---
title: "The role of DKIM public and private keys in email security | DMARC Report"
description: "The role of DKIM public and private keys in email security from DMARC Report explains practical steps for email authentication, domain protection."
image: "https://dmarcreport.com/og/blog/the-role-of-dkim-public-and-private-keys-email-security.png"
canonical: "https://dmarcreport.com/blog/the-role-of-dkim-public-and-private-keys-email-security/"
---
Quick Answer
DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists. DMARC Report The role of DKIM public and private keys in email security
Share
[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fthe-role-of-dkim-public-and-private-keys-email-security%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=The%20role%20of%20DKIM%20public%20and%20private%20keys%20in%20email%20security&url=undefined%2Fblog%2Fthe-role-of-dkim-public-and-private-keys-email-security%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fthe-role-of-dkim-public-and-private-keys-email-security%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fthe-role-of-dkim-public-and-private-keys-email-security%2F&title=The%20role%20of%20DKIM%20public%20and%20private%20keys%20in%20email%20security "Share on Reddit") [ ](mailto:?subject=The%20role%20of%20DKIM%20public%20and%20private%20keys%20in%20email%20security&body=Check out this article: undefined%2Fblog%2Fthe-role-of-dkim-public-and-private-keys-email-security%2F "Share via Email")
## Try Our Free DKIM Lookup
Auto-discover DKIM selectors for any domain - scan 185 common selectors across all major providers.
[ Discover DKIM Selectors → ](/tools/dkim-lookup/)
> DMARC monitoring should be as routine as checking your inbox, says Adam Lundrigan, CTO of DuoCircle. The aggregate reports tell you exactly who sends email from your domain. If you’re not reading them, you’re flying blind on your own email security posture.
DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists. DMARC Report
The role of DKIM public and private keys in email security
```
```
/
```
```
RSS Feed
```
Share
Link
Embed
```
/\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-38153” readonly/>
```
```
DKIM uses two keys to strengthen [email authentication](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/). If the same key were used to sign and verify emails, anyone could copy it and start sending fake messages. By separating the roles, DKIM ensures that:
- Only your [mail server](http://what-is-a-mail-server/) can sign emails (because only it has the private key)
- Anyone can verify emails (because the public key is openly available)
This is what prevents attackers from forging valid [DKIM signatures](https://docs.mapp.com/docs/dkim-signature).
## How DKIM Public and Private Keys Work Together
Here’s how the full DKIM process works when an email is sent.
First, an email is created by a user or an application on your domain. Before the message leaves your mail server, DKIM looks at important parts of the email, such as the headers and the body. Next, the **server generates a hash**, which is a unique digital fingerprint of that email. Even changing one letter would create a completely different hash.
Then the private key signs this hash. This creates a [digital signature](https://en.wikipedia.org/wiki/Digital%5Fsignature), which is added to the email as a DKIM header. The email is now cryptographically tied to your domain. When the receiving mail server gets the email, it reads the \*\*DKIM header and finds the selector, which tells it where to look in DNS for the [public key](https://www.techtarget.com/searchsecurity/definition/public-key).
The receiving server retrieves that public key from your [DNS records](https://www.ibm.com/think/topics/dns-records), generates its own hash of the email, and checks whether the DKIM signature matches. If it does, the message passes DKIM.
That means two things are now proven:
- The email came from your domain
- The content was not modified on the way DKIM uses a private key to sign outgoing emails and a public key to **verify authenticity**, strengthening [DMARCReport](https://dmarcreport.com/)\-based email security .
## Why this matters for email security
Without [DKIM](https://dmarcreport.com/what-is-dkim/), there is nothing stopping a [cybercriminal](https://incyber.org/en/article/united-states-amounts-stolen-by-cybercriminals-up-33/) from sending emails that appear to come from your domain. An attacker can easily copy your email address, your company name, and even your branding to create messages that look completely real. These [fake emails](https://www.usatoday.com/story/money/columnist/2023/09/21/ai-cyber-scams-security/70920106007/) can be used for phishing, payment fraud, or stealing login details. Since email servers cannot tell who actually sent the message, these emails often reach inboxes and trick recipients.
When DKIM is in place, every real email sent from your domain is signed using your [private key](https://www.investopedia.com/terms/p/private-key.asp). This signature is unique and cannot be copied or guessed by attackers. When a fake email is sent, it does not have access to your private key, so it cannot create a valid DKIM signature. The receiving mail server checks the signature using your public key and immediately knows the message is not legitimate.
This protects your brand because criminals cannot successfully pretend to be you. It also protects your customers and partners from being tricked by fake messages. Over time, inbox providers like \*\*Gmail and Outlook learn that your domain sends properly authenticated email, which improves your reputation and helps more of your real messages reach the inbox instead of the [spam folder](https://cybernews.com/news/microsofts-breach-notification-emails-end-up-in-spam-folder/).
## \*\*Final thoughts DKIM public and private keys may sound technical, but their role is simple: they \*\*protect your domain’s identity in email. The private key signs every message, and the public key proves that the signature is real.
Together, they form one of \*\*the most important layers of modern [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/), quietly working in the background to keep your emails trusted, verified, and out of phishing territory.
## Topics
[ dkim ](/tags/dkim/)[ email security ](/tags/email-security/)
[ Brad Slavin ](/authors/brad-slavin/)
General Manager
Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin)
## Take control of your DMARC reports
Turn raw XML into actionable dashboards. Start free - no credit card required.
[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/)
## Related Articles
[ Foundational 8m 10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 12m 10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[ Foundational 12m 10 Reasons SPF Filtering Is Critical For Email Security Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/)
```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```
```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```
```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"The role of DKIM public and private keys in email security","description":"The role of DKIM public and private keys in email security from DMARC Report explains practical steps for email authentication, domain protection.","url":"https://dmarcreport.com/blog/the-role-of-dkim-public-and-private-keys-email-security/","datePublished":"2026-01-22T11:21:42.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2026-01-22T11:21:42.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/the-role-of-dkim-public-and-private-keys-email-security/"},"articleSection":"foundational","keywords":"dkim, email security","wordCount":908,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"The role of DKIM public and private keys in email security","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```
```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"The role of DKIM public and private keys in email security","item":"https://dmarcreport.com/blog/the-role-of-dkim-public-and-private-keys-email-security/"}]}
```