What Is DKIM? How It Works and Why It Matters for Email Security
DKIM (DomainKeys Identified Mail) is a digital signature system that proves an email actually came from the domain it claims to be from and wasn't tampered with in transit. Without it, receiving mail servers have no way to verify that your emails are legitimate, and your messages are easier to spoof and more likely to land in spam.
The one-sentence explanation
DKIM works by adding a cryptographic signature to every outgoing email. The receiving server looks up your public key in DNS, verifies the signature, and confirms two things: the email came from an authorised source, and the content wasn't modified after it was sent.
How DKIM works (step by step)
You generate a key pair
A private key lives on your mail server. The matching public key is published as a DNS TXT record at a selector subdomain, e.g. google._domainkey.yourdomain.com.
Your mail server signs outgoing emails
For each outgoing email, your server hashes a specified set of headers and the body, then signs that hash with your private key. The resulting signature is added as a DKIM-Signature header on the email.
The receiving server verifies the signature
When Gmail, Outlook, or any receiving server gets your email, it reads the DKIM-Signature header, fetches your public key from DNS, and verifies the signature. If it matches, DKIM passes.
DMARC acts on the result
DKIM is one of two authentication signals DMARC uses (the other is SPF). If both fail and your DMARC policy is p=reject, the email is blocked before reaching the inbox.
DKIM vs SPF vs DMARC: what each one does
| Standard | What it checks | What it protects against |
|---|---|---|
| SPF | Is the sending server authorised to send for this domain? | Forged envelope sender (used by spam filters) |
| DKIM | Was the email signed by a key matching the domain's DNS record? | Message tampering, header spoofing |
| DMARC | Does SPF or DKIM pass, and is the From domain aligned? | Domain spoofing, phishing, BEC (the full picture) |
DKIM and SPF each have blind spots on their own. DMARC combines them and adds the policy (none/quarantine/reject) that determines what actually happens to failing emails.
Key point: SPF fails on forwarded email (because the forwarding server isn't in your SPF record). DKIM survives forwarding because the signature is in the email headers, not tied to the sending server's IP. This makes DKIM the more reliable signal for DMARC alignment.
How to check if DKIM is configured for your domain
DKIM records live at [selector]._domainkey.[yourdomain.com]. The selector is set by your email provider; common ones:
- Google Workspace: google._domainkey.yourdomain.com
- Microsoft 365: selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com
- Mailchimp: varies; typically listed in your Mailchimp account under Domains
- SendGrid: s1._domainkey.yourdomain.com
- Postmark: 20230601._domainkey.yourdomain.com (date-based)
You can verify by running: nslookup -type=TXT google._domainkey.yourdomain.com or using our free DMARC checker, which checks for DKIM alongside DMARC and SPF.
A valid DKIM record will look like: v=DKIM1; k=rsa; p=MIGfMA0G...
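The key publication, signing and verification steps above, together with the v=DKIM1; k=rsa; p= record format, as an added Go example (not code from this article or from any mail provider). It assumes a simplified canonicalisation (headers arrive as an already canonicalised name:value block), a constructed in-memory map in place of the DNS lookup, and placeholder domain and selector names; a real verifier follows the canonicalisation rules of RFC 6376.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"strings"
)

var b64 = base64.StdEncoding
var dnsTXT = map[string]string{} // stand-in for DNS (constructed): "<selector>._domainkey.<domain>" -> TXT
// PublishKey stores the public half as the "v=DKIM1; k=rsa; p=..." TXT record the article shows.
func PublishKey(domain, selector string, pub *rsa.PublicKey) {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	dnsTXT[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + b64.EncodeToString(der)
}
// tags parses the "k=v; k=v" lists used by both the TXT record and the DKIM-Signature header.
func tags(s string) map[string]string {
	m := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		k, v, _ := strings.Cut(strings.TrimSpace(kv), "=")
		m[k] = v
	}
	return m
}
// Sign (sending server): bh= hashes the body; b= signs the headers plus this header with b= empty, so d=, s= and bh= are covered too.
func Sign(priv *rsa.PrivateKey, domain, selector, hdr, body string) string {
	bh := sha256.Sum256([]byte(body))
	sig := "v=1; a=rsa-sha256; d=" + domain + "; s=" + selector + "; h=from:to:subject; bh=" + b64.EncodeToString(bh[:]) + "; b="
	hh := sha256.Sum256([]byte(hdr + "dkim-signature:" + sig))
	b, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hh[:]) // fails only on a bad key or RNG
	return sig + b64.EncodeToString(b)
}
// Verify (receiving server): fetch the key named by s=/d=, recheck bh=, then check b=.
func Verify(hdr, body, sig string) bool {
	t := tags(sig)
	rec := tags(dnsTXT[t["s"]+"._domainkey."+t["d"]])
	der, _ := b64.DecodeString(rec["p"]) // bad base64 simply yields an unparsable key below
	pubAny, _ := x509.ParsePKIXPublicKey(der)
	pub, isRSA := pubAny.(*rsa.PublicKey)
	if bh := sha256.Sum256([]byte(body)); rec["v"] != "DKIM1" || !isRSA || b64.EncodeToString(bh[:]) != t["bh"] {
		return false // no or revoked record, unusable key, or body changed after signing
	}
	b, err := b64.DecodeString(t["b"])
	hh := sha256.Sum256([]byte(hdr + "dkim-signature:" + strings.TrimSuffix(sig, t["b"]))) // header as signed
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, hh[:], b) == nil
}
```

Publishing a second key under a new selector and later deleting the old record from the map reproduces the rotation sequence described further down: mail signed with the old selector verifies only while its record still exists.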
What happens if DKIM is missing or broken?
- Emails are more likely to be flagged as spam or phishing by receiving servers
- DMARC can only rely on SPF for alignment, so if the email is forwarded, both SPF and DMARC will fail
- Attackers can more easily forge emails from your domain without the signature being detectable
- Marketing and transactional emails from third-party tools (Mailchimp, SendGrid) will show a "via" tag in Gmail instead of appearing as sent directly from your domain
Setting up DKIM for common email providers
Google Workspace
In Google Admin Console → Apps → Google Workspace → Gmail → Authenticate email → Generate new record. Copy the TXT record to your DNS, then click Start authentication.
Microsoft 365
In the Microsoft 365 Defender portal → Email & Collaboration → Policies & Rules → Threat Policies → DKIM. Enable DKIM for your domain and add the two CNAME records it provides to your DNS.
Third-party senders (Mailchimp, SendGrid, etc.)
Each service has a domain authentication section in their account settings. They'll give you specific DNS records (usually CNAME records that point to their signing infrastructure) to add at your DNS provider.
Important: You need a separate DKIM setup for every third-party service sending email on behalf of your domain. A single DKIM key pair (from Google Workspace) won't cover emails sent via Mailchimp or SendGrid. Each sender needs its own authentication.
DKIM key rotation
DKIM private keys should be rotated periodically (at least annually, or immediately if you suspect a compromise). Microsoft 365 supports key rotation natively. For Google Workspace, you generate a new key, add it to DNS with a new selector, update your sending configuration, then remove the old DNS record after a TTL window.
Check your domain's DKIM, SPF, and DMARC in 10 seconds
Inbox Shield checks all three email authentication standards, grades your setup, and monitors weekly for any changes or regressions.