DKIM

DKIM stands for DomainKeys Identified Mail. DKIM is an email-authentication standard that uses cryptographic signatures to verify that a message was actually sent by the claimed domain and hasn’t been altered in transit. The sending server signs outgoing emails with a private key; the receiving server verifies the signature using the public key published in the sender’s DNS. DKIM is one of the three core email-authentication standards alongside SPF and DMARC.

How DKIM works

Five-step process:

1. Domain owner generates a cryptographic key pair. Private key stored on the sending server; public key published in DNS.

2. Sending server signs outgoing emails. A cryptographic signature is attached as a DKIM-Signature header.

3. Email arrives at the recipient’s mail server.

4. Receiving server looks up the public key in DNS. The DKIM-Signature header tells it where to look.

5. Signature verified. If the signature is valid and the email hasn’t been tampered with, DKIM passes.

DKIM vs SPF

Three key differences:

DKIM verifies content integrity. SPF only verifies that the sending server is authorised for the domain; DKIM verifies that the email itself hasn’t been altered.

DKIM survives forwarding. Unlike SPF, DKIM signatures remain valid after legitimate forwarding (in most cases).

DKIM authenticates the signing domain. The DKIM-Signature header identifies which domain signed the email. This can be used for DMARC alignment.

Most modern email programmes use both SPF and DKIM. They’re complementary, not redundant.

DKIM setup process

Four typical steps:

1. Generate key pair. Usually done in the ESP or email platform’s interface. 2048-bit RSA keys are current best practice.

2. Publish public key in DNS. TXT record at a specific subdomain (selector._domainkey.yourdomain.com). The selector distinguishes multiple keys.

3. Configure sending server to sign. Usually automatic once the ESP knows which key to use.

4. Verify operation. Send a test email; check headers for valid DKIM signature; confirm authentication passes.

Common DKIM issues

Five troubleshooting patterns:

Wrong DNS record location. DKIM records go at selector._domainkey.domain.com, not at the root. Common misconfiguration.

Key mismatch. Private key on server doesn’t match public key in DNS. Usually a publishing error.

Body modification by intermediaries. Mailing lists or forwarding services sometimes modify body content, breaking signatures.

Multiple selectors. Sites with multiple email platforms need separate selectors for each. Misconfigured selectors cause DKIM to fail selectively.

Key rotation issues. DKIM keys should be rotated periodically. Mismanaged rotation can cause failures.

DKIM signature details

Three important components of a DKIM-Signature header:

d= (signing domain). The domain that signed the email. Used for DMARC alignment.

s= (selector). Which key to use. Allows multiple DKIM keys per domain.

h= (signed headers). Which headers were included in the signature. Headers not in this list can be modified without breaking the signature.

DKIM and DMARC alignment

Key concept for DMARC:

DMARC requires DKIM alignment. For DMARC to pass via DKIM, the DKIM signing domain (d=) must align with the From header’s domain.

Strict vs relaxed alignment. DMARC can require exact domain match (strict) or allow subdomain relationships (relaxed). Relaxed is more common.

Multiple DKIM signatures possible. Emails can carry multiple DKIM signatures; any valid, aligned signature can satisfy DMARC.
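As an added example (not code from the original page), the following Python works through the signature details and alignment rules above: it parses the tag list of a constructed DKIM-Signature header value, derives the DNS name the verifier queries for the public key, lists the headers protected by h=, and checks strict versus relaxed DMARC alignment of d= against the From header’s domain. The header value and addresses are constructed, and the org_domain helper is a deliberate simplification that takes the last two labels rather than consulting the Public Suffix List.

```python
import re
from email.utils import parseaddr

# Constructed sample header value (not a real signature), folded as seen in raw mail.
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
    " h=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    " b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list).
    Folding whitespace inside values (common in b= and h=) is discarded."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # a trailing ';' is permitted
        name, sep, val = item.partition("=")  # first '=' only: b= ends in '=' padding
        if not sep:
            raise ValueError(f"malformed DKIM tag: {item!r}")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_key_dns_name(tags):
    """TXT record the verifier queries for the public key: selector._domainkey.domain."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def signed_headers(tags):
    """Header names covered by h=; any other header can change without breaking b=."""
    return {h.lower() for h in tags["h"].split(":") if h}

def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(signing_domain, from_domain, mode="r"):
    """DMARC alignment of d= with the From domain: 's' = exact match, 'r' = same org domain."""
    sd, fd = signing_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return sd == fd if mode == "s" else org_domain(sd) == org_domain(fd)

def dmarc_dkim_alignment(dkim_value, from_header, mode="r"):
    """Would this signature's d= satisfy DMARC identifier alignment for this From header?"""
    tags = parse_dkim_tags(dkim_value)
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    return dkim_aligned(tags["d"], from_domain, mode)
```

Note that this checks only alignment, not the signature itself: a verifier must still fetch the key at the derived DNS name and validate b= over the canonicalised headers and body before the result counts as a DKIM pass.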

DKIM key length recommendations

Three current standards:

1024-bit keys. Minimum; still widely used but increasingly weak against modern cryptanalysis.

2048-bit keys. Current recommended standard. Secure against foreseeable attacks.

4096-bit keys. More security than most uses need. Some DNS systems have record-size limits that make these difficult to publish.

DNS TXT record size limits mean 4096-bit keys can be problematic. 2048-bit is the practical best.

DKIM in ESPs

Three typical ESP DKIM patterns:

ESP-managed DKIM. The ESP signs with its own domain. Valid DKIM passes but doesn’t align with your sending domain. Doesn’t satisfy strict DMARC.

Your-domain DKIM via ESP. The ESP signs with a key associated with your domain. Aligns with From header; satisfies DMARC. Modern ESPs make this the default.

Mixed. Both signatures present. ESP-managed for backup; your-domain for DMARC alignment.

DKIM verification tools

Four tools:

Mail clients with full headers. Gmail’s ‘Show Original’ reveals DKIM signature status.

Online DKIM validators. mxtoolbox.com/dkim.aspx and similar.

DMARC reports. Aggregate DMARC reports show DKIM pass rates in production.

ESP-specific tools. Most major ESPs provide DKIM-verification interfaces.

DKIM in the 2024+ sender rules

Gmail and Yahoo now require DKIM for bulk senders. Non-DKIM sending at volume produces delivery failures. DKIM is no longer optional for any serious email programme.
