
The role of DKIM public and private keys in email security

Brad Slavin, General Manager
Updated April 16, 2026

Quick Answer

DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists.


DMARC monitoring should be as routine as checking your inbox, says Adam Lundrigan, CTO of DuoCircle. The aggregate reports tell you exactly who sends email from your domain. If you’re not reading them, you’re flying blind on your own email security posture.


DKIM uses two keys to strengthen email authentication. If the same key were used both to sign and to verify emails, anyone who obtained it could sign fake messages that verify as genuine. By separating the roles, DKIM ensures that:

  • Only your mail server can sign emails (because only it has the private key)

  • Anyone can verify emails (because the public key is openly available)

This is what prevents attackers from forging valid DKIM signatures.


How DKIM Public and Private Keys Work Together

Here’s how the full DKIM process works when an email is sent.

First, an email is created by a user or an application on your domain. Before the message leaves your mail server, DKIM looks at important parts of the email, such as the headers and the body. Next, the server generates a hash, which is a unique digital fingerprint of that email. Even changing one letter would create a completely different hash.

Then the private key signs this hash. This creates a digital signature, which is added to the email as a DKIM-Signature header. The email is now cryptographically tied to your domain. When the receiving mail server gets the email, it reads the DKIM header and finds the selector, which tells it where to look in DNS for the public key.

The receiving server retrieves that public key from your DNS records, generates its own hash of the email, and checks whether the DKIM signature matches. If it does, the message passes DKIM.


That means two things are now proven:

  • The email was signed by a server holding your domain's private key

  • The signed headers and body were not modified on the way
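The signing and verification flow described above, as an added Go example (not code from the original post or from DMARC Report): it generates an RSA key pair, publishes the public half in the `v=DKIM1; k=rsa; p=...` form a verifier fetches from `<selector>._domainkey.<domain>`, signs the selected headers plus a body hash with the private key, and then verifies on the receiving side, including what happens when the body is altered in transit. The selector `s2026`, the domain `example.com` and the sample message are constructed; header canonicalization and the full DKIM-Signature tag syntax of RFC 6376 are deliberately left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Assumed, simplified model of DKIM: rsa-sha256 over selected headers plus a
// body hash, public key in a selector-named TXT record. Not a real verifier.

// GenerateKeyPair creates the RSA pair. The private half stays on the signing
// mail server; only the public half is published in DNS.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// DNSRecordName is the TXT name a receiver queries: <selector>._domainkey.<domain>.
func DNSRecordName(selector, domain string) string {
	return selector + "._domainkey." + domain
}

// DNSRecordValue encodes the public key in the "v=DKIM1; k=rsa; p=..." form.
func DNSRecordValue(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

// ParseDNSRecordValue recovers the RSA public key from the record's p= tag.
func ParseDNSRecordValue(record string) (*rsa.PublicKey, error) {
	for _, tag := range strings.Split(record, ";") {
		kv := strings.SplitN(strings.TrimSpace(tag), "=", 2)
		if len(kv) != 2 || kv[0] != "p" {
			continue
		}
		der, err := base64.StdEncoding.DecodeString(strings.TrimSpace(kv[1]))
		if err != nil {
			return nil, err
		}
		key, err := x509.ParsePKIXPublicKey(der)
		if err != nil {
			return nil, err
		}
		if pub, ok := key.(*rsa.PublicKey); ok {
			return pub, nil
		}
		return nil, fmt.Errorf("p= tag does not hold an RSA key")
	}
	return nil, fmt.Errorf("no p= tag in DKIM record")
}

// signedInput is what the signature covers: the chosen headers and the body
// hash (bh=), so altering either side breaks verification.
func signedInput(headers []string, body string) []byte {
	bodyHash := sha256.Sum256([]byte(body))
	bh := base64.StdEncoding.EncodeToString(bodyHash[:])
	return []byte(strings.Join(headers, "\r\n") + "\r\nbh=" + bh)
}

// Sign produces the base64 value the sending server would put in the b= tag.
func Sign(priv *rsa.PrivateKey, headers []string, body string) (string, error) {
	digest := sha256.Sum256(signedInput(headers, body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify is the receiving side: recompute the hashes and check the signature
// with the key fetched from DNS. Any mismatch means the message fails DKIM.
func Verify(pub *rsa.PublicKey, headers []string, body, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(signedInput(headers, body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, _ := GenerateKeyPair()
	record, _ := DNSRecordValue(&priv.PublicKey)
	fmt.Println("publish at", DNSRecordName("s2026", "example.com")) // constructed names
	// Constructed sample message, signed with the domain's private key.
	headers := []string{"From: billing@example.com", "Subject: Invoice 42"}
	body := "Please find the invoice attached.\r\n"
	sig, _ := Sign(priv, headers, body)
	pub, _ := ParseDNSRecordValue(record) // what the receiver fetched from DNS
	fmt.Println("original passes DKIM:", Verify(pub, headers, body, sig))
	fmt.Println("altered body passes DKIM:", Verify(pub, headers, body+"Pay to a new account.\r\n", sig))
}
```

Run it with `go run main.go`: the original message verifies, and the same signature fails once the body (or a signed header such as From) changes, which is exactly the tamper-evidence the article describes. Real DKIM additionally canonicalizes headers and body before hashing so that benign whitespace changes by intermediate servers do not break the signature.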

Why this matters for email security

Without DKIM, there is nothing stopping a cybercriminal from sending emails that appear to come from your domain. An attacker can easily copy your email address, your company name, and even your branding to create messages that look completely real. These fake emails can be used for phishing, payment fraud, or stealing login details. Since email servers cannot tell who actually sent the message, these emails often reach inboxes and trick recipients.


When DKIM is in place, every real email sent from your domain is signed using your private key. An attacker cannot produce that signature without the private key. The sender of a fake email does not have access to it, so the fake cannot carry a valid DKIM signature for your domain. The receiving mail server checks the signature using your public key and immediately knows the message is not legitimate.

This protects your brand because criminals cannot successfully pretend to be you. It also protects your customers and partners from being tricked by fake messages. Over time, inbox providers like Gmail and Outlook learn that your domain sends properly authenticated email, which improves your reputation and helps more of your real messages reach the inbox instead of the spam folder.


Final thoughts

DKIM public and private keys may sound technical, but their role is simple: they protect your domain's identity in email. The private key signs every message, and the public key proves that the signature is real.

Together, they form one of the most important layers of modern email security, quietly working in the background to keep your emails trusted, verified, and out of phishing territory.

Brad Slavin

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
