DKIM
Definition
DKIM: DomainKeys Identified Mail (DKIM) is an email authentication method that uses cryptographic digital signatures to verify that an email was genuinely sent by an authorized sender from a specific domain and that the message content has not been altered during transmission.
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email security standard that adds a cryptographic signature to every email you send. Think of it as a tamper-evident seal for your emails. When you send a message, your mail server signs it with a private key that only you possess. The receiving server then uses your public key (published in your DNS records) to verify the signature. If the signature matches, the email is authentic and unaltered. If not, something is wrong.
Unlike SPF, which only verifies the sending server, DKIM verifies the actual email content. If anyone modifies the email in transit - changing the subject line, altering the body, or tampering with headers - the DKIM signature becomes invalid. This makes DKIM especially valuable for detecting man-in-the-middle attacks and email tampering.
How DKIM Authentication Works
The DKIM signing and verification process involves public-key cryptography:
- Key Generation - You create a public/private key pair. The private key stays on your mail server (never shared). The public key is published as a DNS TXT record.
- Signing - When sending an email, your server computes a hash of selected email headers and of the body content, then signs this hash with your private key to produce the DKIM signature.
- Transmission - The signature is added to a special DKIM-Signature header in the email.
- Verification - The receiving server extracts the signature, looks up your public key in DNS, uses that key to verify the signature, computes its own hash of the received email, and compares the two hashes.
- Result - If hashes match, DKIM passes. If they differ, DKIM fails (indicating tampering or forgery).
Anatomy of a DKIM Signature
A DKIM signature header looks complex but has clear components:
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=selector; h=from:to:subject:date; b=signature...
- v=1 - DKIM version
- a=rsa-sha256 - Algorithm used for signing
- d= - The domain claiming responsibility (your domain)
- s= - Selector (allows multiple keys per domain)
- h= - Headers included in the signature
- b= - The actual signature (base64 encoded)
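As an added example (not code from the page or from WarmySender), the Python below walks through the parts of the verification step a receiver can do before any cryptography: it parses the tag list of a DKIM-Signature header, derives the DNS name where the public key is looked up, and recomputes the body hash using the "simple" canonicalization from RFC 6376. The bh= tag it checks is the body-hash tag defined by RFC 6376 and omitted from the header above; the sample message is constructed, and the RSA check of the b= value is left out because it needs the published public key.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body_simple(body: bytes) -> bytes:
    # RFC 6376 "simple" body canonicalization: normalise line endings to CRLF,
    # drop every empty line at the end of the body, and end with exactly one CRLF.
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    # The bh= tag is the base64 SHA-256 digest of the canonicalized body.
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode()


def parse_dkim_signature(header_value: str) -> dict:
    # The header is a ';'-separated tag=value list; whitespace inside values
    # (including line folding) carries no meaning and is removed.
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def public_key_dns_name(tags: dict) -> str:
    # Receivers fetch the TXT record at selector._domainkey.domain.
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(header_value: str, body: bytes) -> bool:
    # Only the page's algorithm (rsa-sha256) and DKIM version 1 are handled.
    tags = parse_dkim_signature(header_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    return hmac.compare_digest(tags.get("bh", ""), body_hash(body))


# Constructed sample: trailing blank lines are ignored by canonicalization,
# the header is folded across two lines, and b= is a placeholder.
BODY = b"Hello,\r\n\r\nYour invoice is attached.\r\n\r\n\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=simple/simple; d=yourdomain.com; s=crm1;\r\n\t"
             "h=from:to:subject:date; bh=" + body_hash(BODY) + "; b=PLACEHOLDER")
# A content filter appending a footer changes the body hash, so bh= no longer matches.
TAMPERED = BODY.rstrip(b"\r\n") + b"\r\n-- \r\nScanned by ExampleFilter\r\n"
```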
DKIM Selectors Explained
The selector mechanism allows you to have multiple DKIM keys for one domain. This is essential because different services (Google Workspace, your marketing platform, your transactional email provider) each need their own keys. For example, Google might use selector "google" while your CRM uses "crm1" - receiving servers look up the public key at selector._domainkey.yourdomain.com to find the correct key.
Why DKIM Matters for Email Marketers
DKIM is crucial for several reasons:
- Authentication - Proves emails genuinely come from your domain, not imposters
- Integrity - Ensures email content was not modified in transit
- Reputation - Positive sending behavior builds DKIM-associated reputation
- DMARC Requirement - DMARC (the policy layer) requires either SPF or DKIM to pass and align with the From domain
- Deliverability - Gmail, Outlook, and Yahoo all consider DKIM in spam filtering decisions
Common DKIM Misconceptions
Many assume DKIM "encrypts" emails - it does not. DKIM signs emails for authentication and integrity, but the content remains readable. Others believe DKIM prevents spam - it only helps receivers identify legitimate senders, not filter content quality.
A frequent mistake is assuming one DKIM key covers all email sources. If you send through Gmail, Mailchimp, and your CRM, each service needs its own DKIM configuration. Emails from services without proper DKIM setup will fail authentication even if your main domain has DKIM configured.
Setting Up DKIM
Most email providers handle DKIM automatically. Google Workspace, Microsoft 365, and major marketing platforms generate keys and provide you with a DNS record to publish. The setup is simply: copy the TXT record they provide, paste it into your DNS settings at the specified selector._domainkey.yourdomain.com, and wait for propagation.
WarmySender connects via OAuth to Gmail and Microsoft 365, which have DKIM already configured. For custom SMTP connections, we verify DKIM is properly set up during mailbox connection to ensure optimal deliverability.
Frequently Asked Questions
Is DKIM required to send email?
DKIM is not technically required - emails will send without it. However, major email providers like Gmail and Outlook heavily weight DKIM in spam filtering decisions. Without DKIM, your emails are far more likely to land in spam or be blocked. For cold email outreach, DKIM is effectively mandatory for achieving reasonable inbox placement rates.
How do I set up DKIM for my domain?
For Google Workspace: Admin Console > Apps > Google Workspace > Gmail > Authenticate email > Generate new record. For Microsoft 365: Admin center > Settings > Domains > select domain > DNS records. For other providers, check their documentation for DKIM key generation. Once you have the key, add it as a TXT record in your DNS at selector._domainkey.yourdomain.com.
What causes DKIM to fail?
Common causes include: DNS record not published or incorrect, email modified in transit (content filters adding footers can break DKIM), key rotation without updating DNS, using the wrong selector for the sending service, or DNS propagation delays after adding records. You can test DKIM using mail-tester.com or by sending test emails to Gmail and checking message headers.