What is DKIM? Email Authentication Explained
Learn what DKIM (DomainKeys Identified Mail) is, how it works to authenticate emails, and why it's essential for email deliverability and security.
Last updated: 2026-02-04
DKIM (DomainKeys Identified Mail) is an email authentication method that lets receiving mail servers verify that an email was actually sent by the domain it claims to be from and hasn't been tampered with in transit.
When you send an email, DKIM adds a digital signature to the message header. The receiving server can then check this signature against a public key published in your domain's DNS records to verify the email is legitimate.
Why DKIM Matters
Without email authentication, anyone can forge the "From" address on an email and pretend to be your domain. This is called email spoofing, and it's used for:
- Phishing attacks targeting your customers
- Business email compromise scams
- Spam campaigns that damage your domain reputation
DKIM helps prevent this by providing cryptographic proof that an email genuinely came from your domain.
DKIM is one of three major email authentication protocols. The others are SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance). For best protection, you should implement all three.
How DKIM Works
DKIM uses public-key cryptography to sign emails. Here's the process:
Generate a key pair
You create a public/private key pair. The private key stays on your mail server. The public key goes in your DNS records.
Sign outgoing emails
When your mail server sends an email, it uses the private key to create a digital signature of the message content and adds it to the email header.
Publish the public key
You add a TXT record to your domain's DNS containing the public key. The record is placed at selector._domainkey.yourdomain.com.
Receiving server verifies
The receiving mail server extracts the signature from the email header, fetches your public key from DNS, and verifies the signature matches. If it does, the email passes DKIM.
What's in a DKIM Record?
A DKIM DNS record is a TXT record with several components:
`v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA...`
| Tag | Meaning | Example |
|---|---|---|
| `v` | Version | `DKIM1` |
| `k` | Key type | `rsa` (most common) |
| `p` | Public key | Base64-encoded key |
| `t` | Flags (optional) | `y` for testing mode |
DKIM Selectors
The "selector" is a name that identifies which DKIM key to use. It's part of the DNS record location: selector._domainkey.yourdomain.com.
Selectors let you:
- Use multiple keys for different mail servers or services
- Rotate keys without breaking email delivery
- Support third-party senders like email marketing platforms
Common selectors include google, selector1, k1, or custom names like mailchimp or sendgrid.
DKIM Key Sizes
DKIM keys come in different sizes:
| Size | Security | DNS Compatibility |
|---|---|---|
| 1024-bit | Minimum acceptable | Works with all DNS providers |
| 2048-bit | Recommended | Some DNS providers have TXT record length limits |
Choose 2048-bit when possible
2048-bit keys provide better security. Only use 1024-bit if your DNS provider has strict TXT record size limits.
DKIM vs SPF vs DMARC
These three protocols work together:
| Protocol | What it does |
|---|---|
| **SPF** | Lists which IP addresses can send email for your domain |
| **DKIM** | Cryptographically signs emails to prove they weren't altered |
| **DMARC** | Tells receivers what to do when SPF or DKIM fail, and sends you reports |
DKIM and SPF address different attack vectors. SPF validates the sending server; DKIM validates the message content. DMARC ties them together with a policy.
Common DKIM Issues
Signature verification fails
- Key mismatch between what's signed and what's in DNS
- Email was modified in transit (by a mailing list or forwarder)
- DNS propagation hasn't completed yet
No DKIM signature found
- Mail server not configured to sign emails
- Wrong selector configured
Key too short
- Using a 512-bit key (considered insecure)
- Should use at least 1024-bit, preferably 2048-bit
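An added example (not part of the original page or of any DKIM tool): a Python check that parses the tags of a DKIM TXT record, reads the RSA modulus size out of the `p=` value, and flags the short-key and testing-mode conditions described above. All function names are hypothetical, and the sample records are constructed with a placeholder modulus of the right size rather than a real key.

```python
import base64

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_key_bits(p_b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in the p= tag."""
    der = base64.b64decode(p_b64)
    seq, _ = _tlv(der, 0)                  # outer SEQUENCE
    _, alg_end = _tlv(der, seq)            # AlgorithmIdentifier (rsaEncryption)
    bitstr, _ = _tlv(der, alg_end)         # BIT STRING wrapping the key
    key, _ = _tlv(der, bitstr + 1)         # skip unused-bits byte, enter RSAPublicKey
    start, end = _tlv(der, key)            # INTEGER modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def audit_dkim_record(txt):
    """Return a list of findings for one DKIM TXT record value."""
    tags = {k.strip(): "".join(v.split())  # drop whitespace left by split TXT strings
            for k, v in (part.split("=", 1) for part in txt.split(";") if "=" in part)}
    findings = []
    if tags.get("v") != "DKIM1":
        findings.append("version is not DKIM1")
    if "y" in tags.get("t", "").split(":"):
        findings.append("testing mode flag (t=y) is set")
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return findings + ["no RSA public key to size-check"]
    bits = rsa_key_bits(tags["p"])
    if bits < 1024:
        findings.append(f"{bits}-bit key is too short")
    elif bits < 2048:
        findings.append(f"{bits}-bit key is minimum acceptable, 2048-bit recommended")
    return findings

def _der(tag, body):  # constructed-sample helper: DER-encode one TLV
    nb = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (nb if len(body) < 0x80 else bytes([0x80 | len(nb)]) + nb) + body

def constructed_record(bits, flags=""):
    """Constructed sample: placeholder modulus of the right size, not a real key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption AlgorithmIdentifier
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return f"v=DKIM1; k=rsa; {flags}p=" + base64.b64encode(spki).decode()
```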