Email Authentication

What is DKIM?

DKIM (DomainKeys Identified Mail) is a cryptographic email authentication protocol that adds a digital signature to outgoing messages, allowing receivers to verify the email genuinely originates from the claimed domain and has not been altered in transit.

How It Works

Three-step cryptographic verification

DKIM uses public-key cryptography to prove that an email message was sent by the domain it claims and was not modified after sending.

01  Sender Signs

When your mail server sends an email, it computes a hash over selected headers and the message body, signs that hash with the domain's private key, and attaches the result as the DKIM-Signature header.

02  Message Travels

The signed email traverses the internet. Because the DKIM signature is part of the message header, it travels with the email through any number of intermediate servers and forwarders.

03  Receiver Verifies

The receiving server reads the DKIM-Signature header, fetches the public key from DNS at selector._domainkey.yourdomain.com, uses that key to check the signature, recomputes the hash from the message it actually received, and compares the two. A match means DKIM pass.

Record Anatomy

What a DKIM record looks like in DNS

A DKIM record is a DNS TXT record published at selector._domainkey.yourdomain.com. It contains the public key that receivers use to verify the DKIM signature attached to your outgoing messages.

  • The selector is chosen by your email provider (e.g., google, selector1)
  • The public key is Base64-encoded and can be 1024 or 2048 bits
  • NIST recommends 2048-bit RSA keys at minimum for security
  • Ed25519 keys are smaller and faster but not yet universally supported
DNS TXT Record:

selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."

  • v=DKIM1 (Version): Required. Identifies this as a DKIM key record.
  • k=rsa (Key type): RSA is standard. Ed25519 is emerging but not yet universal.
  • p=MIGf... (Public key): Base64-encoded public key used to verify signatures.
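As an added example (not code from the original page), the record above can be checked the way a verifier reads it: DNS stores long TXT data as strings of at most 255 bytes, the verifier concatenates them, parses the v=/k=/p= tags, and decodes p= as a DER-encoded RSA public key. The script builds a constructed 2048-bit placeholder key (not a real key), stores it as split TXT strings, and walks the DER to read the modulus size; a truncated record, the "DNS Record Too Long" failure described under Troubleshooting, is reported as an invalid p= value.

```python
import base64, re

def _der(tag, body):  # minimal DER TLV encoder (short- and long-form lengths)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def fake_rsa_spki(bits):  # SubjectPublicKeyInfo with a placeholder modulus (constructed, not a real key)
    modulus = b"\x00\x80" + b"\x11" * (bits // 8 - 1)  # leading 0x00 keeps the INTEGER positive
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    rsa_pub = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))  # n, e=65537
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))

# Constructed sample record, stored the way DNS holds long TXT data: in <=255-byte strings.
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(2048)).decode()
SAMPLE_TXT_STRINGS = [SAMPLE_RECORD[i:i + 255] for i in range(0, len(SAMPLE_RECORD), 255)]

def _tlv(buf, pos=0):  # read one DER element -> (tag, content, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the next (ln & 0x7F) bytes hold the length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(spki):  # walk SPKI -> BIT STRING -> RSAPublicKey -> modulus n
    _, body, _ = _tlv(spki)               # outer SEQUENCE
    _, _, after_alg = _tlv(body)          # skip AlgorithmIdentifier
    _, bitstr, _ = _tlv(body, after_alg)  # BIT STRING; first byte is the unused-bits count
    _, rsa_pub, _ = _tlv(bitstr[1:])      # RSAPublicKey SEQUENCE
    _, modulus, _ = _tlv(rsa_pub)         # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt_strings):  # concatenate the TXT strings as a verifier must, parse, report
    tags = {}
    for part in "".join(txt_strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # RFC 6376 ignores whitespace inside values
    problems, bits = [], None
    if tags.get("v") != "DKIM1":
        problems.append("v=DKIM1 missing or wrong")
    if not tags.get("p"):
        problems.append("p= is empty: key revoked or record truncated")
    elif tags.get("k", "rsa") == "rsa":
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except (ValueError, IndexError):
            problems.append("p= is not a valid base64-encoded RSA SubjectPublicKeyInfo")
        if bits is not None and bits < 2048:
            problems.append(f"RSA key is only {bits} bits; 2048 is the recommended minimum")
    return {"key_type": tags.get("k", "rsa"), "bits": bits, "problems": problems}
```

Passing only the first TXT string (what a provider that mishandles the split effectively publishes) reproduces the failure; replace SAMPLE_TXT_STRINGS with the strings a resolver returns for your own selector to check a live record.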
DKIM Selectors

How selectors identify which key to use

A DKIM selector is a string in the DKIM-Signature header (the s= tag) that tells the receiver which DNS record contains the public key. Each email service uses its own selector, allowing a domain to have multiple active DKIM keys simultaneously.

Provider            Selector(s)             DNS Location
Google Workspace    google                  google._domainkey.example.com
Microsoft 365       selector1, selector2    selector1._domainkey.example.com
SendGrid            s1, s2                  s1._domainkey.example.com
Mailchimp           k1                      k1._domainkey.example.com
Amazon SES          custom (CNAME)          xxxxxxx._domainkey.example.com
Postmark            20230601xxxxx           CNAME to dkim.postmarkapp.com
Protocol Comparison

DKIM vs SPF vs DMARC

The three protocols work together to provide layered email authentication. Each protects against different attack vectors.

                      SPF                  DKIM                           DMARC
What it checks        Sending server IP    Message signature              SPF/DKIM alignment
Verified against      DNS TXT at domain    DNS TXT at selector            DNS TXT at _dmarc
Survives forwarding   No                   Yes                            Via DKIM
Protects content      No                   Yes (signed headers + body)    Indirectly (via DKIM)
Enforcement action    Pass/Fail signal     Pass/Fail signal               None / Quarantine / Reject
Reporting             No                   No                             Yes (RUA + RUF)
RFC                   7208                 6376                           7489
Troubleshooting

Common DKIM issues and how to fix them

DKIM failures usually come down to key management, DNS configuration, or message modification by intermediaries.

Signature Mismatch

The private key used to sign does not match the public key in DNS. Usually caused by incomplete key rotation or publishing the wrong key. Verify with a DKIM lookup tool.

Key Rotation Gaps

Old key removed from DNS before all messages signed with it have been delivered and verified. Always publish the new key first, wait at least 48 hours, then remove the old one.

Forwarding Breaks Signature

Mailing lists and forwarders that modify headers or body content invalidate the DKIM signature. ARC (Authenticated Received Chain) helps, but adoption is still growing.

DNS Record Too Long

Some DNS providers split long TXT records incorrectly. DKIM public keys, especially 2048-bit RSA, can exceed 255 characters and must be properly concatenated across multiple strings.

Missing DKIM Record

The DNS TXT record was never published, was accidentally deleted, or is at the wrong selector location. Check that the record exists at selector._domainkey.yourdomain.com.

Expired Signature

The x= tag in the DKIM-Signature header sets an expiration timestamp. If the message is verified after this timestamp, DKIM fails. Common with delayed delivery or queued messages.
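As an added example (not code from the original page), the checks from the DKIM Selectors section and from the Expired Signature item above can be run on a DKIM-Signature header before any cryptography is attempted: unfold the header, read its tags, derive the selector._domainkey.domain name the verifier will query from s= and d=, and compare the x= expiration with the verification time. SAMPLE_HEADER is a constructed header whose bh= and b= values are placeholders; the from_domain parameter is an assumption added here to show the DMARC alignment check mentioned in the FAQ.

```python
import re
import time

# Constructed sample header (not from a real message); bh= and b= hold placeholders, not real values.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;\r\n"
    "\th=from:to:subject:date:message-id; t=1700000000; x=1700604800;\r\n"
    "\tbh=placeholderBodyHash=; b=placeholderSignature="
)

def parse_dkim_signature(header):
    """Unfold the header and return its tag=value pairs (RFC 6376 tag-list syntax)."""
    _, _, value = header.partition(":")
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # join folded continuation lines
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # whitespace inside a value is ignored
    return tags

def dkim_key_dns_name(tags):
    """Where the verifier fetches the public key: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def triage_signature(header, now=None, from_domain=None):
    """Checks that explain many DKIM failures before any cryptography runs."""
    tags = parse_dkim_signature(header)
    now = int(time.time()) if now is None else now
    findings = []
    for required in ("v", "a", "d", "s", "h", "bh", "b"):
        if required not in tags:
            findings.append(f"missing required tag {required}=")
    if tags.get("v") != "1":
        findings.append("v= must be 1")
    if "from" not in tags.get("h", "").lower().split(":"):
        findings.append("h= does not cover From, which RFC 6376 requires")
    if "x" in tags and int(tags["x"]) < now:
        findings.append(f"signature expired at x={tags['x']} (delayed or queued delivery)")
    if "t" in tags and "x" in tags and int(tags["x"]) < int(tags["t"]):
        findings.append("x= is earlier than t=")
    # DMARC strict alignment: the From domain must equal d=; relaxed mode also accepts a
    # subdomain sharing the organizational domain (which needs the public suffix list).
    if from_domain and from_domain.lower() != tags.get("d", "").lower():
        findings.append(f"d={tags.get('d')} does not align with From domain {from_domain}")
    dns_name = dkim_key_dns_name(tags) if "s" in tags and "d" in tags else None
    return {"dns_name": dns_name, "findings": findings}
```

Calling triage_signature with a `now` one week past x= reproduces the expired-signature failure; with the default `now` it evaluates the header against the current clock.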

FAQ

Frequently asked questions about DKIM

What is DKIM?

DKIM (DomainKeys Identified Mail) is a cryptographic email authentication protocol defined in RFC 6376 that adds a digital signature to outgoing email messages. The receiving mail server uses the signature to verify two things: the email genuinely originates from the domain it claims to come from, and the message content has not been altered in transit. Unlike SPF, which checks the sending server IP, DKIM signs the actual message content, making it the most reliable authentication method for forwarded email.

How does DKIM work?

DKIM works in three steps. First, the sending mail server computes a hash over selected headers and the message body, then signs that hash with a private key stored on the server. The signature becomes the DKIM-Signature header attached to the email. Second, the domain owner publishes the corresponding public key as a DNS TXT record at selector._domainkey.yourdomain.com. Third, when the email arrives, the receiving server fetches the public key from DNS, checks the signature with it, recomputes the hash from the received message, and compares. If they match, DKIM passes.

What is a DKIM selector?

A DKIM selector is a string that identifies which public key to use when verifying a DKIM signature. It appears in the DKIM-Signature header as the s= tag and in the DNS record location as selector._domainkey.yourdomain.com. Selectors allow a domain to have multiple active DKIM keys simultaneously, which is essential for key rotation and for domains that use multiple email services. Common selectors include google for Google Workspace, selector1 and selector2 for Microsoft 365, and s1 for SendGrid.

What is the difference between DKIM and SPF?

SPF (Sender Policy Framework) verifies that the sending server IP address is authorized in the domain DNS record. It checks the envelope sender (Return-Path), not the visible From header. DKIM verifies that the message content has not been altered in transit by attaching a cryptographic signature. The key difference: SPF breaks when email is forwarded because the forwarder IP is not in the original SPF record, but DKIM signatures survive forwarding because they are attached to the message itself. DMARC ties both together by requiring that either SPF or DKIM passes and aligns with the From header domain.

Why does DKIM fail?

DKIM fails for several reasons: the DKIM-Signature header or signed headers were modified in transit (common with mailing lists that add footers or modify the Subject line), the public key in DNS does not match the private key used to sign (often caused by incomplete key rotation), the DNS TXT record is missing or unreachable, the signature has expired (the x= tag in the signature specifies an expiration timestamp), or the message body was altered by an intermediary server. Content modification by mailing list software like Mailman and Google Groups is the most common cause of DKIM failure.

How do I find my DKIM selector?

You can find your DKIM selector by examining the DKIM-Signature header in any email sent from your domain. Open the email headers (in Gmail, click the three dots and select Show original) and look for the s= tag in the DKIM-Signature header. The value of s= is your selector. Alternatively, use the DMARC Report DKIM Lookup tool at dmarcreport.com/tools/dkim-lookup/ to discover all published selectors for your domain.

How often should I rotate DKIM keys?

Best practice is to rotate DKIM keys every 6 to 12 months for RSA keys and annually for Ed25519 keys. NIST recommends 2048-bit RSA keys at minimum. Key rotation involves generating a new key pair, publishing the new public key under a new selector, configuring your mail server to sign with the new key, and removing the old public key from DNS after a grace period. Selectors make this process seamless because the old and new keys can coexist during the transition.
