DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was sent by an authorized server and hasn't been modified in transit. It's a critical component of email security alongside SPF and DMARC.
How DKIM Works
DKIM uses public-key cryptography to sign emails:
- Key generation: You generate a public/private key pair
- DNS publication: The public key is published in your DNS as a TXT record
- Email signing: Your mail server uses the private key to sign outgoing emails
- Verification: Receiving servers look up your public key and verify the signature
While SPF verifies that an email came from an authorized IP address, DKIM verifies the email hasn't been tampered with and was signed by someone with access to your private key. They complement each other.
DKIM DNS Record
The DKIM public key is stored as a TXT record at a specific subdomain:
```
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGf..."
```
The record name consists of:
- selector — A name you choose (e.g., "google", "mail", "default")
- _domainkey — Fixed string indicating this is a DKIM record
- example.com — Your domain
DKIM Record Tags
| Tag | Required | Description |
|---|---|---|
| v | Yes | Version (always "DKIM1") |
| k | No | Key type (default: "rsa") |
| p | Yes | Base64-encoded public key |
| t | No | Flags (e.g., "y" for testing mode) |
Example DKIM Records
```
# Google Workspace
google._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."

# Microsoft 365
selector1._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
selector2._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
```
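The record name and the tag syntax above are easy to get subtly wrong (a typo in `v=`, a key that is not valid base64, a record accidentally left in testing mode, or an emptied `p=`, which RFC 6376 defines as a revoked key). The following is an added example, not code from the original page, that builds the record name for a selector and domain and sanity-checks a TXT record the way a verifier would read it. The sample record and its `p=` value are constructed for the example and are not a real key; `join_txt_strings` is a helper named here for the common case where `dig` shows a long key split into several quoted 255-byte strings that must be concatenated before parsing.

```python
import base64
import re

# Constructed sample record (NOT a real key): the p= value is just base64 of a
# placeholder byte string so that the decode step has something valid to check.
SAMPLE_TXT = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(b"constructed-public-key-bytes").decode()


def dkim_record_name(selector: str, domain: str) -> str:
    """Name queried for the public key: <selector>._domainkey.<domain>."""
    if not selector or not domain:
        raise ValueError("selector and domain are both required")
    return f"{selector}._domainkey.{domain}".lower()


def join_txt_strings(dig_output: str) -> str:
    """Concatenate the quoted strings dig prints for one TXT record.
    Keys longer than 255 bytes (e.g. 2048-bit RSA) are split into several
    quoted chunks; the verifier joins them before parsing."""
    return "".join(re.findall(r'"([^"]*)"', dig_output))


def parse_tags(value: str) -> dict:
    """Split a DKIM tag=value list into a dict, dropping folding whitespace
    inside values (RFC 6376 allows whitespace within the base64 of p=)."""
    tags = {}
    for field in value.split(";"):
        if "=" in field:
            key, val = field.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def validate_dkim_record(txt: str) -> dict:
    """Check a DKIM TXT record and summarise what a receiver would see.
    'ok' means no syntax problems; 'revoked' and 'testing' are reported
    separately because both are syntactically valid records."""
    tags = parse_tags(txt)
    problems = []

    if tags.get("v") != "DKIM1":
        problems.append(f"v= must be DKIM1 (got {tags.get('v')!r})")

    key_type = tags.get("k", "rsa")  # k= is optional and defaults to rsa
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={key_type!r}")

    if "p" not in tags:
        problems.append("p= (public key) is required")
    public_key = tags.get("p", "")
    revoked = "p" in tags and public_key == ""  # empty p= means key revoked

    key_bytes = 0
    if public_key:
        try:
            key_bytes = len(base64.b64decode(public_key, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64")

    flags = set(tags.get("t", "").split(":")) - {""}
    return {
        "ok": not problems,
        "problems": problems,
        "key_type": key_type,
        "key_bytes": key_bytes,
        "revoked": revoked,
        "testing": "y" in flags,   # t=y: receivers treat failures as unsigned
        "strict_identity": "s" in flags,  # t=s: i= domain must equal d= exactly
    }


if __name__ == "__main__":
    print(dkim_record_name("google", "example.com"))
    print(validate_dkim_record(SAMPLE_TXT))
    print(validate_dkim_record(join_txt_strings('"v=DKIM1; k=rsa; " "p="')))
```

Run it against the output of `dig <selector>._domainkey.<domain> TXT` by passing the quoted strings through `join_txt_strings` first; a record that reports `testing` after you have finished setup should have its `t=y` removed, and one that reports `revoked` will never verify a signature.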
The DKIM Signature
When an email is signed, a DKIM-Signature header is added:
```
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=example.com; s=google;
        h=from:to:subject:date:message-id;
        bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
        b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
        VoG4ZHRNiYzR...
```
Signature Components
| Tag | Description |
|---|---|
| v | Signature version (always "1") |
| a | Signing algorithm (e.g., rsa-sha256) |
| d | Signing domain |
| s | Selector (to look up the public key) |
| h | Headers included in the signature |
| bh | Body hash |
| b | The signature itself |
Setting Up DKIM
Google Workspace
- Go to Admin Console → Apps → Google Workspace → Gmail
- Click Authenticate email
- Select your domain and click Generate new record
- Add the TXT record to your DNS
- Return to Google Admin and click Start authentication
Microsoft 365
- Go to Microsoft 365 Defender → Policies → Email authentication
- Select DKIM
- Select your domain
- Add the two CNAME records provided
- Enable DKIM signing
Self-Hosted (OpenDKIM)
```shell
# Generate key pair
opendkim-genkey -s mail -d example.com

# This creates:
#   mail.txt     - DNS record (public key)
#   mail.private - Private key for signing
```
For security, rotate DKIM keys periodically (e.g., annually). Use a new selector when rotating so old emails can still be verified while transitioning.
Verifying DKIM
Check DKIM Record in DNS
```shell
# Replace 'selector' with your actual selector
dig selector._domainkey.example.com TXT

# Common selectors to try:
dig google._domainkey.example.com TXT
dig default._domainkey.example.com TXT
dig mail._domainkey.example.com TXT
dig selector1._domainkey.example.com TXT
```
Check Email Headers
View the original headers of a received email and look for:
```
Authentication-Results: mx.google.com;
        dkim=pass header.i=@example.com header.s=google
```
Possible results:
- pass — Signature verified successfully
- fail — Signature verification failed
- neutral — No signature or inconclusive
- temperror — Temporary error (try again)
- permerror — Permanent error (configuration issue)
For DMARC to pass with DKIM, the domain in the DKIM signature (d=) must align with the From domain. Misalignment is a common cause of DMARC failures.
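A `dkim=pass` in Authentication-Results is necessary but not sufficient for DMARC: the signing domain also has to align with the From domain, exactly under strict alignment or at the organizational-domain level under relaxed alignment (the default). The example below is added here and is not code from the original page: it parses an Authentication-Results value like the one above, extracts the DKIM signing domain from `header.d=` (or from `header.i=` when that is all the receiver reported, as in the page's sample), and decides whether the DKIM result would satisfy DMARC for a given From domain. The `organizational_domain` helper is a deliberate simplification that takes the last two labels; real DMARC implementations use the Public Suffix List, so it misjudges domains such as `example.co.uk`.

```python
import re

# The Authentication-Results value shown above, with the header name removed.
SAMPLE_AUTH_RESULTS = "mx.google.com; dkim=pass header.i=@example.com header.s=google"


def parse_authentication_results(value: str) -> dict:
    """Parse 'authserv-id; method=result prop=value ...; ...' into a dict.
    Parenthesised comments, which receivers often add, are stripped first."""
    value = re.sub(r"\([^)]*\)", "", value)
    authserv_id, _, rest = value.partition(";")
    parsed = {"authserv_id": authserv_id.strip(), "methods": []}
    for clause in rest.split(";"):
        parts = clause.split()
        if not parts:
            continue
        method, _, result = parts[0].partition("=")
        props = dict(p.partition("=")[::2] for p in parts[1:])
        parsed["methods"].append({"method": method.lower(), "result": result.lower(), "props": props})
    return parsed


def dkim_signing_domain(method: dict) -> str:
    """Prefer header.d=; fall back to the domain part of header.i= (the AUID)."""
    domain = method["props"].get("header.d") or method["props"].get("header.i", "").rpartition("@")[2]
    return domain.lower().rstrip(".")


def organizational_domain(domain: str) -> str:
    """SIMPLIFICATION (assumption for this example): last two labels.
    A real implementation must consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dkim_aligned(from_domain: str, signing_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment for DKIM (RFC 7489 section 3.1.1)."""
    from_domain, signing_domain = from_domain.lower().rstrip("."), signing_domain.lower().rstrip(".")
    if mode == "strict":
        return from_domain == signing_domain
    return organizational_domain(from_domain) == organizational_domain(signing_domain)


def dkim_passes_dmarc(auth_results_value: str, from_domain: str, mode: str = "relaxed") -> bool:
    """True if at least one DKIM result is 'pass' AND its signing domain aligns
    with the From domain. A pass for an unaligned third-party domain does not count."""
    for method in parse_authentication_results(auth_results_value)["methods"]:
        if method["method"] != "dkim" or method["result"] != "pass":
            continue
        if dkim_aligned(from_domain, dkim_signing_domain(method), mode):
            return True
    return False


if __name__ == "__main__":
    print(parse_authentication_results(SAMPLE_AUTH_RESULTS))
    print(dkim_passes_dmarc(SAMPLE_AUTH_RESULTS, "example.com"))  # aligned signer
    # Constructed: a bulk mailer signing with its own domain on example.com mail
    print(dkim_passes_dmarc("mx.example.net; dkim=pass header.d=bulkmailer.example.net", "example.com"))
```

The last call is the misalignment case the text warns about: the message carries a perfectly valid DKIM signature, but because it was applied by a third party's domain rather than the From domain, DMARC still needs SPF to pass and align, or it fails outright.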