What Is DKIM and How Does It Work?

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that a message was authorised by a domain and has not been altered in transit.

When an email is sent, the sending system signs parts of the message using a private key. The receiving system retrieves the corresponding public key from DNS to validate the signature.

DKIM is a core component of modern email authentication and is widely used alongside SPF and DMARC.

• DKIM Checker
• SPF explained
• DMARC explained

DKIM works by adding a digital signature to outgoing email headers.

• The sending server signs the message using a private key
• The email includes a DKIM-Signature header with metadata such as the domain and selector
• The receiving server extracts the selector and queries DNS for the public key
• The signature is validated against the message content

If validation succeeds, the message is considered authentic and unmodified for the signed portions.

DKIM public keys are published as TXT records under a selector-based hostname.

selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."

The selector is included in the email header and tells the receiving system which DNS record to query.

• Selector: identifies which DKIM key to retrieve
• _domainkey: fixed namespace used for DKIM records
• v=DKIM1: version identifier
• k=rsa: key type (commonly RSA)
• p=: the public key used to verify signatures

• What is a TXT record?

Selectors allow multiple DKIM keys to exist for the same domain.

This is useful for key rotation, supporting multiple sending platforms, and separating different mail streams.

For example, one selector may be used by Microsoft 365 while another is used by a third-party marketing platform.

DKIM plays a critical role in DMARC by providing domain alignment.

For DMARC to pass via DKIM, the domain in the DKIM signature must align with the domain in the message headers.

This makes DKIM not just a signing mechanism, but a key part of domain-based trust decisions.

DKIM helps ensure message integrity and authenticity, which are critical for preventing spoofing and tampering.

It also contributes to sender reputation and improves deliverability when properly configured.

• Using the wrong selector when checking DNS
• Publishing an incorrect or incomplete public key
• Signing with a selector that is not published in DNS
• Key rotation not reflected in DNS
• Assuming DKIM alone prevents spoofing without DMARC

• How to check DKIM selectors
• How to check a DKIM record
• How to fix DKIM failures
• What is BIMI?

If you want to validate this topic in practice, these DNS Pro tools are the fastest next step.

• DKIM Checker
• DKIM Selector Finder
• Email Security Check
• How to Check a DKIM Record
• How to Fix DKIM Failures