How DKIM Works
When you send an email, your mail server hashes parts of the email (selected headers and the body) and signs that hash with a private key. The resulting signature is added to the email as a DKIM-Signature header. The corresponding public key is published in your DNS as a TXT record.
When the receiving server gets the email, it looks up your public key in DNS, uses it to verify the signature, and checks that the signed hash matches the email content. If it matches, DKIM passes: the email came from your server and wasn't modified in transit.
Where Is the DKIM DNS Record?
DKIM public keys are published as TXT records at a specific selector subdomain:
selector._domainkey.yourdomain.com
The "selector" is a name chosen by your email provider. Google Workspace uses google, SendGrid uses a custom selector per domain, and so on. You can have multiple DKIM keys on different selectors — one per email service.
How to Enable DKIM
DKIM signing is enabled in your email provider's admin console, not directly in DNS. The process:
- Go to your email provider's DKIM settings (Google Workspace Admin: Apps → Google Workspace → Gmail → Authenticate email)
- Generate a DKIM key pair
- Copy the TXT record they give you and add it to your DNS
- Return to the admin console and click "Start Authentication" or "Enable DKIM"
Repeat for each email service you use (Google, SendGrid, Mailchimp, etc.).
Checking DKIM
After enabling DKIM, send yourself a test email and check the raw headers. Look for:
Authentication-Results: mx.google.com;
dkim=pass header.i=@yourdomain.com
The dkim=pass confirms DKIM is working. You can also paste the headers into the Email Header Analyzer for a detailed breakdown.
DKIM and DMARC
DKIM alone doesn't tie the signature to the domain in the From: header; a message can carry a valid signature from an unrelated domain. DMARC uses DKIM (and SPF) results and checks domain alignment: the signing domain in the DKIM signature must match the domain in the From: header for DMARC to pass via DKIM.
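The header check and the alignment rule above, as an added Python example (not code from this page or from any email provider). The sample headers are constructed, the function names are hypothetical, and the comparison is an exact domain match, which is stricter than DMARC's default relaxed mode (that mode compares organizational domains).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real mail); bh= and b= values are placeholders.
TEMPLATE = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@{d}
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={d};
 s=google; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@yourdomain.com>
To: bob@example.net
Subject: test

body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def dkim_report(raw):
    """Summarise the DKIM result and its alignment with the From: domain."""
    msg = message_from_string(raw)
    tags = parse_tags(msg.get("DKIM-Signature", ""))
    d = tags.get("d", "").lower()          # signing domain
    s = tags.get("s", "")                  # selector
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    m = re.search(r"\bdkim=(\w+)", msg.get("Authentication-Results", ""))
    result = m.group(1) if m else "none"
    aligned = bool(d) and d == from_domain  # exact match only (assumption)
    return {
        "dns_name": f"{s}._domainkey.{d}" if d and s else None,
        "dkim_result": result,
        "from_domain": from_domain,
        "aligned": aligned,
        "dmarc_via_dkim": result == "pass" and aligned,
    }

if __name__ == "__main__":
    for signer in ("yourdomain.com", "esp.example"):
        print(signer, dkim_report(TEMPLATE.format(d=signer)))
```

The second run shows a message signed by a different domain: dkim=pass is still reported, but the signature is not aligned with the From: domain, so it does not count toward DMARC.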
Check your DKIM: Use the DKIM checker — enter your domain and selector to verify the public key is published correctly.
Not directly. DKIM verifies the sender's identity and message integrity. It's one of several signals spam filters use. Combined with SPF and DMARC, it significantly improves deliverability.
A DKIM failure adds a negative signal to the spam score. With a strict DMARC policy, DKIM failures (combined with SPF failures) cause the email to be quarantined or rejected.
Yes. Each email service you use gets its own DKIM key on a different selector. You can have google._domainkey, sendgrid._domainkey, and mailchimp._domainkey all at once.