DKIM (DomainKeys Identified Mail)

What is DKIM (DomainKeys Identified Mail)?

DomainKeys Identified Mail (DKIM) is an authentication technology that attaches a digital signature to each email. This signature proves that the message came from the stated domain and that its content wasn’t altered in transit. In short, DKIM tells receiving mail servers, “This email really is from us, and no one tampered with it.”

Why it matters

Without DKIM, attackers can forge your domain and trick recipients with phishing or spam. ISPs like Gmail and Outlook strongly prefer messages with valid DKIM signatures and may filter unsigned mail into spam. Proper DKIM setup improves Inbox Placement, strengthens your brand’s credibility, and is an essential part of email authentication alongside SPF and DMARC.

How it works

When you send an email, your Email Service Provider (ESP) uses a private key to generate a signature. That signature is added to the email header. When the receiving mail server gets the message, it checks your DNS records for the public key you've published. If the signature matches the public key, the email is validated. If not, the message may be flagged as suspicious or rejected, depending on DMARC policies.

Examples

• AutoSend automatically signing outgoing emails with DKIM for all verified domains.

• A company publishing a DNS TXT record like default._domainkey.example.com with its public DKIM key.

• Gmail marking unsigned mail as potentially dangerous.

Best practices

• Use strong keys (2048-bit instead of 1024-bit).

• Rotate keys periodically for security.

• Validate your DKIM setup using testing tools before going live.

• Ensure alignment with your domain so DMARC passes consistently.

Related terms

SPF, DMARC, Email Deliverability

FAQs

What happens if DKIM fails?
If the receiving server can’t validate the DKIM signature, the email may still deliver but is more likely to be routed to spam. If your DMARC policy is strict (quarantine or reject), the email may be blocked entirely.

Do I need DKIM if I already have SPF?
Yes. SPF only verifies that the sending server is authorized, not that the email’s contents are intact. DKIM provides a second layer of security by ensuring integrity. Together, they form the foundation of email authentication.

Is DKIM mandatory?
Technically, no. But practically, yes—most major mailbox providers either require or strongly recommend it. Without DKIM, your deliverability will suffer.