What Is DKIM? How DomainKeys Identified Mail Works
DKIM (DomainKeys Identified Mail) is an authentication method that adds a digital signature to your emails, proving they were authorized and unaltered. It’s one of the three pillars of modern email security, alongside SPF and DMARC.
1️⃣ Why DKIM Exists
Before DKIM, anyone could forge the “From” address in an email. Spammers and phishers exploited this to impersonate banks, brands, and users. DKIM fixes this by attaching a cryptographic signature to each message — a seal of authenticity only the domain owner can generate.
2️⃣ How DKIM Works (In Simple Terms)
DKIM uses public-key cryptography. Here’s the process in plain English:
- Your mail server signs outgoing messages with a private key.
- The corresponding public key is published as a TXT record in your domain’s DNS.
- Receiving servers (like Gmail or Outlook) verify that signature using the DNS record.
- If the message was altered or unsigned, the check fails — marking it as untrusted.
default._domainkey.mailtested.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9..."
In this example, “default” is the DKIM selector.
The receiving server uses that selector to find the correct public key during verification.
3️⃣ DKIM Alignment and DMARC
Passing DKIM alone isn’t enough — it must also align with the domain in your “From” address. DMARC checks this alignment and enforces a policy if DKIM or SPF fail. That’s why DKIM setup directly impacts your overall deliverability and domain reputation.
4️⃣ Common DKIM Setup Mistakes
- Broken key format: Long DKIM keys often wrap across multiple lines — always paste them as a single line in DNS.
- Wrong selector: If your mail server signs with “mail1,” but your DNS record is “default,” verification fails.
- Missing DNS propagation: Wait a few hours after adding your record before testing it.
- Multiple DKIM systems: Only one signature per domain should be active at a time unless managed carefully.
5️⃣ How DKIM Improves Deliverability
A valid DKIM signature tells receiving servers that your message is genuine and hasn’t been tampered with. Providers like Gmail, Apple Mail, and Microsoft 365 use this as a core trust signal. Failing DKIM often means your messages end up in spam or are rejected entirely.
6️⃣ DKIM Example in Email Headers
When you view full headers, you’ll find a DKIM-Signature line that looks like this:
DKIM-Signature: v=1; a=rsa-sha256; d=mailtested.com; s=default;
    h=from:subject:date;
    bh=Qk8h2Fw...;
    b=MEUCIQDLv6dN91c...signature...==
The “d=” value identifies the domain, and “s=” specifies the selector.
If these values don’t match your DNS record, DKIM validation fails.
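As an added example (not MailTested's code), the following Python shows how the "d=" and "s=" tags from the header above determine the DNS name a verifier queries, and flags two of the setup mistakes listed earlier: a selector mismatch and a key whose base64 is broken. The function names and the placeholder key are constructed for illustration; no DNS lookup or signature verification is performed.

```python
import base64
import binascii
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a value is not significant; drop it.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(sig):
    """DNS name the verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{sig['s']}._domainkey.{sig['d']}".lower()

def check_key_record(published_name, txt_strings, sig):
    """Return the problems found with a published key record (empty list = OK)."""
    problems = []
    if published_name.rstrip(".").lower() != key_record_name(sig):
        problems.append("selector/domain mismatch")
    # One TXT record may be stored as several quoted strings; verifiers join them.
    rec = parse_tags("".join(txt_strings))
    if rec.get("v", "DKIM1") != "DKIM1":
        problems.append("bad v= tag")
    try:
        # Checks base64 well-formedness only, not that the bytes are a usable key.
        if not base64.b64decode(rec.get("p", ""), validate=True):
            problems.append("empty or missing p=")
    except binascii.Error:
        problems.append("p= is not valid base64")
    return problems

# Signature header from the article; bh= and b= stay elided, they are not used here.
SIG = parse_tags("v=1; a=rsa-sha256; d=mailtested.com; s=default;\r\n"
                 " h=from:subject:date;\r\n bh=Qk8h2Fw...;\r\n b=MEUCIQDLv6dN91c...")
# Constructed placeholder key material (not a real RSA key).
P = base64.b64encode(b"constructed placeholder, not a real DKIM key!").decode()

if __name__ == "__main__":
    good = [f"v=DKIM1; k=rsa; p={P}"]
    print(key_record_name(SIG))
    print(check_key_record("default._domainkey.mailtested.com", good, SIG))
    print(check_key_record("mail1._domainkey.mailtested.com", good, SIG))
    print(check_key_record("default._domainkey.mailtested.com",
                           [f"v=DKIM1; k=rsa; p={P[:-3]}"], SIG))
```

The truncated-key case stands in for a record where part of a wrapped key was lost when pasting into DNS.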
✅ Final Thoughts
DKIM is not optional anymore — it’s a baseline requirement for inbox delivery. Every business or sender should configure it properly and monitor results regularly. MailTested helps you test and troubleshoot DKIM in seconds — no scripts, no guesswork.