DKIM - Cryptographic Email Signing

Guarantee the integrity and authenticity of your emails with DKIM.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each email sent from your domain. This signature allows the receiving server to verify that the email hasn't been modified in transit and that it actually comes from a server authorized by your domain.

Unlike SPF, which only verifies the sending server's IP address, DKIM guarantees the integrity of the signed email content. If an attacker intercepted an email and modified it, the DKIM signature would become invalid, alerting the recipient to the manipulation.

DKIM relies on asymmetric cryptography: your email server signs with a private key, and the corresponding public key is published in your DNS for anyone to verify the signature.

How DKIM Works

DKIM uses cryptography to authenticate emails:

  • Key pair: A private key (secret, on your email server) and a public key (published in DNS) form the cryptographic pair.
  • Signing: Your email server calculates a hash of the email content and signs it with the private key. The signature is added to the message as a DKIM-Signature header.
  • Verification: The receiving server retrieves the public key from DNS (via the indicated selector), recalculates the hash and verifies the signature.
  • Selector: The selector allows a domain to publish multiple DKIM keys (for rotation or for different services). The public key is looked up at the DNS name selector._domainkey.example.com.

Why DKIM is Important

DKIM provides guarantees that SPF cannot offer:

  • Integrity: DKIM guarantees the email hasn't been modified after signing. Headers and body are protected against manipulation.
  • Non-repudiation: A valid DKIM signature proves the email comes from a server authorized by the domain. Useful for legal evidence.
  • Deliverability: Gmail, Yahoo, and others give better reputation to DKIM-signed emails. Less risk of ending up in spam.
  • Required for DMARC: DMARC, the policy layer built on top of both mechanisms, requires either SPF or DKIM to pass. Having both maximizes the chance of success.

How to Configure DKIM

DKIM configuration involves email server and DNS:

  1. Generate keys: Generate an RSA key pair (2048 bits minimum). Most email services (Gmail, O365) do this automatically.
  2. Configure the server: Install the private key on your email server and configure it to sign outgoing emails with a defined selector.
  3. Publish the public key: Create a TXT DNS record at selector._domainkey.example.com with the public key.
  4. Test: Send a test email and check the received headers; they should show dkim=pass. Use tools like mail-tester.com.

DKIM Configuration Examples

Here are DKIM record examples:

; DKIM public-key record in DNS (p= values truncated for display)
; Format: selector._domainkey.domain.com
google._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4..."

; Google Workspace DKIM (partial example)
google._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

; Verification with dig
$ dig google._domainkey.example.com TXT +short
"v=DKIM1; k=rsa; p=MIGfMA0GCS..."

; DKIM-Signature header in an email (bh= and b= truncated for display)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=example.com; s=google;
 h=from:to:subject:date:message-id;
 bh=2jUSOH9NhtVGCQWNr9BrIA...;
 b=dP3R6h4N5klJwPQ...

v=DKIM1 identifies the record format. k=rsa indicates the key type. p= contains the base64-encoded public key. The selector (google, s1, etc.) identifies which key to use; it is carried in the s= tag of the DKIM-Signature header.
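As an added example (not code from the original page or from MoniTao), the following Python shows the receiving side of the record and header above: it parses the DNS TXT record and the DKIM-Signature tag list, classifies the published key, and recomputes bh= over the relaxed-canonicalized body so that a message altered after signing is detected. The body and signature values are constructed, b= is a placeholder, and the RSA verification of b= is not included.

```python
import base64
import hashlib
import re

def dkim_dns_name(selector: str, domain: str) -> str:
    """DNS name a verifier queries for the public key named by the header's s= and d= tags."""
    return f"{selector}._domainkey.{domain}"

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (DNS TXT record or header); quotes and folding whitespace ignored."""
    tags = {}
    for part in value.strip().strip('"').split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def key_record_status(txt: str) -> str:
    """An empty p= is RFC 6376's 'key revoked' form: record present, every signature fails. k=rsa only."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa" or "p" not in tags:
        return "invalid"
    return "revoked" if tags["p"] == "" else "ok"

def relaxed_body(body: str) -> bytes:
    """RFC 6376 relaxed body canonicalization: collapse WSP, strip trailing WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str) -> str:
    """The bh= tag for a=rsa-sha256: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """Receiver's first check: recompute bh=; a mismatch means the body changed after signing."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256" or body_canon != "relaxed":
        return False  # this example covers only the page's rsa-sha256 + relaxed/relaxed case
    return tags.get("bh") == body_hash(body)

# Constructed sample: body with WSP runs and trailing blank lines, plus a DKIM-Signature
# value over it (b= is a placeholder; the RSA signature step itself is not shown here).
BODY = "Hello  world \r\n\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;\r\n"
             " h=from:to:subject:date:message-id;\r\n"
             f" bh={body_hash(BODY)};\r\n b=PLACEHOLDER_SIGNATURE")
```

Appending a relay footer to BODY makes body_hash_matches return False, which is the "email modified in transit" failure mode described in the FAQ.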

DKIM Best Practices

Optimize your DKIM deployment:

  • Use 2048 bits: 1024-bit keys are considered weak. Use 2048 bits or more for long-term security.
  • Key rotation: Plan annual DKIM key rotation. Use a new selector for smooth transition.
  • Monitor DNS: Use MoniTao to monitor your DKIM records. A deleted or altered record means every signature fails verification.
  • Sign all services: Make sure all services that send emails for you (marketing, transactional) also sign with DKIM.

DKIM Checklist

  • 2048-bit RSA key generated
  • Private key installed on email server
  • Public key published in DNS
  • DKIM signing enabled for outgoing emails
  • Test emails sent and headers verified
  • DNS monitoring of DKIM records

Frequently Asked Questions - DKIM

Does DKIM replace SPF?

No, they are complementary. SPF verifies the sending IP, DKIM verifies content integrity. DMARC combines them for a unified policy. Use all three.

Why does my DKIM signature fail?

Common causes: incorrect or missing DNS public key, email modified in transit (by a relay or antispam), misconfigured selector, or private key not installed.

What is the DKIM selector?

The selector identifies which key to use. It allows having multiple keys (for different services or rotation). The DNS record is selector._domainkey.domain.com.

Do I need to configure DKIM for each subdomain?

If you send emails from different subdomains, each needs its own DKIM configuration (although the key pair itself can be shared between them).

Does DKIM protect email content?

DKIM guarantees integrity (non-modification) but not confidentiality. Content remains readable. For confidentiality, use encryption (S/MIME, PGP).

How often should I change my DKIM keys?

Annual rotation is recommended, or immediately if you suspect a compromise. Use a new selector and keep the old one active during transition.

Sign Your Emails with DKIM

DKIM provides a cryptographic guarantee that your emails are authentic and unmodified. Combined with SPF, it forms the foundation of modern email authentication and significantly improves your deliverability.

Deploy DKIM on all your email flows, monitor your DNS records with MoniTao, and complete with DMARC for a clear enforcement policy. Email authentication is an essential investment.

Ready to Sleep Soundly?

Start free, no credit card required.