DKIM (DomainKeys Identified Mail) is an email authentication standard that uses public-key cryptography to sign outgoing email messages. The signature allows recipient mail servers to verify that the email genuinely came from your domain and that its content was not altered during transit.

How DKIM Works

  1. Your mail server signs each outgoing email with a private key, creating a digital signature embedded in the email header (DKIM-Signature:).
  2. You publish the corresponding public key in a DNS TXT record at a special subdomain (e.g., selector._domainkey.yourdomain.com).
  3. The recipient's mail server retrieves your public key via DNS and uses it to verify the signature.
  4. If the signature matches, DKIM passes. If the email was modified in transit, the signature will not match and DKIM fails.
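As an added example (not code from the original page), the Python below walks through the verifier's side of steps 2 to 4 for the body hash only: it parses a constructed DKIM-Signature header, derives the step 2 DNS name, sanity-checks a published TXT record, and recomputes the bh= tag so that any body edit made after signing is caught. The RSA check of the b= tag is left out, so no key material is involved; the domain example.com, selector sel2024, and message text are all constructed.

```python
import base64
import hashlib

# Constructed sample message body (no real sender or domain involved).
SAMPLE_BODY = "Hi Sam,\nInvoice total: $100\nThanks\n\n\n"

def parse_tags(value):
    """Parse a DKIM tag=value list (header or TXT record); folding whitespace in values is dropped."""
    tags = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            tags[name.strip()] = "".join(val.split())
    return tags

def dns_query_name(sig_tags):
    """Where the verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"

def record_problems(txt_record):
    """Sanity-check a published DKIM TXT record; an empty p= tag means the key is revoked."""
    rec = parse_tags(txt_record)
    problems = []
    if rec.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected version tag")
    if not rec.get("p"):
        problems.append("empty p= tag: key has been revoked")
    return problems

def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: CRLF endings, trailing empty lines removed."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"

def body_hash(body, algorithm="rsa-sha256"):
    """The bh= value: base64 of the hash named by a= over the canonical body."""
    digest = hashlib.new(algorithm.split("-")[1], canonicalize_body_simple(body).encode())
    return base64.b64encode(digest.digest()).decode()

def body_hash_matches(dkim_signature, body):
    """Body half of step 4: recompute bh= and compare; any body edit after signing fails."""
    sig = parse_tags(dkim_signature)
    return sig.get("bh") == body_hash(body, sig.get("a", "rsa-sha256"))

# Constructed DKIM-Signature for SAMPLE_BODY; b= is a placeholder since no private key is used here.
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel2024; "
                    "h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER")
```

A full verifier would additionally fetch the record at `dns_query_name(...)`, decode its p= key, and check the b= signature over the canonicalized headers listed in h=.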

DKIM vs SPF

| Feature | SPF | DKIM |
| --- | --- | --- |
| What it verifies | Sending server IP is authorized | Message was signed by domain owner |
| Survives forwarding | No (IP changes on forward) | Yes (signature travels with message) |
| Detects tampering | No | Yes (any modification breaks signature) |
| DNS record type | TXT at root | TXT at selector._domainkey subdomain |

How to Set Up DKIM

Most email service providers (Google Workspace, Microsoft 365, SendGrid, Mailchimp) generate a DKIM key pair for you. They provide the public key as a TXT record to add to your DNS. After adding it, enable DKIM signing in the email provider's settings.

People Also Ask

What is the difference between SPF and DKIM?
SPF verifies that the sending IP is allowed to send for your domain. DKIM verifies that the message content was signed by the domain owner and has not been altered.
Is DKIM still used?
Yes. DKIM is required by Google and Yahoo for bulk senders as of 2024, and it is considered essential for email deliverability.
