What is DKIM?

DKIM stands for DomainKeys Identified Mail. It is a method of email authentication that allows senders to prevent email content from being altered during the delivery process.

It’s based on public key cryptography, and it works by adding a digital signature to the message header. When the receiver gets an email with DKIM, they check the digital signature to make sure it is valid. If it is, then they know the message has remained unaltered during the transfer.

How Does DKIM Work?

How Does DKIM Work?

During the DKIM authentication process, the sender’s domain generates a pair of cryptographic keys, and when an email is sent, the sending server adds a DKIM signature to the message header using the private key. 

The sender’s domain publishes the public key in a DNS record. Upon receiving the email, the recipient’s server retrieves the DKIM signature, queries the DNS for the public key, and verifies the signature’s integrity by comparing it to a computed hash of the email’s headers and body. If the signature is valid, the email is considered authentic and unaltered, protecting against forgery and tampering.

What is a DKIM record?

A DKIM record is a set of machine-level instructions that are added to your DNS settings, and it tells the internet that the messages are coming from an authenticated source, allowing mail servers to verify that a message has not been altered en route to its destination.

DKIM signature

A DKIM signature is a cryptographic signature added to the header of an email message that verifies its authenticity and ensures it has not been tampered with during transit.

DKIM selector

DKIM selector is a unique identifier for a DKIM signing domain. An alphanumeric string value that is defined in the s= tag in your DKIM email header, the selector should be distinguishable and different for every email vendor you use.

For example, in the DKIM record s1._domainkey.domain.com, s1 is your selector.

DKIM Record Example


Why do you need DKIM?

Businesses need DKIM to authenticate their outgoing emails and ensure their legitimacy. DKIM plays a pivotal role in bypassing MITM attacks and unwarranted changes made to email content by third parties.

DKIM prevents message alterations

DKIM prevents message alterations

When you ask yourself, what is DKIM doing to prevent email fraud, get this: the digital signature is a failsafe that cannot be decrypted if the email has been intercepted and altered, so the email gets rejected.

DKIM minimizes domain spoofing

DKIM minimizes domain spoofing

An email sent by an attacker through your domain won’t have your private signature on it, and it will fail to authenticate, which is yet another insight into what is DKIM protecting your organization against.

View the latest email fraud statistics here.

DKIM reduces email spam

DKIM reduces email spam

What is DKIM popularly known for is a reduction in spam emails. Configuring DKIM will greatly reduce the chances of your email ending up in the spam folder, especially with an email marketing campaign.

DKIM boosts email deliverability

DKIM boosts email deliverability

Moreover, when you set up DKIM, it improves your reputation as a verified source in the eyes of customers, partners, and other services.

How does DKIM prevent spoofing?

DKIM prevents email spoofing by adding a special signature to the email. This signature acts like a digital fingerprint that verifies the email came from the claimed sender and hasn’t been changed along the way. By confirming the signature matches the email’s contents, DKIM helps ensure that emails are genuine and not forged by a malicious party pretending to be someone else.

What are the limitations of DKIM?

DKIM is extremely important for message authentication, however, it is not perfect. Here are some of its limitations:

  • DKIM doesn’t authenticate the sender of an email. It only authenticates the sender’s domain name. So if someone has access to your email account, they can send emails in your name even if you have DKIM enabled!

  • DKIM requires public DNS records for verification. If your public DNS records aren’t set up correctly or if they don’t match what’s in your private DNS records (which is often the case for small businesses), this can lead to DKIM fail!

  • DKIM doesn’t stop spam or phishing attempts on its own—it just makes them harder for bots to do successfully because they’ll need access to your private keys first before they can forge them correctly. Therefore pairing it up with DMARC is extremely essential.

Errors and Limitations
Pairing up DKIM with DMARC

Pairing up DKIM with DMARC

Pairing DKIM with DMARC is ideal for well-rounded protection while ensuring smooth email deliverability! If you use both of them, you’re more likely to avoid getting blacklisted by spam filters, which means your emails will get delivered to your recipients. 

In addition, using both protocols helps protect your brand—spammers often try to spoof domains they think will be less likely to report them as spam. But if the domains they’re spoofing actually have DKIM set up, it’ll make it harder for them to get away with their trickery.

The beauty of pairing them up is that they work together seamlessly to provide multiple layers of protection against spoofing attempts while giving senders options on how they want their mail handled in case something goes wrong during the delivery process.

Enable DKIM with PowerDMARC

PowerDMARC empowers domain owners to set up DKIM along with hands-on monitoring, that helps them stay on top of errors at all times, ensuring deliverability, while actively combatting cyberattacks. 

Our platform is easy to use for businesses of all sizes and can handle multiple domains and large volumes of email traffic. We provide an effective DKIM solution paired with several other essential email authentication protocols for 360-degree protection against email fraud. 

Get your DKIM and DMARC setup in just minutes with PowerDMARC!

Frequently Asked Questions on DKIM

To set up DKIM, you need to generate a private key and a corresponding public key, on your mail server with a DKIM record generator. Then, configure your server to sign outgoing emails with the private key and publish the public key as a DNS TXT record for your domain.

To check your DKIM record, you can use our free DKIM checker tool. Simply enter your domain name or the specific DKIM selector you want to check and it will report whether the DKIM record is properly set up or if any issues are detected.

While both are email authentication protocols, SPF focuses on authorizing the domain’s IP address, while DKIM focuses on verifying the email’s integrity and origin.

No, you cannot use the same DKIM key for multiple domains. Each domain requires its own unique DKIM key pair. This ensures that the DKIM signatures are domain-specific and maintains the security and integrity of email authentication for each individual domain. Read more

Yes, Office 365 supports DKIM. You can configure DKIM signing for your Office 365 domain by generating the necessary DKIM keys and publishing the public key as a DNS TXT record for your domain.

While DKIM is not a mandatory requirement for DMARC (Domain-based Message Authentication, Reporting, and Conformance) implementation, it is highly recommended.

While DKIM provides email authentication on its own, a DMARC analyzer adds an additional layer of control and reporting. While DKIM is not a prerequisite for DMARC, combining DKIM with DMARC yields better email security and visibility into email authentication practices.

Want to boost your security with a DKIM record? Get in touch with a specialist today!