallback authentication mechanism.
Do I Need SPF and DKIM?
While SPF and DKIM are independent protocols that can authenticate emails on their own to some extent, using *both* is the industry best practice and strongly recommended for robust email authentication. They address different aspects (sender IP vs. message integrity/origin). Implementing SPF, DKIM, and DMARC together creates a powerful framework that significantly boosts your defenses against spoofing, phishing attacks, improves deliverability, and protects your domain’s reputation.
- What is DKIM and How Does DKIM Work? - February 16, 2025