What is DKIM? A tamper-evident signature for email
DKIM stands for DomainKeys Identified Mail. A sending server signs selected headers and the message body with a private key. The receiver retrieves the matching public key from DNS and verifies the signature. A valid result proves that the signing domain took responsibility for the message and that signed content was not altered in transit.
Updated July 14, 2026
How DKIM signing and verification work
- Your email provider creates a private/public key pair. The private key stays on its sending system.
- You publish the public key as a TXT or provider-directed CNAME record in DNS.
- For each outgoing message, the provider hashes the body and selected headers, signs the result, and adds a
DKIM-Signatureheader. - The receiver reads the signing domain (
d=) and selector (s=), then requests the public key atselector._domainkey.domain. - If the cryptographic verification succeeds, DKIM passes.
Domains, selectors, and DNS records
Header: DKIM-Signature: ... d=example.com; s=mail2026; ...
DNS: mail2026._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIB..."A selector is simply a key name. It lets a domain publish multiple keys at once: one for Google Workspace, one for a marketing platform, and a new one during rotation. Selectors are not secret; they appear in every signed message.
Some providers give you a CNAME instead of a TXT value. That is normal: the CNAME delegates key hosting and rotation to the provider. Publish exactly the record type and host it supplies.
DKIM alignment under DMARC
A cryptographically valid signature can still fail DMARC if it signs with an unrelated domain. For DKIM to contribute a DMARC pass, the d= domain must align with the visible From domain. Under relaxed alignment, a subdomain relationship is enough; strict alignment requires an exact match.
| Visible From | DKIM d= | DKIM result | DMARC-aligned? |
|---|---|---|---|
example.com | example.com | Pass | Yes |
example.com | mail.example.com | Pass | Yes under relaxed alignment |
example.com | vendor-send.net | Pass | No |
Why DKIM fails
- The public key is missing, malformed, published under the wrong selector, or not fully propagated.
- The sending platform has a key configured but DKIM signing was never enabled.
- The provider rotated its private key while DNS still contains the old public key.
- A forwarding gateway, footer tool, or mailing list changed signed headers or the body.
- The message uses an expired signature or an unsupported/weak key configuration.
A body hash did not verify result points specifically to message-body changes. Use the header analyzer to see the receiver's result and the DKIM checker to test the public key.
How to enable and maintain DKIM
Generate or request a key in each sending platform, publish its DNS record, wait for the provider to detect it, and explicitly turn on signing. Then send a real message and confirm that dkim=pass uses a d= domain aligned with your From address. The full workflow is in how to enable DKIM.
Use 2048-bit RSA keys when your provider and DNS host support them, or the provider's supported modern alternative. Rotate keys periodically and immediately after suspected private-key exposure. Rotation is safer when you publish a new selector before retiring the old one, allowing in-flight mail to verify.
Sources and further reading
- RFC 6376 — DomainKeys Identified Mail (DKIM) — The definitive DKIM signing, selector, key, and verification specification.
- RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC) — The DMARC policy, alignment, reporting, and record-format specification.