What is a DKIM record? A complete guide to setup, mistakes, and DMARC alignment
Quick Answer
DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google's February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users.
DKIM is the authentication protocol that survives email forwarding, says Brad Slavin, General Manager of DuoCircle. When SPF fails because a forwarder’s IP isn’t in the original record, DKIM alignment is the only path to DMARC pass. That’s why we monitor DKIM alongside SPF in every DMARC Report dashboard.
Without proper email authentication in place, threat actors can spoof your emails and communicate on your behalf, jeopardizing your reputation and the targeted recipient’s data and money. All this can be prevented if your domain has SPF, DKIM, and DMARC in place. Each of these protocols operates differently, but when they work in tandem with each other, they help establish trust and legitimacy for emails. They enable you to prove to receiving mail servers that a specific email is indeed from you and not sent by a malicious actor.
This blog primarily focuses on DKIM (DomainKeys Identified Mail), an email authentication tool that adds a cryptographic signature to your emails so that the receiving server knows if the email content has been tampered with in transit.
What is a DKIM record?
A DKIM record is a type of DNS record that essentially stores a DKIM public key, which is a random string of characters that is used to verify that the message has not been altered in transit. Receiving email servers query the domain’s DNS to see the DKIM record corresponding to your domain and view the public key.
Here is an example of a DKIM record:
`selector1._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=ABC123XYZPublicKeyHereExampleOnly"`
Where,
- `selector1` is your DKIM selector.
- `_domainkey` is the required DKIM subdomain.
- `example.com` has to be replaced with your domain name.
- `v=DKIM1` specifies the DKIM version.
- `k=rsa` tells the key type.
- `p=ABC123XYZPublicKeyHereExampleOnly` is the placeholder public key used for verification.
How does DKIM work?
DKIM’s functionality can be broken down into two parts: the DKIM record and the DKIM header. A DKIM record is stored in your domain’s DNS as a TXT record, and the DKIM header is attached to all outgoing emails.
Here is how the process flows:
- When you send an email, your mail server uses a private key to create a digital signature, which is attached to the DKIM header.
- Next, upon receiving your email, the recipient’s mail server looks up your DKIM record in DNS using the selector from the header.
- The receiving server uses the public key from your DNS to check the signature against the email’s contents.
- Pass or fail:
  - If the signature matches the contents, it confirms the email hasn’t been modified and that it’s genuinely from your domain.
  - If it doesn’t match, the email fails DKIM verification and may be flagged or rejected.
What are common DKIM implementation mistakes?
DKIM is a sensitive protocol and, hence, requires technical expertise. If you are not careful enough, you may end up making these mistakes:
1. Using the wrong DKIM selector
If you use the wrong DKIM selector, the receiving mail server just won’t be able to find the right public key in your DNS to check the email’s signature. That means the DKIM check will fail, and depending on how your DMARC is set up, your email could end up in spam, get quarantined, or even be rejected completely. Over time, this can mess with your deliverability and hurt your domain’s reputation.
2. Publishing an incomplete or broken public key
If your DKIM public key in DNS is incomplete or has mistakes in it (like missing bits, extra spaces, or wrong formatting), the receiving server won’t be able to use it to check your email’s signature. So the DKIM check will fail, and your emails might start going to spam or even get rejected, depending on how the other side filters stuff. Over time, that can mess with your deliverability and hurt your domain’s reputation.
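Mistakes 1 and 2 can both be caught before mail is sent by deriving the DNS name from the `s=` and `d=` tags of a `DKIM-Signature` header and linting what is published there. This is an added example, not code from the original article; the `ZONE` dict stands in for a DNS lookup and the key is a constructed DER-shaped blob, not a real key.

```python
import base64
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (same syntax in the header and the TXT record)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is legal
    return tags

def dkim_query_name(signature_header):
    """DNS name the receiver queries: <s>._domainkey.<d>."""
    return "{s}._domainkey.{d}".format_map(parse_tags(signature_header))

def der_is_complete(der):
    """True if the outer DER SEQUENCE length matches the bytes actually present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:  # short-form length
        header, length = 2, der[1]
    else:  # long form: the next n bytes hold the length
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def lint_record(txt):
    """Return the problems found in a DKIM TXT value (None = nothing published)."""
    if txt is None:
        return ["no record at this name: wrong selector or record not published"]
    tags, problems = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        return problems + ["only k=rsa keys are checked by this example"]
    p = tags.get("p")
    if not p:
        return problems + ["p= is missing or empty (an empty p= revokes the key)"]
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:
        return problems + ["p= is not valid base64"]
    if not der_is_complete(der):
        problems.append("p= decodes, but the key is truncated or malformed")
    return problems

SAMPLE_P = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()  # constructed, not a real key
ZONE = {"selector1._domainkey.example.com": f"v=DKIM1; k=rsa; p={SAMPLE_P}"}  # stand-in for DNS
```

A key cut off on a four-character boundary is still valid base64, which is why the linter also compares the length declared in the DER header with the bytes that are actually there.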
3. Not rotating DKIM keys regularly
If you don’t rotate your DKIM keys regularly, you are risking your email security. The longer a key is in use, the higher the chances of it getting exposed through a breach, misconfiguration, or even old backups.
This is also seen as a sign of poor security hygiene, which can harm your email deliverability.
4. Forgetting to change the DNS after changing the email service provider
If you switch to a new email service provider and make no updates to your DNS DKIM record, messages sent from your domain will still get signed with the new provider’s key; however, the problem will be that the receiving server will try verifying them using your old public keys.
In this case, there will be a mismatch, which will eventually cause DKIM to fail. If this happens, your emails will either get marked as spam or rejected altogether, depending on your DMARC policy.
5. Misalignment with the ‘From’ domain under DMARC
If your DKIM signature is linked to a different domain than the one in the ‘From’ address, DMARC will see that as misalignment. Even if DKIM passes, DMARC will still count it as a fail because the signing domain and the visible sending domain don’t match. This can make your email land in spam, get quarantined, or even be rejected, which pretty much defeats the whole purpose of having DKIM.
How does DKIM interact with SPF and DMARC?
When DKIM is paired with SPF and DMARC, it strengthens your email security. SPF checks if the server from which an email is sent is actually authorized by the domain owner. DMARC sits on top of both SPF and DKIM. It tells receiving servers what to do if an email fails SPF or DKIM checks, and it requires that at least one of them passes and aligns with the domain in the “From” address. Alignment means the domain in the DKIM signature or SPF return-path matches the visible sending domain.
This interaction is significant for email security because if an email is forwarded, causing SPF to break, DKIM can still pass and keep the email from going to spam or getting rejected. On the flip side, if DKIM fails due to a broken record or signature mismatch, SPF might still pass and save the email. DMARC ties them together, so even if one fails, the other can help maintain deliverability while still protecting your domain from spoofing and phishing.
So, if you also want the combination of all three protocols, then reach out to us. We can help deploy, manage, configure, and reconfigure these protocols to optimize email deliverability and keep phishers at bay.
Content Specialist
Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs.