
What Is DKIM? How Email Signing Works

So, what is DKIM? It stands for DomainKeys Identified Mail, and it is one of the three core email authentication protocols that protect your domain from abuse. Think of it as a tamper-evident seal on every email you send.

When you mail a physical letter, anyone who handles it along the way could open it, change the contents, and reseal the envelope. Email works the same way — messages pass through multiple servers before they arrive. Without a DKIM signature, there is no way to prove the message was not altered in transit.

DKIM solves that problem. It attaches a hidden digital signature to each outgoing email so the receiving server can verify two things: the message really came from your domain, and nothing was changed after it left your mail server.

How a DKIM Signature Works

Every DKIM setup uses a pair of cryptographic keys — one private and one public. Your mail server holds the private key, and your public key is published as a DKIM record in your domain's DNS (the system that translates domain names into addresses).

When you send an email, your mail server uses the private key to generate a unique DKIM signature based on the message content. That signature is added to the email header — a behind-the-scenes section the recipient never sees.

What Happens on the Receiving End

The recipient's mail server looks up your public DKIM record in DNS. It then uses that key to check the signature against the email content.

If the signature matches, the email passes the DKIM check. If anything was changed — even a single character — the check fails, and the receiving server treats the message as suspicious.
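The body-hash half of that check, as an added example that is not code from the original page. It assumes the signature header declares c=relaxed/relaxed and a=rsa-sha256; the message, the header value and the b= placeholder are constructed, and the public-key check of b= over the signed headers (which cover bh=) is not shown because it needs an RSA or Ed25519 library. Under relaxed canonicalization, whitespace-only differences at line ends do not change the hash, while any change to the visible content does.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    out = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse whitespace runs
        out.append(line.rstrip(b" "))           # ignore whitespace at line end
    while out and out[-1] == b"":               # ignore empty lines at end of body
        out.pop()
    return b"".join(line + b"\r\n" for line in out)

def body_hash(body: bytes) -> str:
    """Value a signer using a=rsa-sha256 puts in the bh= tag."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def body_intact(dkim_signature: str, received_body: bytes) -> bool:
    """Receiver side: recompute the hash and compare it with the claimed bh=."""
    m = re.search(r"(?:^|;)\s*bh\s*=([^;]*)", dkim_signature)
    claimed = "".join(m.group(1).split()) if m else None
    return claimed == body_hash(received_body)

# Constructed sample message and header value (not from a real mail flow).
ORIGINAL = b"Hi Sam,\r\nInvoice: https://example.com/pay/123\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google; "
             f"h=from:to:subject; bh={body_hash(ORIGINAL)}; b=PLACEHOLDER")

if __name__ == "__main__":
    reflowed = b"Hi Sam,   \r\nInvoice:  https://example.com/pay/123\r\n\r\n"
    tampered = ORIGINAL.replace(b"example.com", b"example.net")
    for name, body in [("original", ORIGINAL), ("reflowed", reflowed), ("tampered", tampered)]:
        print(name, "pass" if body_intact(SIGNATURE, body) else "fail")
```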

What Is a DKIM Record?

A DKIM record is a DNS TXT entry that publishes your public key so receiving servers can find it. It lives at a specific address inside your domain's DNS zone, formatted like this: selector._domainkey.yourdomain.com.

The record contains the public key itself along with a few parameters that tell the receiving server which cryptographic algorithm to use. You do not need to understand the technical details; your email provider usually generates this record for you.

DKIM Selectors Explained

You might have noticed the word "selector" in that DNS address. A selector is simply a label that identifies which key to use. It lets you have multiple DKIM records on the same domain — one for each email service you use.

For example, if you send marketing emails through Mailchimp and internal emails through Google Workspace, each service gets its own selector and its own key pair. Google might use a selector called "google", while Mailchimp might use "k1".

This means you can add or remove email services without disrupting the others. Each service manages its own DKIM signature independently.

What Happens Without DKIM

Without a DKIM signature, your emails have no proof of integrity. Any server that handles your message along the way could modify the content — injecting links, changing text, or adding attachments — and the recipient would have no way to detect it.

Receiving mail servers are increasingly suspicious of unsigned emails. Messages without DKIM are more likely to land in spam folders or be rejected outright, especially by providers like Google and Microsoft.

  • Emails can be silently altered in transit without detection
  • Spam filters score unsigned messages lower, reducing deliverability
  • Your domain looks less trustworthy to receiving servers
  • Phishing attacks that spoof your domain become harder to detect

DKIM, SPF, and DMARC: How They Work Together

DKIM is one of three email authentication protocols. Each one does a different job, and they are designed to work as a set.

SPF (Sender Policy Framework) checks whether the sending server is authorized to send on behalf of your domain. You can learn more in our guide to SPF.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together. It tells receiving servers what to do when a message fails authentication — accept it, quarantine it, or reject it. Our DMARC explainer covers this in detail.

On its own, DKIM proves the message was not tampered with. Combined with SPF and DMARC, it gives receiving servers a complete picture: the sender is authorized, the message is intact, and there is a clear policy for handling failures.

DKIM Setup: What Business Owners Need to Know

Setting up DKIM involves generating a key pair, publishing the public key as a DKIM record in your DNS, and configuring your email service to sign outgoing messages with the private key.

Most email providers — Google Workspace, Microsoft 365, Mailchimp, and others — handle the key generation and signing for you. Your job is to add the DNS record they give you to your domain's DNS settings.

The tricky part is that every email service you use needs its own DKIM record. If you send emails from your CRM, your helpdesk, your marketing platform, and your main inbox, each one needs to be configured separately. Miss one, and those emails go out unsigned.

  • Check every service that sends email on behalf of your domain
  • Add the DKIM record each provider gives you to your DNS
  • Test your setup using the scanner above to confirm records are live
  • Review your configuration whenever you add or change email services
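The per-service check in the list above, combined with the record and selector format described earlier, as an added example (not code from the original page or from any scanner it mentions). The service inventory, the "hd1" and "crm" selectors, the DNS answers and the key bytes are constructed; a live check would replace the `DNS_TXT` dictionary with real TXT lookups.

```python
import base64
import binascii

def dkim_name(selector, domain):  # DNS name where a selector's key is published
    return f"{selector}._domainkey.{domain}"

def audit_record(txt):
    """Findings for one DKIM TXT value; an empty list means it looks usable."""
    if txt is None:
        return ["no record found for this selector"]
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {k.strip(): "".join(v.split()) for k, v in pairs}
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected v= value")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append("unknown key type in k=")
    key = tags.get("p")
    if key is None:
        findings.append("p= tag missing")
    elif key == "":
        findings.append("p= is empty: key revoked")
    else:
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            findings.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: domain is testing DKIM")
    return findings

def audit_domain(domain, services, dns_txt):
    """Map each sending service to the findings for its selector."""
    return {svc: audit_record(dns_txt.get(dkim_name(sel, domain)))
            for svc, sel in services.items()}

# Constructed inventory and DNS answers; "hd1" and "crm" are hypothetical selectors
# and the p= value is placeholder bytes, not a real public key.
FAKE_KEY = base64.b64encode(b"constructed-public-key-bytes").decode("ascii")
SERVICES = {"Google Workspace": "google", "Mailchimp": "k1", "Helpdesk": "hd1", "CRM": "crm"}
DNS_TXT = {
    "google._domainkey.example.com": f"v=DKIM1; k=rsa; p={FAKE_KEY}",
    "k1._domainkey.example.com": f"v=DKIM1; k=rsa; t=y; p={FAKE_KEY}",
    "crm._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}

if __name__ == "__main__":
    for service, findings in audit_domain("example.com", SERVICES, DNS_TXT).items():
        print(f"{service}: {', '.join(findings) or 'ok'}")
```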


Frequently Asked Questions

What is DKIM in simple terms?

DKIM is a way of signing your outgoing emails with a digital seal. The receiving mail server checks that seal to confirm the message really came from your domain and was not changed in transit. It works using a pair of cryptographic keys — one private, one public.

Do I need DKIM if I already have SPF?

Yes. SPF and DKIM do different jobs. SPF verifies the sending server is allowed to send for your domain. DKIM verifies the message content was not altered after sending. You need both protocols working together, along with a DMARC policy, for proper email authentication, the strongest spoofing protection, and the best inbox deliverability.

How do I know if my DKIM record is set up correctly?

Enter your domain in the scanner above. It will check your DNS for published DKIM records across common selectors and tell you whether your signatures are valid. If no records are found, your emails are going out unsigned and may land in spam folders.

Can I have multiple DKIM records on one domain?

Yes, and most businesses should have multiple DKIM records. Each email service you use — your inbox provider, marketing tool, CRM, helpdesk — gets its own DKIM selector and key pair. Multiple records let each service sign outgoing emails independently without interfering with the others or causing authentication failures.

What happens if a DKIM check fails?

A failed DKIM check means the email was either altered in transit or the DKIM signature does not match the published public key. The receiving server may flag the message as suspicious, send it to spam, or reject it entirely. The exact outcome depends on the domain's DMARC policy and the receiving server's own filtering rules.

Understanding DKIM is the first step to protecting your domain from email tampering and impersonation. A properly configured DKIM signature tells the world that your emails are genuine and untouched.

But DKIM is just one piece of the puzzle. Combined with SPF and DMARC, it forms a complete email authentication framework that keeps your business emails out of spam folders and your domain off blocklists. You can further strengthen your email security with MTA-STS for encryption in transit and BIMI to display your brand logo in inboxes.

Not sure if your DKIM records are set up correctly? Scan your domain for free with readyDMARC to get an instant report. And if you would rather have experts handle the entire setup and monitoring for you, explore our managed services or book a call with our team.
