Glossary
What Is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that attaches a cryptographic signature to each message. The signature lets a receiving server verify, using a public key in your domain's DNS, that the message genuinely came from your domain and was not tampered with in transit.
DKIM solves a problem SPF cannot: proving a message was not altered in transit and tying it to your domain by cryptography rather than by sending IP address. SPF checks where a message came from; DKIM checks that the signed content and the signing domain are genuine - and because the proof travels inside the message, it survives forwarding.
It works with a public-private key pair. Your mail server holds a private key and uses it to sign selected headers (typically From, Subject, Date) and the body of each outgoing message, adding the result as a DKIM-Signature header. The matching public key is published as a DNS TXT record at a selector you choose, at the name selector._domainkey.yourdomain.com. When the message arrives, the receiving server reads the selector and domain from the signature header, fetches the public key from DNS, recomputes the body hash and checks the signature over the signed headers. If both match, the signature is valid, which proves the signing domain is authentic and nothing covered by the signature changed in transit.
DKIM matters for the same reasons SPF does, plus two of its own. It is forwarding-resistant: mail relayed through forwarders or mailing lists still authenticates, provided the relay does not modify the signed headers or body. And it is the stronger of the two checks DMARC can rely on for alignment, so a well-configured DKIM setup is usually the most robust path to a passing DMARC result. Mailbox providers weigh a valid DKIM signature as a strong positive trust signal.
Common mistakes: using a key that is too short (use a 2048-bit key where your provider supports it, not 1024-bit), publishing the public key with copy-paste errors or line-wrap artifacts so it will not parse, and forgetting to enable DKIM on every sending service - your ESP, support desk, and outreach tool each need their own selector and key. Also rotate keys periodically and remove retired selectors. As with SPF, DKIM alone is not the finish line; pair it with SPF and a DMARC policy for full coverage.
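The following is an added example, not part of this glossary entry and not any provider's code. It sketches, with only the Python standard library, the pieces described above: building the selector record name, parsing the tag=value syntax shared by the DKIM-Signature header and the TXT record, applying body canonicalization and computing the bh= body hash a verifier compares first, and checking a published key record for the mistakes listed (a paste that will not parse, a missing or revoked key, a key shorter than 2048 bits). Verifying the b= signature itself is left out because it needs an RSA library. The sample record is built around a synthetic modulus so the checker can run offline; it is not a real key.

```python
"""DKIM helpers (RFC 6376 subset), standard library only: selector DNS name, tag-list
parsing, body canonicalization and the bh= hash, and a sanity check of a _domainkey record."""
import base64
import binascii
import hashlib
import re

def dkim_dns_name(selector, domain):
    """Name of the TXT record a verifier queries: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"

def parse_tags(tag_list):
    """Parse an RFC 6376 tag-list ('v=1; a=rsa-sha256; ...') into a dict; folding
    whitespace inside a value (a wrapped b= or p=) is dropped, as verifiers do."""
    tags = {}
    for field in tag_list.split(";"):
        if not field.strip():
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag: {field.strip()!r}")
        name, value = field.split("=", 1)
        tags[name.strip()] = "".join(value.split())
    return tags

def canonicalize_body(body, canon="simple"):
    """Body canonicalization as a verifier applies it before hashing (body half of c=)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")      # bare LF -> CRLF
    if canon == "relaxed":      # collapse runs of WSP and strip trailing WSP on every line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    while body.endswith(b"\r\n"):                                   # drop trailing empty lines
        body = body[:-2]
    if body or canon == "simple":       # simple: an empty body hashes as a lone CRLF
        body += b"\r\n"
    return body

def body_hash(body, canon="simple"):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, canon)).digest()).decode()

def verify_body_hash(message, dkim_signature):
    """First verification step: does the bh= tag match the body of this RFC 5322 message?"""
    tags = parse_tags(dkim_signature)
    c = tags.get("c", "simple/simple").split("/")     # c=header/body; body half defaults to simple
    blank = re.search(rb"\r?\n\r?\n", message)        # first empty line ends the header block
    body = message[blank.end():] if blank else b""
    return tags.get("bh") == body_hash(body, c[1] if len(c) > 1 else "simple")

def _der_walk(buf, expect, pos=0):
    """Decode one DER TLV at pos -> (content, position after it), checking the tag byte."""
    tag, n = buf[pos], buf[pos + 1]
    if tag != expect:
        raise ValueError(f"unexpected DER tag 0x{tag:02x}")
    pos += 2
    if n & 0x80:                                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def rsa_modulus_bits(spki_der):
    """RSA modulus size in bits from a decoded p= value (DER SubjectPublicKeyInfo)."""
    spki, _ = _der_walk(spki_der, 0x30)                # SEQUENCE { algorithm, subjectPublicKey }
    _, pos = _der_walk(spki, 0x30)                     # skip AlgorithmIdentifier
    bitstr, _ = _der_walk(spki, 0x03, pos)             # BIT STRING; first byte = unused-bit count
    rsa_key, _ = _der_walk(bitstr[1:], 0x30)           # RSAPublicKey ::= SEQUENCE { n, e }
    modulus, _ = _der_walk(rsa_key, 0x02)
    return int.from_bytes(modulus, "big").bit_length()

def check_key_record(txt):
    """Problems with a published _domainkey TXT record; an empty list means it looks fine."""
    try:
        tags = parse_tags(txt)
    except ValueError as exc:
        return [f"record does not parse: {exc}"]
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return ["v= must be DKIM1 and k= must be rsa for this checker"]
    p = tags.get("p")
    if not p:
        return ["missing p= tag" if p is None else "empty p= means the key is revoked"]
    problems = ["quote characters inside p= (TXT string splits pasted into the value?)"] if '"' in p else []
    try:
        bits = rsa_modulus_bits(base64.b64decode(p.replace('"', ""), validate=True))
    except (binascii.Error, ValueError, IndexError):
        return problems + ["p= is not a valid base64 RSA public key"]
    if bits < 2048:
        problems.append(f"{bits}-bit RSA key is too short; use 2048 bits")
    return problems

# DER headers (outer SEQ, rsaEncryption AlgorithmIdentifier, BIT STRING, RSAPublicKey SEQ,
# modulus INTEGER) for two key sizes; the modulus bytes and e=65537 follow them.
_SPKI_PREFIX = {1024: "30819f300d06092a864886f70d010101050003818d0030818902818100",
                2048: "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"}

def constructed_key_record(bits):
    """TXT record around the SYNTHETIC modulus 2^(bits-1)+1: not a real key, never publish it;
    it exists only so the checker above can be exercised offline."""
    modulus = b"\x80" + b"\x00" * (bits // 8 - 2) + b"\x01"
    spki = bytes.fromhex(_SPKI_PREFIX[bits]) + modulus + bytes.fromhex("0203010001")
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

A verifier runs body_hash before it touches the public key at all, which is why a forwarder that appends a footer fails DKIM at this step, and why check_key_record is worth running against the record as actually published (copy it back out of DNS, not out of your notes) after every key rotation.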
Key points
- DKIM signs each email with a private key; receivers verify it with a public key in DNS.
- It proves the message was not altered and genuinely came from your domain.
- Unlike SPF, the signature survives forwarding and mailing lists, provided they leave the signed content untouched.
- The public key lives at a selector record: selector._domainkey.yourdomain.com.
- It is usually the most reliable check for passing DMARC alignment.