DomainKeys Identified Mail (DKIM)
Why You Should Care About DKIM
DKIM provides two critical assurances: that the email was authorized by the domain owner (authentication) and that the message body and key headers were not altered during delivery (integrity). Unlike SPF, which only checks the sending server's IP, DKIM verifies the message itself.
DKIM signatures survive email forwarding, which is a significant advantage over SPF. When an email is forwarded, the SPF check often fails because the forwarding server's IP is not in the original domain's SPF record. The DKIM signature, however, remains valid as long as the forwarder leaves the signed headers and body unchanged.
Setting up DKIM requires generating a key pair, publishing the public key in DNS as a TXT record, and configuring your email server to sign outgoing messages. Most email providers (Google Workspace, Microsoft 365, SendGrid) handle key management and signing automatically once you add the DNS records they provide.
Settings Overview
| DKIM Component | Description |
|---|---|
| Private key | Held by the sending mail server; signs selected message headers and a hash of the body |
| Public key | Published as DNS TXT record at selector._domainkey.domain |
| Selector | Identifier for the key pair (e.g., google, s1, default) |
| d= tag | Signing domain |
| s= tag | Selector name |
| b= tag | Cryptographic signature |
How to Verify
A DNS health checker verifies that your DKIM records are published correctly in DNS. Send a test email and check the Authentication-Results header to confirm DKIM signatures are passing. Each email service you use needs its own DKIM configuration.
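The check described above can be scripted. The following is an added example, not code from the original page: it reads a test message, pulls the `d=` and `s=` tags from each DKIM-Signature, builds the DNS name where the public key must be published, and reports the DKIM verdict from the Authentication-Results header. The sample message, the domains, the selector `s1` and the function names are constructed for illustration, and the parser assumes Authentication-Results values without parenthesised comments.

```python
import re
from email import message_from_string

# Constructed sample message: domains, selector and signature values are placeholders.
SAMPLE = (
    "Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=example.com;\n"
    " dkim=pass header.d=example.com header.s=s1\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;\n"
    " h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=;\n"
    " b=PLACEHOLDER\n"
    " SIGNATURE==\n"
    "From: alice@example.com\n"
    "Subject: DKIM test\n\nhello\n"
)

def parse_tags(value):
    """Parse a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_results(msg, trusted_authserv):
    """Map signing domain -> DKIM result, using only our own receiver's header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = re.sub(r"\s+", " ", header).partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # this header can be inserted by anyone; trust only our authserv-id
        for clause in rest.split(";"):
            verdict = re.match(r"\s*dkim=(\w+)", clause)
            domain = re.search(r"\bheader\.d=([\w.-]+)", clause)
            if verdict and domain:
                results[domain.group(1).lower()] = verdict.group(1).lower()
    return results

def check_message(raw, trusted_authserv):
    """Return one report entry per DKIM-Signature header in the message."""
    msg = message_from_string(raw)
    results = dkim_results(msg, trusted_authserv)
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        t = parse_tags(sig)
        domain = t["d"].lower()
        report.append({"domain": domain, "selector": t["s"],
                       "dns_name": f'{t["s"]}._domainkey.{domain}',
                       "result": results.get(domain, "none")})
    return report
```

Pass the authserv-id of your own receiving server as `trusted_authserv`; a result of `none` means no trusted header covered that signing domain.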