What is DKIM? A tamper-evident signature for email

DKIM stands for DomainKeys Identified Mail. A sending server signs selected headers and the message body with a private key. The receiver retrieves the matching public key from DNS and verifies the signature. A valid result proves that the signing domain took responsibility for the message and that signed content was not altered in transit.

Updated July 14, 2026

How DKIM signing and verification work

  1. Your email provider creates a private/public key pair. The private key stays on its sending system.
  2. You publish the public key as a TXT or provider-directed CNAME record in DNS.
  3. For each outgoing message, the provider hashes the body and selected headers, signs the result, and adds a DKIM-Signature header.
  4. The receiver reads the signing domain (d=) and selector (s=), then requests the public key at selector._domainkey.domain.
  5. If the cryptographic verification succeeds, DKIM passes.

Domains, selectors, and DNS records

Header: DKIM-Signature: ... d=example.com; s=mail2026; ...
DNS:    mail2026._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIB..."
The selector and signing domain tell the receiver exactly where to find the public key.

A selector is simply a key name. It lets a domain publish multiple keys at once: one for Google Workspace, one for a marketing platform, and a new one during rotation. Selectors are not secret; they appear in every signed message.

Some providers give you a CNAME instead of a TXT value. That is normal: the CNAME delegates key hosting and rotation to the provider. Publish exactly the record type and host it supplies.

DKIM alignment under DMARC

A cryptographically valid signature can still fail DMARC if it signs with an unrelated domain. For DKIM to contribute a DMARC pass, the d= domain must align with the visible From domain. Under relaxed alignment, a subdomain relationship is enough; strict alignment requires an exact match.

Visible FromDKIM d=DKIM resultDMARC-aligned?
example.comexample.comPassYes
example.commail.example.comPassYes under relaxed alignment
example.comvendor-send.netPassNo

Why DKIM fails

  • The public key is missing, malformed, published under the wrong selector, or not fully propagated.
  • The sending platform has a key configured but DKIM signing was never enabled.
  • The provider rotated its private key while DNS still contains the old public key.
  • A forwarding gateway, footer tool, or mailing list changed signed headers or the body.
  • The message uses an expired signature or an unsupported/weak key configuration.

A body hash did not verify result points specifically to message-body changes. Use the header analyzer to see the receiver's result and the DKIM checker to test the public key.

How to enable and maintain DKIM

Generate or request a key in each sending platform, publish its DNS record, wait for the provider to detect it, and explicitly turn on signing. Then send a real message and confirm that dkim=pass uses a d= domain aligned with your From address. The full workflow is in how to enable DKIM.

Use 2048-bit RSA keys when your provider and DNS host support them, or the provider's supported modern alternative. Rotate keys periodically and immediately after suspected private-key exposure. Rotation is safer when you publish a new selector before retiring the old one, allowing in-flight mail to verify.

Sources and further reading

Common questions

Is a DKIM key a password?+

No. The public key is intentionally visible in DNS. Only the private key must remain secret, and it normally stays inside your email provider's infrastructure.

Can I have multiple DKIM records?+

Yes. Each selector has its own DNS name, so multiple providers and rotating keys can coexist. What you cannot do is publish conflicting values at the same selector name.

Does DKIM encrypt email?+

No. DKIM authenticates a signature and detects changes to signed content; it does not hide the message. Transport encryption is handled separately by TLS.

Why does DKIM pass but DMARC fail?+

The signing domain may not align with the visible From domain. Configure custom-domain DKIM at the sender so its `d=` value uses your domain or an aligned subdomain.