
DKIM Explained

Understand DomainKeys Identified Mail, how to set up DKIM signing, and verify your configuration.

What Is DKIM?

DomainKeys Identified Mail (DKIM), defined in RFC 6376, is an email authentication method that allows the sender to attach a cryptographic signature to outgoing messages. This signature proves two things: that the email was authorised by the owner of the signing domain, and that the message content has not been modified after it was signed.

Unlike SPF, which validates the sending server's IP address, DKIM validates the message itself. This makes DKIM more resilient to email forwarding than SPF: a forwarded message keeps its original DKIM-Signature header and still verifies at the final recipient, provided the forwarder relays the signed headers and body unchanged. Forwarders that rewrite the subject or append a footer break the signature (see Common DKIM Issues).

How DKIM Signing Works

DKIM uses public-key cryptography. The process involves two parties: the sending mail server (which holds the private key) and the receiving mail server (which retrieves the public key from DNS).

Signing (Outbound)

  1. The sending server canonicalizes the message body and hashes it; this body hash becomes the bh= tag. It then hashes the selected headers together with the DKIM-Signature header itself (with the b= tag still empty).
  2. The header hash is signed with the domain's private key. This is a digital signature, not encryption: the message travels in the clear and anyone holding the public key can verify it.
  3. The signature is added to the email as a DKIM-Signature header.

Verification (Inbound)

  1. The receiving server reads the DKIM-Signature header and extracts the signing domain (d=) and selector (s=).
  2. It queries DNS for the TXT record at <selector>._domainkey.<signing domain> (for the header shown below, selector1._domainkey.yourcompany.com) to retrieve the public key.
  3. It recomputes the body hash and compares it with bh=, then recomputes the header hash and verifies the b= signature over it with the public key.
  4. If both checks succeed, DKIM passes. If either fails, the message was altered after signing or the signature was not made with the key published under that selector.
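The two procedures above, as an added example that is not part of the original guide: a minimal RSA-SHA256 signer and verifier in Go implementing the relaxed/relaxed canonicalization of RFC 6376. The message, key and selector are constructed for the example; the verifier is handed the public key directly instead of querying DNS, and a message with repeated header names is not handled the way the RFC requires (noted in the code). The round trip also shows that a whitespace-only change still verifies under relaxed canonicalization while an appended line does not.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

type Header struct{ Name, Value string } // one header field, in wire order

var wsp, bTag = regexp.MustCompile(`[ \t]+`), regexp.MustCompile(`(^|;\s*)b=[^;]*`) // WSP runs; the b= tag (never bh=)

// relaxedBody (RFC 6376 s3.4.4): trim trailing WSP, collapse WSP runs, drop trailing empty lines, one final CRLF.
func relaxedBody(body string) string {
	lines := strings.Split(body, "\r\n")
	for i, l := range lines {
		lines[i] = wsp.ReplaceAllString(strings.TrimRight(l, " \t"), " ")
	}
	if out := strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n"); out != "" {
		return out + "\r\n"
	}
	return "" // an empty body canonicalizes to the empty string
}

// relaxedHeader (s3.4.2): lowercase name, unfold, collapse WSP, no WSP around the colon.
func relaxedHeader(name, value string) string {
	v := wsp.ReplaceAllString(strings.ReplaceAll(value, "\r\n", ""), " ")
	return strings.ToLower(name) + ":" + strings.TrimSpace(v) + "\r\n"
}

// headerHash: the h= headers in order, then DKIM-Signature itself with b= blanked and no
// trailing CRLF (s3.7). Simplified: the first header of each name is used; the RFC takes the last.
func headerHash(hdrs []Header, signed []string, dkimValue string) []byte {
	h := sha256.New()
	for _, name := range signed {
		for _, hd := range hdrs {
			if strings.EqualFold(hd.Name, strings.TrimSpace(name)) {
				h.Write([]byte(relaxedHeader(hd.Name, hd.Value)))
				break
			}
		}
	}
	dk := relaxedHeader("DKIM-Signature", bTag.ReplaceAllString(dkimValue, "${1}b="))
	h.Write([]byte(strings.TrimSuffix(dk, "\r\n")))
	return h.Sum(nil)
}

// Sign builds the DKIM-Signature value: bh= over the body, b= (RSA PKCS#1 v1.5 with SHA-256) over the headers.
func Sign(priv *rsa.PrivateKey, domain, selector string, hdrs []Header, signed []string, body string) (string, error) {
	bh := sha256.Sum256([]byte(relaxedBody(body)))
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(hdrs, signed, value))
	if err != nil {
		return "", err
	}
	return value + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify replays the receiver's checks with the key it fetched from <s>._domainkey.<d>.
// It assumes a=rsa-sha256 and c=relaxed/relaxed as Sign emits; a real verifier dispatches on both tags.
func Verify(pub *rsa.PublicKey, dkimValue string, hdrs []Header, body string) error {
	t := map[string]string{}
	for _, part := range strings.Split(dkimValue, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			t[k] = strings.Join(strings.Fields(v), "") // FWS inside tag values is ignored
		}
	}
	bh := sha256.Sum256([]byte(relaxedBody(body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != t["bh"] {
		return fmt.Errorf("bh= mismatch: body modified after signing")
	}
	sig, _ := base64.StdEncoding.DecodeString(t["b"]) // a malformed b= yields garbage and fails below
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(hdrs, strings.Split(t["h"], ":"), dkimValue), sig) != nil {
		return fmt.Errorf("b= invalid: signed headers modified or wrong key")
	}
	return nil
}

// Constructed sample message (not real traffic). RoundTrip signs it, then verifies the original,
// a whitespace-only variant (relaxed canonicalization tolerates it) and a body with an added line.
var sampleHeaders = []Header{{"From", "Alice <alice@yourcompany.com>"}, {"To", "bob@example.net"},
	{"Subject", "Quarterly   report"}, {"Date", "Mon, 05 Jan 2026 10:00:00 +0000"}, {"Message-ID", "<c0ffee.1@yourcompany.com>"}}
const sampleBody = "Hello Bob,  \r\n\r\nPlease   review the attached figures.\r\n\r\n\r\n"

func RoundTrip() (dkim string, origErr, wsErr, tamperErr error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if crypto/rand does
	dkim, _ = Sign(priv, "yourcompany.com", "selector1", sampleHeaders, []string{"from", "to", "subject", "date", "message-id"}, sampleBody)
	origErr = Verify(&priv.PublicKey, dkim, sampleHeaders, sampleBody)
	wsErr = Verify(&priv.PublicKey, dkim, sampleHeaders, strings.ReplaceAll(sampleBody, "   ", " "))
	tamperErr = Verify(&priv.PublicKey, dkim, sampleHeaders, sampleBody+"P.S. pay this invoice: http://evil.example\r\n")
	return
}

func main() {
	fmt.Println(RoundTrip())
}
```

Running it prints the generated DKIM-Signature value followed by three results: nil for the original, nil for the whitespace-only variant, and a bh= mismatch error for the appended body. Changing a signed header such as From instead would leave bh= intact and fail on the b= check.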

The DKIM Signature Header

Every DKIM-signed email contains a header that looks like this:

DKIM-Signature: v=1; a=rsa-sha256; d=yourcompany.com;
  s=selector1; c=relaxed/relaxed;
  h=from:to:subject:date:message-id;
  bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
  b=AuUoFEfDxTDkHlLXSZEpZj79LICEps6eda7W3deTVFOk...

The key tags are:

  • v=1 — DKIM version.
  • a=rsa-sha256 — The signing algorithm. RSA-SHA256 is the most common. Ed25519 (a=ed25519-sha256, RFC 8463) is a newer, faster alternative with far smaller keys and signatures. rsa-sha1 was deprecated by RFC 8301 and should no longer be used.
  • d=yourcompany.com — The signing domain. For DMARC alignment this must match the From header domain exactly (strict alignment, adkim=s) or share its organizational domain, so a subdomain or the parent domain also aligns (relaxed alignment, the default).
  • s=selector1 — The selector, used to locate the correct public key in DNS.
  • c=relaxed/relaxed — The canonicalization method for headers and body, respectively. "Relaxed" tolerates changes in whitespace and header-name case; "simple" requires a byte-for-byte match. Most signers use relaxed/relaxed.
  • h= — The list of headers included in the signature. The From header must always be signed; the DKIM-Signature header itself is covered implicitly (with b= empty).
  • bh= — The hash of the canonicalized message body, base64-encoded.
  • b= — The signature itself (base64-encoded).

DKIM DNS Records and Selectors

The public key is published as a TXT record at a specific location in DNS. The location is determined by the selector:

selector1._domainkey.yourcompany.com  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."

The record contains:

  • v=DKIM1 — Identifies this as a DKIM key record. The tag is optional, but if present it must be exactly DKIM1.
  • k=rsa — The key type. rsa is assumed if the tag is omitted; Ed25519 keys use k=ed25519.
  • p= — The public key, base64-encoded (for RSA, a DER-encoded SubjectPublicKeyInfo). If this tag is present but empty, the key has been revoked and every signature made under this selector fails.

Why Selectors Exist

Selectors allow a single domain to have multiple active DKIM keys simultaneously. This is essential for several reasons:

  • Multiple mail sources. Your primary mail server, your marketing platform, and your transactional email service can each have their own selector and key pair.
  • Key rotation. You can publish a new key under a new selector, switch your signing infrastructure to use it, and then remove the old key — all without any gap in authentication.

Common selector naming conventions include selector1, s1, google, k1, or date-based names like 202601.

Key Rotation

DKIM private keys should be rotated periodically to limit the impact of a compromised key. A recommended rotation schedule is every 6 to 12 months. The process is:

  1. Generate a new key pair.
  2. Publish the new public key in DNS under a new selector.
  3. Confirm the new record resolves from outside your network (for example with dig against a public resolver) before switching. A new selector name has no stale positive answer to expire, but resolvers that were asked for it before it existed may hold a negative answer for the zone's negative-cache TTL, so check rather than relying on a fixed wait; 24-48 hours is a safe upper bound.
  4. Configure your mail server to sign with the new private key and selector.
  5. Keep the old public key in DNS for a transition period (at least 7 days) so that messages signed before the switch, including mail still queued or delayed in transit, can still be verified.
  6. Remove the old public key from DNS, or publish it with an empty p= tag to revoke it explicitly.

Use a key size of at least 2048 bits for RSA keys. RFC 8301 requires verifiers to accept 1024- to 2048-bit keys and recommends 2048; 1024-bit keys are considered weak and should be replaced, and verifiers must reject anything shorter. Note that a 2048-bit key does not fit in a single DNS string: each character-string in a TXT record is limited to 255 bytes by the DNS protocol itself, and the record for a 2048-bit key is about 410 characters including its tags, so it must be published as two or more quoted strings that the resolver concatenates. Most DNS providers split the record for you; some require you to enter the strings separately.
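To make the record format from the DKIM DNS Records section and the 255-byte splitting above concrete, here is an added Go example (not part of the original guide or of any DNS provider's tooling). It renders a freshly generated 2048-bit key as the TXT strings you would publish for a new selector, then parses records the way a verifier does: the record it just produced, a revoked record with an empty p=, and a record pasted from documentation with its "..." still in it. The selector name 202601 and the sample records are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// KeyRecord is the parsed form of a <selector>._domainkey TXT record.
type KeyRecord struct {
	KeyType string
	Revoked bool // p= present but empty
	Bits    int  // RSA modulus size; 0 when not RSA
}

// ParseKeyRecord does what a verifier does after the DNS lookup: it joins the TXT
// character-strings, parses the tag list and checks that p= holds a usable key.
func ParseKeyRecord(strs []string) (KeyRecord, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(strings.Join(strs, ""), ";") { // strings concatenate with no separator
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	rec := KeyRecord{KeyType: "rsa"} // k= defaults to rsa (RFC 6376 s3.6.1)
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return rec, fmt.Errorf("v=%s is not DKIM1", v)
	}
	if k := tags["k"]; k != "" {
		rec.KeyType = k
	}
	p, ok := tags["p"]
	if !ok {
		return rec, fmt.Errorf("no p= tag: not a DKIM key record")
	}
	if p == "" {
		rec.Revoked = true // RFC 6376 s3.6.1: an empty p= means the key is revoked
		return rec, nil
	}
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(p), "")) // FWS inside p= is allowed
	if err != nil {
		return rec, fmt.Errorf("p= is not valid base64: %w", err)
	}
	if rec.KeyType != "rsa" {
		return rec, nil // ed25519: 32 raw key bytes, not size-checked here
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	rsaPub, ok := pub.(*rsa.PublicKey) // a nil pub from a parse error simply fails the assertion
	if err != nil || !ok {
		return rec, fmt.Errorf("p= is not a DER-encoded RSA SubjectPublicKeyInfo: %v", err)
	}
	rec.Bits = rsaPub.N.BitLen()
	if rec.Bits < 1024 {
		return rec, fmt.Errorf("%d-bit RSA key: verifiers must reject keys below 1024 bits (RFC 8301)", rec.Bits)
	}
	return rec, nil
}

// PublishRecord renders a new public key as TXT character-strings of at most 255
// bytes each; a 2048-bit key (about 410 characters with its tags) always needs two.
func PublishRecord(pub *rsa.PublicKey) ([]string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	txt := "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	var strs []string
	for len(txt) > 255 {
		strs, txt = append(strs, txt[:255]), txt[255:]
	}
	return append(strs, txt), nil
}

// ZoneLine formats the record for a zone file; each quoted string is one character-string.
func ZoneLine(selector, domain string, strs []string) string {
	return fmt.Sprintf("%s._domainkey.%s. IN TXT \"%s\"", selector, domain, strings.Join(strs, "\" \""))
}

// Demo generates a 2048-bit key for a new selector, publishes and re-parses it, then parses
// two constructed records: a revoked key and a key pasted from docs with its "..." left in.
func Demo() (fresh KeyRecord, strs []string, revoked KeyRecord, pasteErr error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if crypto/rand does
	strs, _ = PublishRecord(&priv.PublicKey)
	var err error
	if fresh, err = ParseKeyRecord(strs); err != nil {
		panic(err)
	}
	revoked, _ = ParseKeyRecord([]string{"v=DKIM1; k=rsa; p="})
	_, pasteErr = ParseKeyRecord([]string{"v=DKIM1; k=rsa; p=MIGfMA0GCSq..."})
	return
}

func main() {
	fresh, strs, revoked, pasteErr := Demo()
	fmt.Println(ZoneLine("202601", "yourcompany.com", strs))
	fmt.Printf("new key: %+v in %d strings\nrevoked: %+v\npasted: %v\n", fresh, len(strs), revoked, pasteErr)
}
```

The zone line it prints is what a 2048-bit record looks like when entered by hand: two quoted strings, the first exactly 255 characters. Feeding the same strings back through ParseKeyRecord is the check to run against `dig TXT` output after publishing; a revoked key parses cleanly but reports Revoked, while a truncated or mis-pasted key is rejected before any signature is ever checked.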

Common DKIM Issues

  • Missing DNS record. If the public key is not published or is published at the wrong selector path, DKIM verification will fail with a "no key found" error.
  • Body modification by intermediaries. Mailing list software, forwarding services, or security gateways that alter the message after signing will break the DKIM signature; mailing lists typically add a subject tag (which breaks the header hash) and a footer (which breaks the body hash). Using c=relaxed/relaxed canonicalization tolerates whitespace-only changes, but any other modification to the body or to a signed header will still cause failure.
  • Misaligned signing domain. For DMARC to pass via DKIM, the d= domain in the signature must align with the From header domain. If your email service signs with their own domain (e.g., d=sendgrid.net) instead of yours, DKIM will pass but DMARC alignment will fail. Most providers support custom DKIM signing — configure it to sign as your domain.
  • Expired or revoked keys. A key record whose p= tag is empty has been revoked, so every signature made under that selector fails from then on; this is why an old selector must stay published for the whole transition period after rotation. A signature can also carry its own expiry in the optional x= tag (a Unix timestamp); verifiers fail signatures whose x= lies in the past.
  • DNS record formatting errors. Extra spaces, missing quotes around concatenated strings, or incorrect escaping can cause the public key to be unparseable.
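An added example of the alignment rule from the d= tag description and the misaligned-signing-domain bullet above (example code, not from the original guide): given a From header and the header.d= domain reported in Authentication-Results, it decides whether DMARC would treat the DKIM pass as aligned under strict and relaxed mode. The organizational-domain rule is simplified to "last two labels" and the addresses are constructed; a real implementation uses the Public Suffix List.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

func normalize(d string) string { return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(d), ".")) }

// orgDomain approximates the DMARC organizational domain as the last two labels.
// Assumption of this example: no Public Suffix List lookup, so a domain such as
// example.co.uk would be reduced to co.uk; real DMARC implementations consult the PSL.
func orgDomain(d string) string {
	labels := strings.Split(d, ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// DKIMAligned reports whether a dkim=pass with header.d=signingDomain satisfies DMARC
// identifier alignment for the RFC5322.From domain: exact match in strict mode (adkim=s),
// same organizational domain in relaxed mode (adkim=r, the default).
func DKIMAligned(fromDomain, signingDomain string, strict bool) bool {
	f, d := normalize(fromDomain), normalize(signingDomain)
	if f == "" || d == "" {
		return false
	}
	if strict {
		return f == d
	}
	return orgDomain(f) == orgDomain(d)
}

// FromDomain extracts the domain DMARC evaluates from a From: header value.
func FromDomain(from string) (string, error) {
	addr, err := mail.ParseAddress(from)
	if err != nil {
		return "", err
	}
	_, domain, _ := strings.Cut(addr.Address, "@")
	return domain, nil
}

// Constructed cases: the provider-signed failure from the text, a subdomain signer under
// both modes, a From subdomain with the parent domain signing, and a look-alike domain that
// a naive suffix check would wrongly accept.
type alignCase struct {
	from, d      string
	strict, want bool
}

var cases = []alignCase{
	{"Alice <alice@yourcompany.com>", "yourcompany.com", true, true},
	{"Alice <alice@yourcompany.com>", "sendgrid.net", false, false}, // dkim=pass, but DMARC fails
	{"Alice <alice@yourcompany.com>", "mail.yourcompany.com", false, true},
	{"Alice <alice@yourcompany.com>", "mail.yourcompany.com", true, false},
	{"news@news.yourcompany.com", "yourcompany.com", false, true},
	{"Alice <alice@yourcompany.com>", "notyourcompany.com", false, false},
}

// Check evaluates one case; it returns an error only for an unparseable From header.
func Check(c alignCase) (bool, error) {
	fd, err := FromDomain(c.from)
	if err != nil {
		return false, err
	}
	return DKIMAligned(fd, c.d, c.strict), nil
}

func main() {
	for _, c := range cases {
		got, err := Check(c)
		fmt.Printf("from=%q d=%s strict=%t aligned=%t err=%v\n", c.from, c.d, c.strict, got, err)
	}
}
```

The sendgrid.net case is the one the bullet above warns about: the signature verifies, so Authentication-Results shows dkim=pass, yet DMARC ignores it because the identifier does not align. The notyourcompany.com case is why alignment must compare whole labels rather than string suffixes.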

Verifying Your DKIM Setup

To confirm DKIM is working, send a test email from your domain and inspect the headers at the receiving end. Look for the DKIM-Signature header and the authentication results:

Authentication-Results: mx.google.com;
  dkim=pass header.d=yourcompany.com header.s=selector1;

You can also query your DKIM public key directly:

dig TXT selector1._domainkey.yourcompany.com +short

The answer should be the quoted strings of the record (a 2048-bit key comes back as two strings); an empty answer means the record is missing or published at the wrong selector path. Query a public resolver as well (for example dig @8.8.8.8 TXT selector1._domainkey.yourcompany.com +short) so you see what remote receivers see rather than a cached answer from your own resolver.

DMARCWatch will show you DKIM pass and fail rates for every source sending as your domain, making it straightforward to spot signing issues across all your mail streams.