DKIM Explained
How DKIM signs outgoing emails with cryptographic keys to verify message integrity.
What Is DKIM?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, allowing the receiving server to verify that the message was sent by an authorized server and wasn't modified in transit.
How DKIM Works
Signing (Outgoing)
- Your mail server computes a hash of the message body and of a selected set of headers
- The hash is signed with your domain's private key
- The resulting signature is added to the message as a DKIM-Signature header
Verification (Incoming)
- The receiving server reads the DKIM-Signature header
- It fetches your public key from DNS (selector._domainkey.example.com)
- It verifies the signature with that public key against its own hash of the message
- If they match, the email passes DKIM
The DKIM-Signature Header
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
h=from:to:subject:date:message-id;
bh=...base64-body-hash...;
b=...base64-signature...;
Key fields:
- v — Version (always 1)
- a — Signing algorithm (rsa-sha256 recommended)
- d — Signing domain
- s — Selector (identifies which key pair to use)
- h — Headers included in the signature
- bh — Body hash
- b — The signature itself
DNS Record
The public key is published as a TXT record:
selector1._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIGf...public-key..."
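The tag=value syntax above is shared by the DKIM-Signature header and the DNS key record. The following Go program is an added example, not code from the original page: it parses a tag list, enforces the basics a verifier checks before touching any cryptography (required tags present, v=1, an accepted algorithm, From among the signed headers), builds the DNS name to query, and classifies a key record, including the empty p= form that RFC 6376 defines as a revoked key. The function names and the sample header and record values are constructed for this example; the bh= and b= blobs are placeholders, not real hashes.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseTagList splits a DKIM tag=value list such as "v=1; a=rsa-sha256; ..." into
// a map. Whitespace around tags and inside folded values is dropped (RFC 6376 3.2).
func ParseTagList(s string) (map[string]string, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if strings.TrimSpace(part) == "" {
			continue // a trailing ";" is allowed
		}
		name, value, ok := strings.Cut(part, "=")
		if !ok {
			return nil, fmt.Errorf("malformed tag %q", strings.TrimSpace(part))
		}
		name = strings.TrimSpace(name)
		if _, dup := tags[name]; dup {
			return nil, fmt.Errorf("duplicate tag %s=", name)
		}
		tags[name] = strings.Join(strings.Fields(value), "")
	}
	return tags, nil
}

// CheckSignatureHeader parses a DKIM-Signature value and enforces what a verifier
// checks before any crypto: the key fields are present, the version is 1, the
// algorithm is one we accept, and From is among the signed headers.
func CheckSignatureHeader(value string) (map[string]string, error) {
	tags, err := ParseTagList(value)
	if err != nil {
		return nil, err
	}
	for _, req := range []string{"v", "a", "d", "s", "h", "bh", "b"} {
		if _, ok := tags[req]; !ok {
			return nil, fmt.Errorf("missing required tag %s=", req)
		}
	}
	if tags["v"] != "1" {
		return nil, fmt.Errorf("unsupported version %q", tags["v"])
	}
	if a := tags["a"]; a != "rsa-sha256" && a != "ed25519-sha256" { // rsa-sha1 is obsolete
		return nil, fmt.Errorf("unsupported algorithm %q", a)
	}
	fromSigned := false
	for _, h := range strings.Split(strings.ToLower(tags["h"]), ":") {
		fromSigned = fromSigned || h == "from"
	}
	if !fromSigned {
		return nil, fmt.Errorf("h= must include from (RFC 6376 requires it)")
	}
	return tags, nil
}

// KeyRecordName is the DNS name the verifier queries for the public key.
func KeyRecordName(selector, domain string) string {
	return selector + "._domainkey." + domain
}

// KeyStatus classifies a TXT key record: "ok", or "revoked" when p= is empty
// (the RFC 6376 way to retire a selector); anything else is an error.
func KeyStatus(txt string) (string, error) {
	tags, err := ParseTagList(txt)
	if err != nil {
		return "", err
	}
	if v, ok := tags["v"]; ok && v != "DKIM1" { // v= is optional but must be DKIM1 if present
		return "", fmt.Errorf("unknown key record version %q", v)
	}
	if k, ok := tags["k"]; ok && k != "rsa" && k != "ed25519" { // k= defaults to rsa
		return "", fmt.Errorf("unknown key type %q", k)
	}
	p, ok := tags["p"]
	switch {
	case !ok:
		return "", fmt.Errorf("record has no p= tag")
	case p == "":
		return "revoked", nil
	}
	return "ok", nil
}

func main() {
	// Constructed values: a folded header as it would appear on the wire.
	hdr := "v=1; a=rsa-sha256; d=example.com; s=selector1;\r\n\th=from:to:subject:date:message-id;\r\n\tbh=AAAA;\r\n\tb=BBBB;"
	tags, err := CheckSignatureHeader(hdr)
	fmt.Println(tags, err)
	fmt.Println("query:", KeyRecordName(tags["s"], tags["d"]))
	fmt.Println(KeyStatus("v=DKIM1; k=rsa; p=MIGfPLACEHOLDER"))
	fmt.Println(KeyStatus("v=DKIM1; k=rsa; p="))
}
```

The From check matters in practice: a signature whose h= omits From still verifies cryptographically, but it no longer binds the visible sender to the signing domain, so DMARC alignment cannot rely on it.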
Key Rotation
Periodically rotate your DKIM keys to limit the impact of a key compromise:
- Generate a new key pair with a new selector (e.g., selector2)
- Publish the new public key in DNS
- Configure your mail server to sign with the new key
- Keep the old public key in DNS for a transition period (to verify in-flight emails)
- Remove the old DNS record after the transition
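The signing and verification flow from "How DKIM Works" and the rotation steps just listed, as one added Go example using only the standard library (not code from the original page). It applies a simplified "relaxed" canonicalization, signs with RSA-SHA256 (PKCS#1 v1.5, as DKIM does), and uses a Zone map that stands in for the DNS TXT lookup of selector._domainkey.domain with the key already decoded. The Message, Signature and Zone types, the NewKey helper and the sample message are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a parsed email: lowercase header name -> value, plus the body.
type Message struct{ Headers map[string]string; Body string }

// Signature holds the DKIM-Signature tags that vary here; v=1 and a=rsa-sha256 are fixed.
type Signature struct {
	Domain, Selector string   // d=, s=
	SignedHeaders    []string // h=
	BodyHash, Value  string   // bh=, b=
}

// HeaderValue renders the header value; the hash covers it with b= left empty.
func (s Signature) HeaderValue(b string) string {
	return fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=%s",
		s.Domain, s.Selector, strings.Join(s.SignedHeaders, ":"), s.BodyHash, b)
}

// Simplified "relaxed" canonicalization: lowercase header names, collapse whitespace
// runs, CRLF line endings, and no trailing empty lines in the body.
func canonHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

func canonBody(body string) string {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.Join(strings.Fields(l), " ")
	}
	return strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n") + "\r\n"
}

// dataToSign is the header-hash input: h= headers in order, then DKIM-Signature with b= empty.
func dataToSign(msg Message, sig Signature) []byte {
	var b strings.Builder
	for _, name := range sig.SignedHeaders {
		if v, ok := msg.Headers[strings.ToLower(name)]; ok { // absent headers add nothing
			b.WriteString(canonHeader(name, v))
		}
	}
	b.WriteString(strings.TrimSuffix(canonHeader("DKIM-Signature", sig.HeaderValue("")), "\r\n"))
	return []byte(b.String())
}

// NewKey makes a 2048-bit RSA pair (the usual floor today); GenerateKey only fails if rand does.
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// Sign is the outgoing step: hash the body, sign the header hash, record the selector to fetch.
func Sign(msg Message, domain, selector string, headers []string, key *rsa.PrivateKey) (Signature, error) {
	bh := sha256.Sum256([]byte(canonBody(msg.Body)))
	sig := Signature{Domain: domain, Selector: selector, SignedHeaders: headers, BodyHash: base64.StdEncoding.EncodeToString(bh[:])}
	digest := sha256.Sum256(dataToSign(msg, sig))
	raw, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return Signature{}, err
	}
	sig.Value = base64.StdEncoding.EncodeToString(raw)
	return sig, nil
}

// Zone stands in for DNS: "selector._domainkey.domain" -> published public key.
type Zone map[string]*rsa.PublicKey

// Verify is the incoming step: fetch the key named by s= and d=, recheck the body hash, then the signature.
func Verify(msg Message, sig Signature, dns Zone) error {
	name := sig.Selector + "._domainkey." + sig.Domain
	pub, ok := dns[name]
	if !ok {
		return fmt.Errorf("no DKIM key published at %s", name)
	}
	bh := sha256.Sum256([]byte(canonBody(msg.Body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != sig.BodyHash {
		return fmt.Errorf("body hash mismatch: body changed after signing")
	}
	raw, err := base64.StdEncoding.DecodeString(sig.Value)
	if err == nil {
		digest := sha256.Sum256(dataToSign(msg, sig))
		err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw)
	}
	if err != nil {
		return fmt.Errorf("header signature invalid: %v", err)
	}
	return nil
}

func main() {
	dns, key := Zone{}, NewKey()
	dns["selector1._domainkey.example.com"] = &key.PublicKey // constructed zone entry
	msg := Message{Headers: map[string]string{"from": "Alice <alice@example.com>", "subject": "Hi"}, Body: "Hello\n\n"}
	sig, _ := Sign(msg, "example.com", "selector1", []string{"from", "subject"}, key)
	fmt.Println(sig.HeaderValue(sig.Value), "\nverify:", Verify(msg, sig, dns)) // <nil> means pass
}
```

Rotation falls out of the selector lookup: publish selector2 next to selector1 and start signing with the new key, and mail already signed under selector1 keeps verifying until that record is removed. A body edited after signing fails at the body-hash step; an edited signed header fails at the signature step; whitespace-only changes survive relaxed canonicalization, which is exactly what it exists for.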
DKIM + SPF + DMARC
DKIM works alongside SPF and DMARC:
- SPF verifies the sending server is authorized
- DKIM verifies the message integrity and sender domain
- DMARC ties SPF and DKIM together with a policy for handling failures
All three should be configured for maximum email deliverability and security.
Checking DKIM
# Look up DKIM public key
dig +short selector1._domainkey.example.com TXT
# Test by sending an email to:
# [email protected] (returns authentication results)