Email Authentication

DKIM: Everything You Need to Know About Digital Signatures

Hero Image
Hidden Anchor

What is a DKIM record?

DomainKeys Identified Mail (DKIM) is a core email authentication standard necessary to keep your email safe. It was designed to fill some of the gaps Sender Policy Framework (SPF) authentication cannot fill. Plus, without a DKIM record, you won’t be able to fully benefit from Domain-based Message Authentication, Reporting and Conformance (DMARC), a stricter standard available. However, DKIM can be the most complicated standard to configure and implement.

DKIM helps organizations claim responsibility for sending messages in a way verifiable by mailbox providers (MBPs). To do so, there needs to be cryptographic authentication. Creating the record and the associated keys takes some skill.

Hidden Anchor

Why is a DKIM record important?

When working in tandem with SPF, DKIM better protects your brand from spoofing, ensuring email sent to your subscribers is actually from you or your business. DKIM authentication helps mailbox providers detect forged sender addresses.
Hidden Anchor

How do I add a DKIM record to my domain?

This is where DKIM can become a challenge. There are several steps to creating the record and then publishing the record to the DNS, so you may want to get help from your IT department or email service provider (ESP).
Hidden Anchor

Inventory your sending domains

This is an important but often overlooked step. It might seem fine to assume the only sending domain necessary to protect is the one from which you’re sending either the most mail or your marketing mail. However, there can be several other places from which emails generate. Make sure you have a list of every sending domain, including vendors sending mail on behalf of your domains, like those for customer service.
Hidden Anchor

Identify what message elements to sign

Senders decide which elements of the email to include in the signing process. The whole message (header and body) can be included, or just one or more fields of the email header can be included, but the header must be represented as a signature for DKIM to work.

This is an important step because without this clarification, the receiving server won’t know what to check to ensure nothing was manipulated in transit. However, there is an important factor to consider: Do you want forwarded email to fail DKIM?

If you include body copy in the signature, MBPs will add a line of text to indicate the message was forwarded from their server. When this happens, the message will fail since the body of the email changed in transit.

Extra tip:

The elements included in the DKIM signing process must remain unchanged in transit or the DKIM signature will fail authentication.

Hidden Anchor


The core of the DKIM mechanism is encryption. However, you’re not alone in setting this up. Your encryption needs to be configured specifically for your server, and your email service provider (ESP) should be able to help you install a DKIM package tailored to that server.

Once enabled, the platform will automatically create a “hash” of the predetermined signature elements. This will convert readable text into a textual string. This string is unique to your server.

Hidden Anchor

Key creation

The DomainKeys in DKIM include a public key published on the DNS record as well as a private key, which is included in an email’s header.

  • Private: The hash string exists, so now it needs to be encrypted with a private key. This private key gets assigned to a unique combination of domain and selector. Since it is unique, you can have several legitimate private keys for an individual domain. And, since it is private, only the sender has access to it.
  • Public: The public key is the only match for the private key in the email signature. The keypair match enables the email provider to decrypt the DKIM signature back to the original hash string for authentication.
Hidden Anchor

Publish your public key

You’ll also need a selector record. This will include the DKIM subdomain storing the public key. The public key will be included in the TXT record of your domain, which should be published on the DNS.
Hidden Anchor

DKIM headers

A special header is used in each message configured with DKIM. This is the DKIM signature. Within it is information about the sender, message, and location of the public key used for email verification. This header is required by all MBPs using DKIM to confirm your identity.
Hidden Anchor


The DKIM header includes several necessary components represented by using tag=value pairs. The tag will include a single letter and an equal sign, which indicates which piece of information it represents: sender, message, and public key location.

Senders can pick from a number of available tags, but some are required where others are not. If you do happen to miss a required tag, you’ll get a verification error from the MBP. However, if you don’t use an optional tag in your DKIM header, you won’t fail authentication.

There’s a piece of nuance to remember: If you include a tag without a value, it is treated as valueless. If you do not include a tag in your DKIM signature, like an optional tag, the MBP will assume its default value. So, plan to assign value to all your included headers, and confirm you don’t want to adjust the value related to any of the optional ones you choose not to add.

