Email Authentication

DKIM — DomainKeys Identified Mail

Cryptographic signature on emails verifying they were genuinely sent from the domain.


What is DKIM

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to the emails you send. The receiving server retrieves your public key from DNS, verifies the signature, and confirms that (a) the email genuinely originates from the server that signed on behalf of your domain and (b) it was not altered in transit.

Unlike SPF, which checks IP addresses, DKIM verifies the actual content of the message.

How it works

  1. You generate a key pair (public/private) on your mail server.
  2. You publish the public key as a TXT record in DNS, at the address {selector}._domainkey.{domain}.
  3. When you send an email, the server signs it with the private key and adds the signature in a DKIM-Signature header.
  4. The receiver fetches the public key from DNS and verifies the signature.

Example DKIM record

selector1._domainkey.example.com.  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUA..."

Fields:

  • v=DKIM1 — protocol version
  • k=rsa — algorithm (RSA; Ed25519 is rare)
  • p=... — Base64-encoded public key
  • selector1 — name of this particular key slot (you can have multiple selectors for rotation)

Selector rotation

Most providers (Google, Mailgun, SendGrid) use different selectors (google, mailgun, s1, s2...) and rotate them periodically for security. When switching providers, do not delete old selectors immediately — leave them in place until traffic through them has stopped.

Common mistakes

  • Wrong key size: 1024-bit is now considered weak. Use 2048.
  • TXT value longer than 255 characters: split it into multiple strings.
  • Missing p= or empty value — means "this key has been revoked".
  • DKIM only, without DMARC — receivers don't know what to do with failures.
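A small checker for the mistakes above, added here as an example (it is not code from the original page): it joins a TXT record that was split into several strings, parses the tags, treats an empty p= as revoked and a missing p= as invalid, and reads the RSA modulus size out of the p= payload with a minimal DER walker. The sample records and the keys inside them are constructed placeholders with a fake modulus, not real keys.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def _der(tag, body):  # minimal DER TLV encoder, only used to build the constructed sample keys
    n = len(body)
    w = 0 if n < 128 else (n.bit_length() + 7) // 8
    return bytes([tag, n if not w else 0x80 | w]) + (n.to_bytes(w, "big") if w else b"") + body

def _der_read(buf, pos=0):  # read one DER TLV at pos -> (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        w = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + w], "big"), pos + w
    return tag, buf[pos:pos + n], pos + n

def rsa_modulus_bits(spki):  # modulus size of the RSA key in a DER SubjectPublicKeyInfo (the p= payload)
    _, outer, _ = _der_read(spki)                         # SubjectPublicKeyInfo SEQUENCE
    _, bitstr, _ = _der_read(outer, _der_read(outer)[2])  # skip AlgorithmIdentifier, read BIT STRING
    _, rsakey, _ = _der_read(bitstr[1:])                  # drop the unused-bits byte, read RSAPublicKey
    _, modulus, _ = _der_read(rsakey)                     # INTEGER n comes first
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt_strings, min_bits=2048):
    """Join the TXT strings (records over 255 chars are split), parse the tags, return findings."""
    tags = {}
    for part in "".join(txt_strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # whitespace inside tag values is ignored
    if "p" not in tags:
        return ["p= tag missing: record is invalid"]
    if tags["p"] == "":
        return ["empty p=: key is revoked"]
    findings = []
    if tags.get("k", "rsa") == "rsa":  # k= defaults to rsa when absent
        bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
        if bits < min_bits:
            findings.append(f"rsa key is {bits} bits; use at least {min_bits}")
    return findings

def _fake_rsa_spki(bits):  # constructed SPKI with a placeholder modulus of the given size; NOT a real key
    n = (1 << (bits - 1)) | 1
    key = _der(0x30, _der(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + _der(0x02, b"\x01\x00\x01"))
    return _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + key))

# Constructed sample records; the 2048-bit one exceeds 255 chars, so it is published as two strings.
P2048 = base64.b64encode(_fake_rsa_spki(2048)).decode()
SAMPLE_OK = ["v=DKIM1; k=rsa; p=" + P2048[:237], P2048[237:]]
SAMPLE_WEAK = ["v=DKIM1; k=rsa; p=" + base64.b64encode(_fake_rsa_spki(1024)).decode()]
SAMPLE_REVOKED = ["v=DKIM1; k=rsa; p="]
```

Calling check_dkim_record on the strings returned by a DNS TXT lookup of {selector}._domainkey.{domain} gives the same findings for a live record.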
