DKIM (DomainKeys Identified Mail) is an email authentication method that helps verify whether an email was actually sent by the domain it claims to be from—and whether its contents were tampered with in transit.
If you use a custom domain like @yourcompany.com, DKIM adds cryptographic protection to your messages, giving receiving servers a way to trust their integrity and origin. It’s also a critical component for DMARC to function correctly.
What Does DKIM Do?
When your mail server sends a message, DKIM generates a digital signature and inserts it into the email header. This signature is based on the content of the message and is unique to each email.
The receiving server checks this signature against a DKIM public key that lives in your domain’s DNS. If the values match, the message is authenticated. If they don’t, the message may be flagged or rejected depending on DMARC or local policies.
Example DKIM Record (DNS TXT)
default._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQE..."
- default is the selector (it can be named anything)
- _domainkey is always part of the DKIM naming convention
- v=DKIM1 indicates the version
- k=rsa specifies the key type (RSA is standard)
- p= is your public key
The private key used to generate the signature stays securely on your mail server. Only the public key is published in DNS.
DKIM vs SPF: What’s the Difference?
Feature | DKIM | SPF |
---|---|---|
Authenticates | Message content + sender domain | Sending server IP |
Uses DNS? | Yes (public key) | Yes (authorized IPs) |
Survives forwarding? | ✅ Yes | ❌ No |
Checks “From” header? | ✅ Yes (when aligned) | ❌ No |
Uses cryptography? | ✅ (signature-based) | ❌ (plain-text) |
Both work best when combined under DMARC.
DKIM Alignment and DMARC
For DKIM to contribute to a DMARC pass, the domain in the d= tag of the DKIM signature must match, or be a subdomain of, the domain in the visible “From” header.
- Strict alignment: Exact match required
- Relaxed alignment: Subdomains are acceptable (e.g., mail.example.com passes for example.com)
If the DKIM signature passes but alignment fails, it won’t contribute to DMARC policy enforcement.
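The alignment check described above, as an added Python example (not code from the original page). Relaxed mode follows the RFC 7489 definition, which compares organizational domains and so covers the subdomain case above; the function names, the sample headers and the four-entry PUBLIC_SUFFIXES set standing in for the Public Suffix List are assumptions.

```python
import re
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption); real checks load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def parse_tags(value):
    """Parse a DKIM 'tag=value; tag=value' list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def dkim_aligned(dkim_signature, from_header, mode="relaxed"):
    """True if the signature's d= domain aligns with the visible From domain."""
    d = parse_tags(dkim_signature).get("d", "").lower().rstrip(".")
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    if not d or not from_domain:
        return False
    if mode == "strict":
        return d == from_domain
    return org_domain(d) == org_domain(from_domain)

def dmarc_dkim_result(signature_verified, dkim_signature, from_header, mode="relaxed"):
    """DKIM counts toward DMARC only when the signature verifies AND d= is aligned."""
    aligned = dkim_aligned(dkim_signature, from_header, mode)
    return "pass" if signature_verified and aligned else "fail"

# Constructed sample headers (not taken from real mail); bh= and b= values are placeholders.
FROM = "Billing <billing@example.com>"
SIG_SUBDOMAIN = "v=1; a=rsa-sha256; d=mail.example.com; s=default; h=from:subject; bh=...; b=..."
SIG_VENDOR = "v=1; a=rsa-sha256; d=mailer-vendor.net; s=k1; h=from:subject; bh=...; b=..."

if __name__ == "__main__":
    for sig in (SIG_SUBDOMAIN, SIG_VENDOR):
        for mode in ("relaxed", "strict"):
            print(parse_tags(sig)["d"], mode, dmarc_dkim_result(True, sig, FROM, mode))
```

The mode argument corresponds to the adkim tag (r or s) in the domain's DMARC record.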
Why DKIM Matters for Your Business
Without DKIM, messages can be:
- Modified in transit without detection
- Rejected by recipients with strict security policies
- More likely to land in spam folders
- Ineligible for DMARC pass, weakening protection
With DKIM, your messages:
- Are cryptographically verified
- Appear more trustworthy to recipients
- Support full DMARC enforcement
- May qualify for inbox features like BIMI
Need Help Setting Up DKIM?
DKIM can be tricky to configure, especially when multiple systems (like CRMs, newsletter tools, or third-party senders) are involved. At Forward Technologies, we help businesses generate, publish, and verify DKIM records—whether you’re starting from scratch or fixing legacy issues.