What is DKIM? How Domain Key Authentication Works
DKIM stands for DomainKeys Identified Mail. It's a cryptographic standard that lets you sign your outgoing emails so receiving servers can verify that you sent them and that they haven't been modified in transit.
How DKIM works
When you enable DKIM, your mail server adds a header called DKIM-Signature to every outgoing message. This header contains a cryptographic signature that's been generated using a private key only your server knows about.
When your email arrives at the recipient's server, they look up your public key in DNS and verify the signature. If the signature is valid, they know the email came from you. If someone modified the body or certain headers, the signature won't verify anymore.
Here's what a real DKIM-Signature header looks like:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=example.com; s=google; h=mime-version:from:date:message-id:subject:to;
bh=ABC123DEF456GHI789...;
b=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAg
Let me break down the key parts:
d=example.comis the domain being authenticateds=googleis the selector (more on this in a moment)bh=is the body hashb=is the signature itself
What a selector is
The s= field in DKIM-Signature is called a selector. It's a label that namespaces your DNS key lookup.
Your public key lives at [selector]._domainkey.[domain] in DNS. With selector google, your key would be at google._domainkey.example.com.
Why does this matter? It lets you have multiple DKIM keys active at the same time. You might use google._domainkey for your Google Workspace mail, s1._domainkey for your SaaS's transactional email, and s2._domainkey for a marketing platform. They're all signing mail from example.com, but using different keys.
Here's a real DNS record for a DKIM key:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCq
4vq5PN5rZJL9lv4tgM6n5m9W0u8pZ5k8vZ9kL8pZ9kL8p
The v=DKIM1 says it's a DKIM record. The k=rsa says it uses RSA signing. The p= contains the public key.
What DKIM proves (and doesn't prove)
DKIM proves two things:
- The message was authorized by the domain owner (only someone with the private key could have signed it)
- The body wasn't modified in transit (the body hash still matches)
What DKIM does not prove: it doesn't verify the From: header domain. An attacker could sign an email with your DKIM key in the d= field but put someone else's address in the From: header.
That's where DMARC comes in. DMARC adds a policy layer that says "the From: domain must match the DKIM signing domain" (or SPF sending domain). It's the enforcement mechanism that makes DKIM useful for stopping spoofing.
DMARC alignment
For DKIM to satisfy DMARC, the domain in the DKIM-Signature d= field must match (or be an organizational parent of) the From: header domain.
If your From: header is noreply@example.com but your DKIM signature is signed by mail.example.com, DKIM passes, but DMARC alignment fails because the domains don't match.
This is one reason people sometimes get DKIM passing but DMARC failing. The signatures are cryptographically valid, but they're not aligned with what the recipient cares about.
Key rotation
You don't have to invalidate old keys when you want to use a new one. Instead:
- Generate a new public/private key pair
- Create a new selector (e.g.,
s2instead ofs1) - Add the new DNS record
- Update your mail server to sign with the new key
- After a few days, remove the old DNS record
This way, emails signed with the old key still verify (because the old record is still in DNS), but you're using the new key for all outgoing mail. Once you're confident nothing needs the old key anymore, delete the DNS record.
Checking your DKIM setup
You can verify your DKIM configuration using the Email Auth Checker. It will look up your public key and show you what's configured for each selector on your domain.
If you're moving to DMARC enforcement, you'll want DKIM working alongside SPF before you switch from p=none to p=quarantine or p=reject. Read more about the full picture in what DMARC alignment means.
Use the Email Auth Checker to see what your domain's DKIM configuration looks like today.