Hidden Anchor

Required tags

There are quite a few required tags. If you don’t include these tags in your DKIM signature, it will return an error.

v= is the version of the signature specification. This should always be 1.

a= indicates the algorithm used to create the DKIM signature.

s= indicates the selector record name used with the domain to locate the public key in DNS. The sender creates this with a letter or number, there is no specific required value.

h= is the entire list of headers used in the signing algorithm to create the hash in the b= tag. The order of the headers in the h= tag is the order they were presented during DKIM signing. This is also the order they should be presented when being verified. The value is the list of header fields which should not change or be removed during message transmission.

b= the actual DKIM signature of headers and body of the mail message

bh= is the computed hash of the message body. If you choose to add the body of your email in the header, this is the string of characters representing the hash created by the hash algorithm.

d= indicates the domain used with the selector record (s=) to locate the public key. The value is the sender’s owned domain.

Hidden Anchor

Sending a signed DKIM message

Once the key is created and encrypted, the message can be sent with the protection of DKIM. If you’ve set everything up appropriately, DKIM authentication should work as intended. There isn’t anything you need to do to facilitate its deployment, but your ESP should be able to provide more specific directions.

After you deploy the message, there are several things happening as the email approaches the receiving server for delivery.

Hidden Anchor

Verifying a signed DKIM message

As the mail is in transit, the receiver will see it has a DKIM signature. The signature reveals the combination of domain and selector signed during encryption. It will need to validate the private key, so the receiving email provider then runs a DNS query to find the public key.

As mentioned, the public key is the only match for the private key signed to the email. This is a “keypair match” and enables the provider to decrypt the DKIM signature down to its original hash string.

If it is a match, the receiving server can trust the message wasn’t manipulated in transit because had it been, the hashes wouldn’t match. The match provides confidence the message isn’t spoofed.

Hidden Anchor

How does DKIM prevent domain spoofing?

Any manipulation of the encrypted keys will indicate something wrong in transit. Since mailbox providers generally will not allow the delivery of a DKIM failure, you’re more protected against phishing, which typically relies on a spoofed domain.
Hidden Anchor


Hidden Anchor

How does DKIM improve deliverability?

With more confidence in the veracity of your email, MBP are more likely to deliver your mail. With high delivery rates, low spam complaints (because recipients will believe your email to be trustworthy), and a general demonstration of taking security seriously, you’ll reap the positive benefits of DKIM authentication. Combining these signals contributes to a good sender reputation and deliverability.
Hidden Anchor

What do SPF and DMARC have to do with DKIM?

SPF, DKIM, and DMARC work together to protect your domains from spoofing. SPF is the most basic level of authentication and is typically the most common. Since DKIM can be so much more complex in its implementation than SPF, marketers will frequently stop there. But without the additional protection from DKIM, marketers then lose out on the potential for DMARC, which is the gold standard of email authentication.
Hidden Anchor

How do I add a DKIM record to my domain?

By using the information shared above, you have the components necessary to plan, configure, and publish your DKIM record to the DNS. Yet as noted, it can be too complex for the general email marketer. In fact, it usually is. Many ESPs have a DKIM wizard to help you complete the process.
Hidden Anchor

What happens when DKIM fails?

If there is no DKIM alignment, the message will fail. This means it will likely impact the message’s ability to be delivered. This can be a good thing, because if it was truly a spoofed email, you’re protecting your recipient from potentially harmful mail. However, this is less desirable if the mail simply fails DKIM because the record isn’t properly configured.
Hidden Anchor

How do I know if DKIM is working?

A comprehensive email performance monitoring tool can help you not only understand your infrastructure, but keep track of it. Validity’s email success platform, Everest, allows you to see the volume of sent email not passing authentication. SPF, DKIM, and DMARC can be tracked to illuminate how much mail is being filtered because of failures. If you notice issues, like consistent DKIM failure of all mail, you can troubleshoot what is causing it right away, rather than waiting for the negative deliverability impact of a damaged reputation.

Hidden Anchor

Is DKIM safe enough?

Having SPF and DKIM properly configured is a key step toward email authentication, but they’re not the last or only steps to take. Once SPF and DKIM are in place, you’re primed to take on DMARC, one of the safest authentication protocols you can use. With only DKIM, you’re leaving the MBP to choose to handle failing mail how it sees fit. With DMARC, you can instruct mailbox providers to route the mail as you choose. So, if a message fails DMARC, you can specify it’s returned to you. If a message fails DKIM, it might be placed in spam without you knowing. Without the benefit of detailed insight, you’re on a path to reputation erosion.
Hidden Anchor

Does DKIM give my messages end-to-end encryption?

No. DKIM does not encrypt messages for content security purposes. The encryption used by DKIM is more of a confirmation your mail is undisturbed, not a preventative to ensure no manipulation does indeed happen.

Discover how Everest can help you set up and monitor proper email authentication to keep your program safe and secure.