What Is DKIM?

Acutis · plain-English network help · updated June 2026

What is DKIM, in plain English?

DKIM stands for DomainKeys Identified Mail. The simplest way to think about it: DKIM is a tamper-proof wax seal on every email you send. When your mail server sends a message, it adds an invisible cryptographic signature. The receiving server can check that signature against a key you publish in DNS and confirm two things at once — the message really came from your domain, and nobody altered it in transit. If either check fails, the seal is broken and the mail is treated with suspicion.

Where SPF asks "did this come from an authorized server?", DKIM asks a stronger question: "can you mathematically prove this message is genuine and unchanged?" That proof is what makes DKIM so valuable for staying out of the spam folder.

How cryptographic signing works

DKIM relies on a matched pair of keys — a private one you keep secret and a public one you publish for anyone to read. The process runs in two halves:

1. Signing, on the way out. Your sending server takes key parts of the message (the headers and body), runs them through a maths formula, and signs the result with its private key. That signature is stamped into a hidden header called DKIM-Signature.
2. Verifying, on the way in. The receiving server reads the signature, fetches your public key from DNS, and checks whether the two match. If they do, the message is proven authentic and untouched. If a single character was changed in transit, the maths won't line up and verification fails.

The clever part is that the public key can verify a signature but can never create one. So publishing it for the world to see is perfectly safe — only the holder of the private key (your mail server) can sign as you.

Selectors and the _domainkey record

You might send mail through more than one service — your main provider, a newsletter tool, a help desk — and each needs its own key. DKIM handles this with selectors. A selector is just a short label that names a specific key, so a single domain can hold several keys at once without them colliding.

The public key lives in a TXT record at a predictable address: the selector, then ._domainkey., then your domain. For example, if your selector is google and your domain is example.com, the receiving server looks up:

google._domainkey.example.com

That record contains the public key itself, written as a long string beginning something like v=DKIM1; k=rsa; p=MIGfMA0.... When a message arrives, its DKIM signature names which selector to use, the receiver builds that exact DNS address, fetches the key, and verifies. Your email provider usually generates the key and gives you the exact records to publish.

What a DKIM failure means

When a receiving server reports that DKIM failed, it is saying "I could not prove this message is genuine." There are a handful of usual causes, and most are fixable:

• The message was modified in transit. Some mailing lists and forwarders rewrite subject lines or add footers, which breaks the original signature. This is one of the most common, and most innocent, reasons for a failure.
• The key is missing or wrong in DNS. If the _domainkey record was never published, was mistyped, or the selector doesn't match, the receiver can't find a key to check against.
• The signature itself is malformed. A misconfigured sending service can produce an invalid signature that no key will verify.
• It really is a forgery. Sometimes the failure is correct: someone is sending mail as your domain without your private key, and DKIM has caught them.

A single DKIM failure does not always send a message to spam on its own — but combined with a missing SPF or a weak reputation, it tips the balance, and consistent failures will steadily erode your sender standing.

DKIM works best with SPF and DMARC

DKIM proves a message is authentic and unaltered, but on its own it does not tell receivers what to do when the check fails. That decision belongs to DMARC, which reads the results of both SPF and DKIM and enforces a policy. Together the three records form the modern standard for trusted email: SPF lists your senders, DKIM seals each message, and DMARC ties them together and reports back. Get all three right and your mail earns its place in the inbox.