Glossary · 3 min read

What Is DKIM (DomainKeys Identified Mail)?

Learn how DKIM uses cryptographic signatures to authenticate email, including selector records, public/private key pairs, and the verification process per RFC 6376.

What Is DKIM (DomainKeys Identified Mail)?

DKIM is an email authentication method that allows a sending domain to cryptographically sign outgoing messages, enabling receivers to verify that the message was not altered in transit and that it was authorized by the domain owner. DKIM is defined in RFC 6376 and is one of the three pillars of modern email authentication, alongside SPF and DMARC.

How DKIM Signing Works

When a mail server sends a message with DKIM enabled, it performs these steps:

  1. Canonicalization. The message headers and body are normalized to a standard format (either "simple" or "relaxed") to account for minor modifications during transit, such as whitespace changes.
  2. Hashing. The canonicalized body is hashed (typically SHA-256). Selected headers are also hashed.
  3. Signing. The hash is encrypted with the domain's private key, producing a digital signature.
  4. Header insertion. The signature is added to the message as a DKIM-Signature header, which includes metadata about the signing: the domain (d=), selector (s=), algorithm (a=), signed headers (h=), and the signature itself (b=).

The DKIM DNS Record

The public key used for verification is published as a DNS TXT record at selector._domainkey.domain.com. The selector is a label chosen by the domain owner, allowing multiple DKIM keys to coexist (e.g., for different mail services).

Example DNS record:

s1._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."
  • v=DKIM1 -- Version identifier.
  • k=rsa -- Key type (RSA is standard; Ed25519 is emerging).
  • p= -- The base64-encoded public key.

What Gets Signed

The DKIM-Signature header specifies which message headers are included in the signature via the h= tag. Commonly signed headers include From, To, Subject, Date, and MIME-Version. The body hash covers the entire message body (or a specified length via the l= tag, though using l= is discouraged for security reasons).

Critically, the From header is always signed. This is what enables DKIM alignment checks in DMARC.

Verification Process

When a receiving mail server encounters a DKIM-Signature header:

  1. It extracts the d= (domain) and s= (selector) values.
  2. It queries DNS for the TXT record at selector._domainkey.domain.
  3. It retrieves the public key from the p= tag.
  4. It re-canonicalizes the message headers and body using the method specified in the signature.
  5. It decrypts the signature using the public key and compares it to a freshly computed hash.
  6. If they match, the DKIM check passes. If not, it fails.

Key Rotation

DKIM keys should be rotated periodically. Because the selector is part of the DNS lookup, you can publish a new key under a new selector, update your mail server to sign with the new key, and leave the old selector in DNS until all messages signed with it have been delivered or expired.

Verify Your DKIM Configuration

A missing or incorrect DKIM record means receivers cannot verify your signatures, weakening your authentication posture and potentially affecting deliverability at Gmail, Outlook, and Yahoo. Use our DKIM verification tool to check that your public key is published and valid.

Stay on top of your email infrastructure. Sign up for the InboxTooling newsletter for deliverability tips, tool updates, and best practices.

More glossary terms

DNS Ports Explained

Understand which network ports DNS uses, including port 53 for standard queries, port 443 for DNS over HTTPS, and port 853 for DNS over TLS.

DNS Record Types: A Complete Reference Guide

A technical reference for all major DNS record types including A, AAAA, MX, CNAME, TXT, NS, SOA, PTR, SRV, and CAA. Includes example values and use cases.

How Do IP Addresses Work?

Understand how IP addresses work, including IPv4 vs IPv6 formats, public vs private addresses, static vs dynamic assignment, NAT, and CIDR notation.

SMTP Ports Explained: 25, 465, 587, and 2525

Understand the four SMTP ports, when to use each one, the difference between STARTTLS and implicit TLS, and why ISPs block port 25.

What Is DMARC?

Understand DMARC, how it builds on SPF and DKIM with alignment checks, policy options (none, quarantine, reject), and aggregate vs forensic reporting per RFC 7489.

What Is DNS (Domain Name System)?

Learn how the Domain Name System works, including recursive and iterative queries, root servers, caching, and TTL values. A technical overview referencing RFC 1035.

What Is Secure DNS (DoH and DoT)?

Learn about secure DNS protocols including DNS over HTTPS, DNS over TLS, and DNSSEC. Understand why standard DNS is insecure and how to protect your queries.

What Is a Domain Name?

Learn what a domain name is, how domains map to IP addresses via DNS, the difference between TLD types, and how subdomains, URLs, and hostnames relate.

What Is a Gateway IP Address?

Learn what a gateway IP address is, how default gateways route traffic between networks, and how to find your gateway address on any operating system.

What Is a Reverse Lookup?

Understand reverse lookups including reverse DNS (PTR records), reverse IP lookups, and reverse email lookups. Learn how each works, common use cases, and limitations.

What Is a Reverse Proxy?

Learn how reverse proxies work, the difference between forward and reverse proxies, and common use cases including load balancing, SSL termination, and caching.

What Is an Email Bounce?

Understand email bounces, the difference between hard and soft bounces, common SMTP error codes, and how bounces affect sender reputation.

What Is an Email Domain Name?

Learn what an email domain is, how the @domain.com part of email addresses works with MX records to route messages, and the difference between free and custom email domains.

What Is an SMTP Server?

Learn how SMTP servers work, the difference between MTA, MSA, and MDA, and how email is delivered hop by hop using the SMTP protocol defined in RFC 5321.

What Is an SPF Record?

Understand SPF records, how they authorize email senders, the TXT record format, and how receivers evaluate SPF results including pass, fail, and softfail.

What Is an SSL Certificate?

Learn how SSL/TLS certificates encrypt internet traffic, how the chain of trust works, the difference between DV, OV, and EV certificates, and why TLS replaced SSL.