PowerDMARC

What is DKIM and How Does DKIM Work?


DKIM is an effective way to ensure your emails are not tampered with while on their way to get delivered. Domain-based authentication methods and protocols are significantly effective against email-based cyber attacks, which have become increasingly common, especially with the rise of remote working. Email remains a dominant form of business communication but is also a primary vector for attacks like phishing, making robust verification crucial. DKIM is one such protocol designed to combat these threats.

It’s based on public key cryptography, and it works by adding a digital signature to the message header, typically signing headers like ‘From’, ‘To’, ‘Subject’, and ‘Date’. When the receiver gets an email with DKIM, they check the digital signature using the public key published in the sender’s DNS to make sure it is valid. If it is, then they know the message has remained unaltered during the transfer and genuinely originated from the claimed domain.

Key Takeaways

  1. DKIM uses public/private key cryptography to add a digital signature, verifying that email content hasn’t been tampered with during transit.
  2. A DKIM record in DNS allows receiving servers to validate the signature, confirming the message originates from an authorized source.
  3. Implementing DKIM significantly reduces email fraud, domain spoofing, and protects brand reputation against phishing attacks.
  4. Pairing DKIM with SPF and DMARC provides comprehensive, layered email security and improves overall deliverability.
  5. Regular monitoring of DKIM configuration ensures its continued effectiveness in authenticating emails and maintaining sender reputation.

What is DKIM?

DKIM stands for DomainKeys Identified Mail. It is an email authentication protocol that allows senders to prevent email content from being altered during the delivery process. Originally formed by merging DomainKeys (from Yahoo) and Identified Internet Mail (from Cisco) in 2004, DKIM has become a widely adopted technique.

It’s based on public key cryptography, and it works by adding a digital signature to the message header. When the receiver gets an email with DKIM, they check the digital signature to make sure it is valid. If it is, then they know the message has remained unaltered during the transfer. Leading providers like Google, Microsoft, and Yahoo check incoming mail for DKIM signatures.

What is a DKIM Header?

A DKIM header is a part of an email that contains the cryptographic DKIM signature. This signature is added by the sender’s mail server, specifically the Mail Transfer Agent (MTA), which creates a unique string of characters called a hash value based on the message content and headers. During the authentication process, the signature field in the DKIM header helps verify the authenticity of outbound messages. It helps receivers confirm that the email is genuine and comes from a legitimate sender.

What are DKIM Keys?

DKIM keys are cryptographic private and public key pairs used in DKIM authentication.

  • Public Key: The DKIM public key is stored in the sender’s DNS (as a TXT record) and is used by receiving mail servers to verify DKIM signatures.
  • Private Key: The DKIM private key is kept secure on the sender’s mail server and is used to generate and append the digital signature to each outgoing message as a part of the DKIM header.

How Does DKIM Work?

During the DKIM authentication process, the sender’s domain generates a pair of cryptographic keys, and when an email is sent, the sending server (MTA) adds a DKIM signature to the message header using the private key. This signature includes a hash value of selected parts of the email.

The sender’s domain publishes the corresponding public key in a DNS record. Upon receiving the email, the recipient’s server retrieves the DKIM signature from the header, queries the DNS for the public key, and uses it to decrypt the signature’s hash value. The receiving server then independently calculates its own hash value from the received email’s headers and body. It compares this recalculated hash with the decrypted hash from the signature. If the two hash values match, the signature is valid, confirming the email is authentic, hasn’t been altered, and was sent from the listed domain, thus protecting against forgery and tampering.
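The sign-and-verify flow just described, worked through in Go as an added example (this is illustrative code written for this page, not PowerDMARC's software and not a full RFC 6376 implementation): the sender hashes the body into bh=, hashes the selected headers together with the DKIM-Signature header itself, and signs that digest with the private key; the receiver recomputes both hashes from the message as it arrived and checks them against the signature with the public key. The domain example.com, the selector s1 and the message contents are constructed sample values; the example uses relaxed header and simple body canonicalization, and the key pair is generated in memory rather than fetched from DNS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Header is one email header field: name and raw (possibly folded) value.
type Header struct{ Name, Value string }

// bTag locates the b= tag so its value can be blanked before hashing (RFC 6376 §3.7).
var bTag = regexp.MustCompile(`(^|;)\s*b=[^;]*`)

// relaxedHeader: "relaxed" header canonicalization, lowercase name and collapsed whitespace.
func relaxedHeader(h Header) string {
	return strings.ToLower(h.Name) + ":" + strings.Join(strings.Fields(h.Value), " ")
}

// simpleBody: "simple" body canonicalization, trailing empty lines dropped, one final CRLF.
func simpleBody(body string) string {
	return strings.TrimRight(body, "\r\n") + "\r\n"
}

// parseTags splits "v=1; a=rsa-sha256; ..." into a map, dropping folding whitespace in values.
func parseTags(v string) map[string]string {
	tags := map[string]string{}
	for _, kv := range strings.Split(v, ";") {
		if k, val, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[strings.TrimSpace(k)] = strings.Join(strings.Fields(val), "")
		}
	}
	return tags
}

// last returns the last instance of a header (DKIM selects headers bottom-up), or nil.
func last(headers []Header, name string) *Header {
	for i := len(headers) - 1; i >= 0; i-- {
		if strings.EqualFold(headers[i].Name, name) {
			return &headers[i]
		}
	}
	return nil
}

// headerHash hashes the h= headers in order, then the DKIM-Signature header with an empty b= and no CRLF.
func headerHash(headers []Header, signed []string, sigValue string) []byte {
	h := sha256.New()
	for _, name := range signed {
		if hd := last(headers, name); hd != nil {
			h.Write([]byte(relaxedHeader(*hd) + "\r\n"))
		}
	}
	h.Write([]byte(relaxedHeader(Header{"DKIM-Signature", sigValue})))
	return h.Sum(nil)
}

// Sign is the sending MTA's job: bh= over the body, hash the chosen headers, sign with the private key.
func Sign(priv *rsa.PrivateKey, domain, selector string, headers []Header, body string, signed []string) (Header, error) {
	bh := sha256.Sum256([]byte(simpleBody(body)))
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(headers, signed, value))
	if err != nil {
		return Header{}, err
	}
	return Header{"DKIM-Signature", value + base64.StdEncoding.EncodeToString(sig)}, nil
}

// Verify is the receiver's job once the s=/d= public key is fetched: recompute both hashes and check the signature.
func Verify(pub *rsa.PublicKey, headers []Header, body string) error {
	sig := last(headers, "DKIM-Signature")
	if sig == nil {
		return fmt.Errorf("no DKIM-Signature header")
	}
	tags := parseTags(sig.Value)
	bh := sha256.Sum256([]byte(simpleBody(body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return fmt.Errorf("bh= mismatch: body altered in transit")
	}
	b, _ := base64.StdEncoding.DecodeString(tags["b"]) // a malformed b= simply fails below
	digest := headerHash(headers, strings.Split(tags["h"], ":"), bTag.ReplaceAllString(sig.Value, "${1} b="))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, b) != nil {
		return fmt.Errorf("b= mismatch: signed headers altered or wrong key")
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdrs := []Header{{"From", "alice@example.com"}, {"Subject", "Invoice  #42"}} // constructed sample message
	sig, _ := Sign(priv, "example.com", "s1", hdrs, "Pay within 30 days.\r\n", []string{"From", "Subject"})
	msg := append([]Header{sig}, hdrs...)
	fmt.Println(Verify(&priv.PublicKey, msg, "Pay within 30 days.\r\n"), Verify(&priv.PublicKey, msg, "Pay to a NEW account.\r\n"))
}
```

Running it prints a nil error for the untouched message and a bh= mismatch for the edited body. Because the DKIM-Signature header is hashed with its own b= value blanked, the signature covers the d=, s= and h= tags too, so an attacker cannot point the signature at a different selector or drop headers from the signed set without invalidating it.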

How Do I Know DKIM is Working?

To verify that DKIM is indeed working for your domain, you can use a DKIM check to verify your configuration. Try using our free DKIM checker tool here.

What is a DKIM record?

A DKIM record is a set of machine-level instructions published as a TXT record in your domain’s DNS settings. It contains the public key corresponding to the private key used for signing. This record tells the internet that messages claiming to be from your domain can be verified using this key, allowing mail servers to confirm that a message has not been altered en route to its destination and originates from an authenticated source.

DKIM signature

A DKIM signature is a cryptographic signature added to the header of an email message that verifies its authenticity and ensures it has not been tampered with during transit. It is generated using the private key and verified using the public key found in the DKIM record.

DKIM selector

A DKIM selector is a unique identifier that specifies which DKIM key pair was used to sign the message, which lets a domain manage multiple keys (for example, one per sending service). It is an alphanumeric string carried in the s= tag of the DKIM-Signature header, and it should be distinct for every email vendor you use.

For example, in the DKIM record name s1._domainkey.domain.com, s1 is your selector.

DKIM Record Example

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA…

What are the Benefits of DKIM

Businesses need DKIM to authenticate their outgoing emails and ensure their legitimacy. DKIM plays a pivotal role in defending against Man-in-the-Middle (MITM) attacks by exposing unauthorized changes made to email content by third parties. It helps protect customer relationships and brand reputation by ensuring emails are trustworthy.

DKIM prevents message alterations

When you ask yourself, what is DKIM doing to prevent email fraud, get this: the digital signature is a failsafe. If the email has been intercepted and altered, the signature verification will fail because the recalculated hash won’t match the decrypted hash from the signature, so the email gets rejected or flagged as suspicious.

Minimize spoofing with a DKIM domain

An email sent by an attacker attempting to impersonate your domain won’t have a valid signature generated with your private key. It will fail the DKIM authentication check, which is yet another insight into what DKIM is protecting your organization against.

View the latest email fraud statistics here.

DKIM reduces email spam

DKIM is also widely known for reducing spam. Configuring DKIM properly increases the trustworthiness of your emails and greatly reduces the chance of legitimate messages ending up in the spam folder, which is especially beneficial for email marketing campaigns.

DKIM boosts email deliverability

Moreover, when you set up DKIM, it improves your sender reputation as a verified source in the eyes of Internet Service Providers (ISPs), customers, partners, and other receiving services. This contributes to better email deliverability and helps generate revenue by ensuring important communications reach their intended recipients.

What are the limitations of DKIM?

DKIM is extremely important for message authentication and integrity; however, it is not perfect. Here are some of its limitations:

  • DKIM does not by itself check that the “From” address visible to the end user matches the signing domain (that alignment check is part of DMARC). It only establishes that the email was authorized by the domain found in the DKIM signature (d= tag) and hasn’t been altered since. So if someone gains unauthorized access to a legitimate account or server, they can send DKIM-signed emails from your domain.
  • DKIM relies on correct DNS record publication and retrieval. If your public DNS records aren’t set up correctly, are misconfigured, or experience propagation delays, this can lead to DKIM authentication failures even for legitimate emails.
  • DKIM alone doesn’t dictate policy for what happens if authentication fails. It just provides a pass/fail result. It doesn’t inherently stop spam or phishing attempts—it makes forgery harder. Therefore, pairing it with DMARC, which uses DKIM (and/or SPF) results to enforce policy, is essential for comprehensive protection.

Pairing up DKIM with DMARC

There’s no point in comparing DKIM vs DMARC when pairing DKIM with DMARC (and SPF) is ideal for well-rounded protection while ensuring smooth email deliverability! If you use both, DMARC leverages DKIM’s authentication results (along with SPF’s) and adds alignment checks plus policy enforcement (like rejecting or quarantining failures), making it much harder for spoofed emails to reach the inbox. This helps avoid getting blacklisted by spam filters, meaning your legitimate emails will get delivered more reliably.

In addition, using DKIM and DMARC together helps protect your brand—spammers often try to spoof domains they think will be less likely to report them as spam. But if the domains they’re spoofing actually have DKIM set up and a DMARC policy in place, it’ll make it significantly harder for them to get away with their trickery and protects your domain’s reputation.

The beauty of pairing them up is that they work together seamlessly to provide multiple layers of protection against spoofing attempts while giving senders control and visibility (through DMARC reports) over how their mail is handled and authenticated across the internet.

Enable DKIM with PowerDMARC

PowerDMARC empowers domain owners to easily set up DKIM along with SPF and DMARC, providing hands-on monitoring and reporting features. This helps them stay on top of authentication results and errors at all times, ensuring deliverability while actively combating cyberattacks.

Our platform is easy to use for businesses of all sizes and can handle multiple domains and large volumes of email traffic. We provide an effective DKIM solution paired with several other essential email authentication protocols for 360-degree protection against email fraud.

Get your DKIM and DMARC setup in just minutes with PowerDMARC!

Frequently Asked Questions on DKIM

How to set up DKIM?

To set up DKIM, you need to generate a private key and a corresponding public key pair, often using a tool like a DKIM record generator or through your email service provider. Then, configure your sending mail server(s) to sign outgoing emails with the private key and publish the public key as a DNS TXT record under a specific selector name for your domain (e.g., selector._domainkey.yourdomain.com).
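The setup steps above, together with the record format from the “DKIM Record Example” section, as an added Go example (written for this page, not PowerDMARC's generator or checker): GenerateKeyPair produces the private key the signing MTA needs and the public key already formatted as the TXT record value; RecordName builds the selector._domainkey.domain name to publish it under; ParseRecord is what a receiver or checker does with the fetched TXT value, including the edge cases of an empty p= (a revoked key), a wrong version tag, and a truncated key. The domain example.com and selector s1 are illustrative values, and this example only understands the rsa key type.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// DKIMRecord is the parsed form of a selector._domainkey TXT record.
type DKIMRecord struct {
	Version string         // v= (must be DKIM1 if present)
	KeyType string         // k= (rsa when absent)
	Key     *rsa.PublicKey // decoded p=; nil means the key has been revoked
	Flags   string         // t= (y marks testing mode)
}

// RecordName is the DNS owner name a receiver queries for selector s= under domain d=.
func RecordName(selector, domain string) string {
	return selector + "._domainkey." + domain
}

// GenerateKeyPair is the setup step: an RSA key pair, the private half as PEM for the
// signing MTA and the public half formatted as the TXT record value to publish.
func GenerateKeyPair(bits int) (string, string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", "", err
	}
	privPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	return string(privPEM), "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

// ParseRecord validates a fetched TXT value: split the tag list, enforce the required
// tags, and decode the public key. It returns an error for any record a verifier would reject.
func ParseRecord(txt string) (DKIMRecord, error) {
	rec := DKIMRecord{KeyType: "rsa"}
	tags := map[string]string{}
	for _, kv := range strings.Split(txt, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[strings.TrimSpace(k)] = strings.Join(strings.Fields(v), "") // tolerate whitespace left by TXT string splitting
		}
	}
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return rec, fmt.Errorf("unsupported version %q", v)
	}
	rec.Version = tags["v"]
	if k, ok := tags["k"]; ok {
		rec.KeyType = k
	}
	if rec.KeyType != "rsa" {
		return rec, fmt.Errorf("key type %q not handled by this example", rec.KeyType)
	}
	rec.Flags = tags["t"]
	p, ok := tags["p"]
	if !ok {
		return rec, fmt.Errorf("missing p= tag")
	}
	if p == "" {
		return rec, nil // empty p= means the key is revoked: signatures made with it must fail
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return rec, fmt.Errorf("p= is not valid base64 (truncated record?): %v", err)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return rec, fmt.Errorf("p= is not a valid public key: %v", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return rec, fmt.Errorf("p= is not an RSA key")
	}
	rec.Key = rsaPub
	return rec, nil
}

func main() {
	_, txt, _ := GenerateKeyPair(2048)
	fmt.Println("publish at", RecordName("s1", "example.com")) // illustrative domain and selector
	if rec, err := ParseRecord(txt); err == nil {
		fmt.Println("round trip ok, key bits:", rec.Key.N.BitLen())
	}
	_, err := ParseRecord("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA") // the page's truncated sample value
	fmt.Println("truncated record:", err)
}
```

A checker built on ParseRecord reports the same classes of problem the FAQ below lists as common DKIM issues: a record that is missing or cut short by a DNS provider's TXT length limit, a revoked key, or an unsupported version tag.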

How to check your DKIM record?

To check your DKIM record, you can use our free DKIM checker tool. Simply enter your domain name and the specific DKIM selector you want to check (if known), and it will query the DNS and report whether the DKIM record is properly formatted, published, and retrievable, or if any issues are detected.

What is the difference between SPF and DKIM?

While both are email authentication protocols used by DMARC, SPF (Sender Policy Framework) focuses on authorizing which IP addresses are allowed to send email *for* a domain, verifying the message’s path. DKIM focuses on verifying the email’s *content integrity* and confirms the message was authorized by the domain owner via a cryptographic signature, verifying the message’s origin and ensuring it wasn’t altered. DKIM signatures survive forwarding, whereas SPF often breaks during forwarding.

Can I use the same DKIM key for multiple domains?

No, you cannot use the same DKIM key pair for multiple distinct domains. Each domain requires its own unique DKIM key pair (private key for signing, public key published in that domain’s DNS). This ensures that the DKIM signatures are domain-specific and maintains the security and integrity of email authentication for each individual domain. You can, however, use the same key pair for different selectors *within* the same domain if needed, though separate keys per sending service are common.


Does Office 365 use DKIM?

Yes, Microsoft 365 (formerly Office 365) supports and uses DKIM. By default, Microsoft 365 uses a shared DKIM configuration for initial domains, but it is strongly recommended to configure custom DKIM signing for your own domain(s) by generating the necessary CNAME records in your DNS as instructed by Microsoft, which allows them to manage the keys and signing process.

Can I use DMARC without DKIM?

Technically yes, you can implement DMARC using only SPF for authentication. However, this is highly *not* recommended. DMARC relies on either SPF or DKIM (or both) passing and aligning. Relying only on SPF makes your authentication fragile, as SPF often fails during indirect mail flows (like forwarding). Implementing both SPF and DKIM provides redundancy and much more robust authentication coverage needed for DMARC to function effectively.

Do I need DMARC if I have DKIM implemented?

While DKIM provides crucial message integrity verification and authentication, it doesn’t tell receiving servers what to *do* if the check fails, nor does it verify that the signing domain aligns with the user-visible “From” domain. A DMARC policy adds this essential layer: it checks for alignment between the DKIM signing domain (d=) and the “From” domain, specifies whether to quarantine or reject messages that fail authentication and alignment, and provides reporting on authentication results. Combining DKIM (and SPF) with DMARC yields significantly better email security, brand protection, and deliverability.
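The alignment check described in this answer (and the first limitation listed under “What are the limitations of DKIM?”) as an added Go example, written for this page rather than taken from PowerDMARC or any DMARC library: a passing DKIM signature only counts toward DMARC if its d= domain aligns with the domain of the user-visible From address, exactly in strict mode or at the organizational-domain level in relaxed mode (the adkim= tag). Real verifiers derive the organizational domain from the Public Suffix List; this example assumes a one-label public suffix (example.com, not example.co.uk), and all addresses and domains in it are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Mode is the DKIM alignment mode selected by the DMARC adkim= tag.
type Mode int

const (
	Relaxed Mode = iota // organizational domains must match (adkim=r, the default)
	Strict              // domains must match exactly (adkim=s)
)

// orgDomain returns the organizational domain. Assumption for this example: a one-label
// public suffix, so the last two labels are the organizational domain.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(d, ".")), ".")
	if len(labels) < 2 {
		return strings.Join(labels, ".")
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// fromDomain extracts the domain of the From header, accepting "alice@example.com"
// or "Alice <alice@example.com>"; it returns "" when no address is present.
func fromDomain(from string) string {
	addr := strings.TrimSpace(from)
	if i := strings.LastIndex(from, "<"); i >= 0 {
		addr = strings.TrimSuffix(strings.TrimSpace(from[i+1:]), ">")
	}
	_, dom, ok := strings.Cut(addr, "@")
	if !ok {
		return ""
	}
	return strings.ToLower(strings.TrimSpace(dom))
}

// DKIMAligned reports whether a passing signature's d= domain aligns with the From domain.
// A signature that verifies but does not align (a third-party sender signing with its own
// domain, for instance) contributes nothing to the DMARC result.
func DKIMAligned(from, d string, mode Mode) bool {
	fd, sd := fromDomain(from), strings.ToLower(strings.TrimSuffix(d, "."))
	if fd == "" || sd == "" {
		return false
	}
	if mode == Strict {
		return fd == sd
	}
	return orgDomain(fd) == orgDomain(sd)
}

func main() {
	// Constructed cases: same domain, a subdomain signer, and an unrelated signing domain.
	fmt.Println(DKIMAligned("Alice <alice@example.com>", "example.com", Strict))
	fmt.Println(DKIMAligned("alice@example.com", "mail.example.com", Strict), DKIMAligned("alice@example.com", "mail.example.com", Relaxed))
	fmt.Println(DKIMAligned("alice@example.com", "bulk-sender.example", Relaxed))
}
```

The last case is the one the limitations section warns about: the signature is cryptographically valid, so DKIM alone passes, but DMARC sees an unaligned d= and falls back to SPF or to the published policy.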

What are DomainKeys Identified Mail issues?

Common DKIM issues include: incorrect DNS record syntax or publication; using the wrong selector; private key compromise or mismatches with the public key; key rotation problems (expired keys); message modifications by intermediate servers (like mailing lists) breaking the signature; and misalignment between the DKIM signing domain and the From: header domain (which impacts DMARC). Each of these problems can result in DKIM authentication failures and negatively impact email deliverability.

How long does it take to set up a DKIM record?

Generating the keys and configuring the mail server might take minutes to hours depending on the system. Publishing the DKIM public key record in your DNS is usually quick, but it can take anywhere from a few minutes up to 48-72 hours for the DNS changes to fully propagate across the internet, depending on your DNS provider and TTL settings. Post-setup, ongoing monitoring (ideally via DMARC reports) is recommended to ensure DKIM continues to function correctly.

What happens when the DKIM fails?

When a DKIM check fails for an email, it indicates either the message was tampered with in transit or it wasn’t properly signed by the claimed sending domain. Receiving servers may treat the email with suspicion, potentially flagging it as spam or junk. If a DMARC policy is published for the domain and the failure also leads to DMARC failure (due to no passing/aligned SPF either), the email may be quarantined or rejected entirely based on the policy (p=quarantine or p=reject). Implementing SPF provides a fallback authentication mechanism.

Do I Need SPF and DKIM?

While SPF and DKIM are independent protocols that can each authenticate emails on their own to some extent, using *both* is the industry best practice and strongly recommended for robust email authentication. They address different aspects (sender IP vs. message integrity/origin). Implementing SPF, DKIM, and DMARC together creates a powerful framework that significantly boosts your defenses against spoofing and phishing attacks, improves deliverability, and protects your domain’s reputation.
