DomainKeys Identified Mail (DKIM) is an email authentication method that lets an organization take responsibility for a message that was sent. It uses public-key cryptography to digitally “sign” emails, proving to recipients that the message was sent by the domain owner. Receivers can check the signature against the sending domain’s published public key to verify it.

This article will examine DKIM in detail and will give you an overview of how this email authentication method works.

What is DKIM Signature?

DKIM stands for DomainKeys Identified Mail. It is an email authentication system that provides integrity and non-repudiation by using cryptographic signatures. Together with DMARC, it can help build a robust spoof-protection infrastructure for your emails.

The DKIM protocol creates a cryptographic signature for each message sent to recipients, as well as a domain signature that is added to the message header.

This signature is used by the receiver to verify that the message was actually sent by the domain owner and not someone else. It also verifies that the message has not been tampered with along its journey from sender to receiver.

If it does not match, then either:

  1. The message was altered during transmission, or
  2. The message is being sent on behalf of someone else who has access to the sending server’s private key

In such cases of mismatched signatures, DKIM will prevent those emails from being delivered to their intended recipients because they won’t be able to validate them as legitimate messages from your brand.

How does a DKIM Signature work?

DKIM signatures work by inserting a digital signature into the header of an email. This signature can be verified by the receiving server and used to determine whether or not an email has been tampered with during transit.

DKIM uses public-key cryptography, which relies on a pair of keys: one private and one public. The public key is distributed to anyone who wants it, while the private key is kept secret (usually by the owner).

When you sign an email using DKIM, your private key is used to create a hash of the message’s content and then encrypt that hash with the receiver’s public key. This encrypted hash is then inserted into the header of your message, where it can be validated by the receiver.

The Keys of DKIM Signature

DKIM signatures are generated using two cryptographic keys, one public and one private. The public key is published in DNS, while the private key is kept secret.

When an email is signed, the private key is used to generate a hash of the message. This hash is then encrypted with the public key and sent along with the message itself.

When the recipient receives this information, they use their private key to decrypt the hash and verify that it matches the original content of the message.

The Parts of DKIM Signature

A DKIM signature consists of two parts: a header and the body. The header contains information about the sender’s identity, including their email address and public key. The body contains the actual message that was sent.

  1. To calculate a DKIM signature, you first take an MD5 hash of your domain name (for example, “”), which is your public key.
  2. Then, you concatenate your domain name with an SHA1 hash (for example, “sha1(”) and append it to the original message that was sent.
  3. You then take another MD5 hash of this combined string (for example, “md5(sha1(”) and attach it as a header at the beginning of your message before sending it out for delivery.

Steps Involved in DKIM Signing

Getting started with DKIM:

  1. The first step is to create a private key, which is used to sign the message.
  2. The second step is to create a public key, which is used when verifying the signature.
  3. The third step is to generate two DNS TXT records: one for the public key, and another for the selector name.
  4. The fourth step is to publish these records in your DNS zone file.

Steps involved in DKIM signing:

1. The sender generates a message with a unique identifier called a cryptographic hash function (usually SHA-256). This unique identifier is called a DKIM-Signature header field and contains information about who signed it and when they did so.

2. The sender adds additional header fields to the message that contain information about:

  • how long the message should be considered valid for
  • how often the signature should be re-checked for validity
  • whether signatures should be validated using an external service such as SPF (Sender Policy Framework)
  • what keys were used to sign this message

3. Finally, recipients who want to verify these signatures will use their copy of their sender’s public key from their DNS records or an intermediate service such as SenderID or Mailgun, then use it to validate any messages with DKIM headers attached.

Understanding The Tags Used in the DKIM Signature

This is an example of how a DKIM signature record might look:

DKIM-Signature: v=1;









v= This tag tells us the version of the DKIM.

a= This specifies the algorithm used by the signer to generate its public key. It can be one of RSA1_5, RSA-SHA1, or RSASSA-PSS. If this tag is missing, then RSA-SHA1 is assumed.

c= It specifies the canonicalization algorithm used to generate hashes from header fields as required by [BCP14]. This is followed by a comma-separated list of 1 or more canonicalization algorithms (e.g., “c=relaxed”). If this tag is omitted, then relaxed canonicalization is assumed.

d= It specifies which domain name should be used when generating signatures for messages sent out by this server (or another recipient).

s= The “s” tag is the selector string, which is used by a receiving server to determine what public key should be used to verify the signature.

t= The timestamp tag is used to record when the signature was created and is typically represented as a Unix timestamp (the number of seconds since January 1, 1970).

bh= This tag represents the body hash, which is an encrypted version of your message’s contents (including headers). This helps prevent tampering with messages after they’ve been signed by DKIM and before they reach their intended recipients.

h= The header hash value contains all headers in their entirety (including those signed by Sender Policy Framework or DomainKeys Identified Mail) except for those that have been explicitly excluded by including them in an exclude list. This value must be calculated using SHA-1 or MD5.

b= The “b” tag is the base64-encoded representation of a cryptographic hash function on the canonicalized body of the message (i.e., after MIME encoding has been removed).
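An added example, not from the original article: under RFC 6376 the bh= tag carries the base64 SHA-256 digest of the canonicalized message body, so a receiver can recompute it to detect body tampering. The sketch handles only a=rsa-sha256 with relaxed body canonicalization and does not verify the b= signature; the message, the domain example.com and the selector s1 are constructed sample values.

```python
import base64
import hashlib
import re

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    out = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse whitespace runs to one space
        out.append(line.rstrip(b" "))          # ignore whitespace at end of line
    while out and out[-1] == b"":              # ignore empty lines at end of body
        out.pop()
    return b"".join(line + b"\r\n" for line in out)

def body_hash(body: bytes) -> str:
    """Base64 SHA-256 digest of the canonicalized body, as carried in bh=."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def body_hash_matches(signature_value: str, body: bytes) -> bool:
    """Recompute the body hash of a received message and compare it with bh=."""
    tags = parse_tags(signature_value)
    # c= is "header/body"; the body algorithm is the part after the slash.
    body_canon = (tags.get("c", "simple/simple") + "/simple").split("/")[1]
    if tags.get("a") != "rsa-sha256" or body_canon != "relaxed":
        raise ValueError("this sketch handles only a=rsa-sha256 with relaxed body")
    return body_hash(body) == tags.get("bh", "")

# Constructed sample: the body as signed, and the header a signer would attach.
SIGNED_BODY = b"Hi Bob,\r\n\r\nInvoice 1042 is attached.\r\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;\r\n"
    f"\th=from:to:subject; bh={body_hash(SIGNED_BODY)}; b=PLACEHOLDER"
)

if __name__ == "__main__":
    print(body_hash_matches(SIGNATURE, SIGNED_BODY))
    print(body_hash_matches(SIGNATURE, b"Hi Bob,\r\n\r\nInvoice 1043 is attached.\r\n"))
```

Relaxed canonicalization tolerates the whitespace changes relays commonly make, while any change to the content itself produces a different digest.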

Generating a DKIM Signature

  1. Generate a public and private key.
  2. Generate a DKIM header and footer.
  3. Sign the email content with your private key using the selected algorithm, for example, RSA-SHA256 or RSA-SHA512.
  4. Compress the message using the selected algorithm, for example, deflate or none.
  5. Insert the DKIM headers at the beginning of the message before any MIME headers.
  6. Insert the DKIM footer after any MIME footers.

Ensuring The Validity of DKIM Signature

Some steps can be taken to ensure that the DKIM signature is valid:

  1. Determine if you want to use a traditional DKIM signing algorithm or an optimized one.
  2. Compute a hash value for your message’s header and body (this would typically be SHA-256).
  3. Choose an appropriate signing algorithm (like RSA or ECDSA).
  4. Verify that your public key matches the selector you specified earlier in Step 1 (this is done by using DNS).
  5. Sign your message using your private key and store it as an ASCII string in Base64 format within the header of your email message (in addition to placing it into DNS).

Verifying a DKIM Signature

DKIM Signature verification is complicated. It requires a lot of expertise to set up and maintain, and it’s often used in conjunction with other systems like SPF, which are also complicated.

As a result, most email marketers use a DKIM signature verification tool such as a DKIM record checker to check their DKIM signatures. This tool checks the DKIM keys that have been added to an email and verifies them against a public database. If the keys are valid and trusted, then the email can be considered legitimate.

This is important for several reasons: firstly, it ensures that your emails aren’t flagged as spam by ISPs or ISPs’ customers; secondly, it allows you to avoid having your domain blacklisted by other domains (this is called domain poisoning); finally, it helps ensure that your emails don’t get caught up in any kind of man-in-the-middle attack.


DKIM is a promising solution that allows an organization to validate the legitimacy of emails, especially those from outside senders. When applied consistently across a messaging environment, it provides recipients with a high degree of confidence that an email was sent by an authorized representative of the sender’s domain. However, it is important to note that while DKIM provides a verification mechanism, it isn’t enough to protect against email fraud attacks like spoofing and phishing. For that, a DMARC policy of reject is mandatory.

Need Help?

Email authentication is a necessary part of any business’s digital marketing strategy. With so many emails being sent and received every day, it’s easy for your brand to get lost in the shuffle. But with email authentication services from PowerDMARC, you can ensure that your emails are seen by the right people. 

Our email authentication solution will help you:

  • Increase email deliverability by verifying your domain name and DKIM signature
  • Enhance your brand image by showing recipients that you are a legitimate business
  • Improve overall customer experience by making sure they see only legitimate messages from you

If you have tried to validate your DKIM record with DKIM record lookup, you need to specify your DKIM selector. In this blog we will discuss the various ways to find it for your domain. DKIM, or DomainKeys Identified Mail, is your standard email authentication protocol that makes use of cryptography to authenticate your messages. DKIM exists in your DNS as a DNS TXT record that you can easily generate using our free DKIM record generator and subsequently publish in your domain’s DNS to configure the protocol for your domain.

What is a DKIM Selector?

You can spot the DKIM selector for your domain as an “s=” tag in your DKIM signature header. It is a string variable that helps in pointing towards the DKIM public key in your domain’s DNS while authenticating your messages using DKIM authentication protocol. The receiving MTA authenticates your outbound messages by matching the private key assigned to your email, against the public key in your DNS to check for the legitimacy of the email.

Your selector is a unique identifier and has to be different for different email exchange services or vendors you are using.

How to Find DKIM Selector using Test Mail?

You can find your selector using the following 3 steps:

1) Send a test mail to your Gmail account

2) Click on the 3 dots next to the email in your Gmail inbox

3) Select “show original”

4) On the “Original Message” page, navigate to the bottom of the page to the DKIM signature section and locate the “s=” tag; the value of this tag is your DKIM selector.

In the above example, s1 is my DKIM selector. This is one of the methods you can use to identify and locate yours.
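The lookup behind these steps, as an added example that is not part of the original article: it reads every DKIM-Signature header from a raw message, takes the s= and d= tags, and builds the DNS TXT name selector._domainkey.domain where RFC 6376 places the public key. The message, the domain example.com and the selectors s1 and vendor-2024 are constructed sample values.

```python
import email
import re

# Constructed sample: headers as "show original" would display them, signed once
# by the domain's own server and once by a hypothetical third-party vendor.
RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=s1; h=from:to:subject; bh=AAAA; b=BBBB\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=vendor-2024;\r\n"
    "\th=from:subject; bh=CCCC; b=DDDD\r\n"
    "From: alice@example.com\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

# A selector is one or more dot-separated labels of letters, digits and hyphens;
# a label may not start or end with a hyphen.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def parse_tags(value):
    """Split a tag=value list, dropping the whitespace left by header folding."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def key_lookups(raw_message):
    """Return (selector, domain, DNS TXT name) for every DKIM-Signature header."""
    msg = email.message_from_string(raw_message)
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        selector, domain = tags.get("s", ""), tags.get("d", "")
        if not domain or not all(LABEL.match(l) for l in selector.split(".")):
            continue  # malformed signature: no usable key location
        found.append((selector, domain, f"{selector}._domainkey.{domain}"))
    return found

if __name__ == "__main__":
    for selector, domain, name in key_lookups(RAW):
        print(f"selector={selector} domain={domain} TXT record at {name}")
```

Each returned name is what a DKIM record lookup queries, so a message signed by several services yields one name per selector.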

DKIM Selector Examples

If your Hostname is (i.e. your record is published on this subdomain), s1 is your selector. You can configure any selector of your choice; it can be an alphanumeric value and may contain hyphens, where the hyphen cannot be the first character. Here are a few DKIM selector examples:

How to Find DKIM Selector with PowerDMARC

Alternatively, you can sign up with PowerDMARC to be on your free DMARC analyzer trial and enable DMARC reporting for your domain. Here you can easily locate and identify the DKIM selectors for each of your sending sources in the DMARC aggregate reports view. This way you no longer have to manually send yourself test mails to search for it every time.

1) On the PowerDMARC control panel, go to DMARC aggregate reports and your desired view. For this example I am working with the “Per sending source” view.
2) Cascade the row of the sending source for which you want to view your DKIM selector
3) Cascade the row of the sender hostname
4) You will now be able to find the selector under the DKIM verification box, as shown below:

Once you have found out your DKIM selector, you can freely perform a DKIM record check to configure errors in your DKIM record and resolve issues. Hope this blog helped you find your DKIM selector. Get your free DMARC analyzer today to implement error-free SPF, DKIM and DMARC for your domain!

Before we get into how to set up DKIM for your domain, let’s talk a bit about what DKIM is. DKIM, or DomainKeys Identified Mail, is an email authentication protocol that is used for verifying the authenticity of outbound emails. The process involves using a private cryptographic key generated by your mail server which signs each outgoing email message. This ensures your recipients can verify that the emails they receive were sent from your mail server and are not forged. This can improve deliverability and help weed out spam. Put simply, an email from a DKIM-enabled mail server contains a digital signature or, more correctly, a cryptographic signature, which can be validated by the receiver’s email server.

DKIM was created by combining existing technologies like DomainKeys (from Yahoo) and Identified Internet Mail (from Cisco). It has developed into a widely adopted authentication method, which is known as DKIM and it is also registered as an RFC (Request for Comments) by the IETF (Internet Engineering Task Force). All major ISPs like Google, Microsoft and Yahoo create a digital signature that is embedded in the email header of outgoing emails and validate incoming mail with their own policies.

In this blog we are going to delve into the mechanism used in DKIM to validate your emails and its various advantages, as well as learn how to set up DKIM for your own domain.

How to Set Up DKIM to Protect Your Domain from Spoofing?

The DKIM signature is generated by the MTA and is stored in the list domain. After receiving the email, you can verify the DKIM by using the public key. DKIM is an authentication mechanism that can prove the identity of a message. This signature proves that the message is generated by a legitimate server.

This is especially required since domain spoofing attacks are on the rise in recent times.

What is a DKIM Signature?

In order to use DKIM, you need to decide what should be included in the signature. Typically this is the body of the email and some default headers. You can’t change these elements once they’re set, so choose them carefully. Once you have decided what parts of the email will be included in the DKIM signature, these elements must remain unchanged to maintain a valid DKIM signature.

Not to be confused with DKIM selector, DKIM signature is nothing more than a consortium of arbitrary string values also known as “hash values”. When your domain is configured with DKIM, your sending email server encrypts this value with a private key that only you have access to. This signature ensures that the email you send has not been altered or tampered with after it was sent. To validate the DKIM signature, the email receiver will run a DNS query to search for the public key. The public key will have been provided by the organization that owns the domain. If they match, your email is classified as authentic.

How to Set Up DKIM in 3 Easy Steps?

In order to implement DKIM easily with PowerDMARC all you need to do is generate your DKIM record using our free DKIM record generator. Your DKIM record is a DNS TXT record that is published in your domain’s DNS. Next you can conduct a free DKIM lookup, using our DKIM record lookup tool. This free tool provides a one-click DKIM check, ensuring that your DKIM record is error-free and valid. However, in order to generate the record, you need to first identify your DKIM selector.

How Do I Identify My DKIM Selector?

A common question often raised by domain owners is how do I find my DKIM? In order to find your DKIM selector, all you need to do is:

1) Send a test mail to your Gmail account

2) Click on the 3 dots next to the email in your Gmail inbox

3) Select “show original”

4) On the “Original Message” page, navigate to the bottom of the page to the DKIM signature section and locate the “s=” tag; the value of this tag is your DKIM selector.


A common question that you may often find yourself asking is whether implementing DKIM is enough. The answer is no. While DKIM helps you encrypt your email messages with a cryptographic signature in order to validate the legitimacy of your senders, it doesn’t provide a way for email receivers to respond to messages that fail DKIM. This is where DMARC steps in!

Domain-Based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that helps domain owners take action against messages that fail SPF/DKIM authentication. This in turn minimizes chances of domain spoofing attacks and BEC. DMARC along with SPF and DKIM can improve email deliverability by 10% over time and boost your domain reputation.

Sign up with PowerDMARC today to avail of your free DMARC analyzer trial!