What is a DKIM record?
DomainKeys Identified Mail (DKIM) is a core email authentication standard necessary to keep your email safe. It was designed to fill some of the gaps Sender Policy Framework (SPF) authentication cannot fill. Plus, without a DKIM record, you won’t be able to fully benefit from Domain-based Message Authentication, Reporting and Conformance (DMARC), a stricter standard available. However, DKIM can be the most complicated standard to configure and implement.
DKIM helps organizations claim responsibility for sending messages in a way verifiable by mailbox providers (MBPs). To do so, there needs to be cryptographic authentication. Creating the record and the associated keys takes some skill.
Why is a DKIM record important?

How do I add a DKIM record to my domain?
Inventory your sending domains
Identify what message elements to sign
This is an important step because without this clarification, the receiving server won’t know what to check to ensure nothing was manipulated in transit. However, there is an important factor to consider: Do you want forwarded email to fail DKIM?
If you include body copy in the signature, MBPs will add a line of text to indicate the message was forwarded from their server. When this happens, the message will fail since the body of the email changed in transit.
Extra tip:
The elements included in the DKIM signing process must remain unchanged in transit or the DKIM signature will fail authentication.
Encrypt
Once enabled, the platform will automatically create a “hash” of the predetermined signature elements. This will convert readable text into a textual string. This string is unique to your server.
Key creation
The DomainKeys in DKIM include a public key published on the DNS record as well as a private key, which is included in an email’s header.
- Private: The hash string exists, so now it needs to be encrypted with a private key. This private key gets assigned to a unique combination of domain and selector. Since it is unique, you can have several legitimate private keys for an individual domain. And, since it is private, only the sender has access to it.
- Public: The public key is the only match for the private key in the email signature. The keypair match enables the email provider to decrypt the DKIM signature back to the original hash string for authentication.
Publish your public key
DKIM headers
Tags
Senders can pick from a number of available tags, but some are required where others are not. If you do happen to miss a required tag, you’ll get a verification error from the MBP. However, if you don’t use an optional tag in your DKIM header, you won’t fail authentication.
There’s a piece of nuance to remember: If you include a tag without a value, it is treated as valueless. If you do not include a tag in your DKIM signature, like an optional tag, the MBP will assume its default value. So, plan to assign value to all your included headers, and confirm you don’t want to adjust the value related to any of the optional ones you choose not to add.
Required tags
v= is the version of the signature specification. This should always be 1.
a= indicates the algorithm used to create the DKIM signature.
s= indicates the selector record name used with the domain to locate the public key in DNS. The sender creates this with a letter or number, there is no specific required value.
h= is the entire list of headers used in the signing algorithm to create the hash in the b= tag. The order of the headers in the h= tag is the order they were presented during DKIM signing. This is also the order they should be presented when being verified. The value is the list of header fields which should not change or be removed during message transmission.
b= the actual DKIM signature of headers and body of the mail message
bh= is the computed hash of the message body. If you choose to add the body of your email in the header, this is the string of characters representing the hash created by the hash algorithm.
d= indicates the domain used with the selector record (s=) to locate the public key. The value is the sender’s owned domain.
Sending a signed DKIM message
After you deploy the message, there are several things happening as the email approaches the receiving server for delivery.
Verifying a signed DKIM message
As mentioned, the public key is the only match for the private key signed to the email. This is a “keypair match” and enables the provider to decrypt the DKIM signature down to its original hash string.
If it is a match, the receiving server can trust the message wasn’t manipulated in transit because had it been, the hashes wouldn’t match. The match provides confidence the message isn’t spoofed.

How does DKIM prevent domain spoofing?
FAQ
How does DKIM improve deliverability?
What do SPF and DMARC have to do with DKIM?
How do I add a DKIM record to my domain?
What happens when DKIM fails?
How do I know if DKIM is working?
A comprehensive email performance monitoring tool can help you not only understand your infrastructure, but keep track of it. Validity’s email success platform, Everest, allows you to see the volume of sent email not passing authentication. SPF, DKIM, and DMARC can be tracked to illuminate how much mail is being filtered because of failures. If you notice issues, like consistent DKIM failure of all mail, you can troubleshoot what is causing it right away, rather than waiting for the negative deliverability impact of a damaged reputation.
Is DKIM safe enough?
Does DKIM give my messages end-to-end encryption?
Discover how Everest can help you set up and monitor proper email authentication to keep your program safe and secure.