DKIM explained — a simple guide
DKIM (DomainKeys Identified Mail) adds a digital signature to your emails that receivers can verify. It proves the email actually came from your domain and was not altered in transit.
How DKIM works
When you send an email, your mail server signs it with a private key and adds a DKIM-Signature header. The corresponding public key is published in your DNS. Receiving servers look up the public key and use it to verify the signature.
If the signature is valid: the email was sent by someone with access to your private key and was not modified. If invalid or missing: the receiver cannot verify authenticity.
What a DKIM DNS record looks like
DKIM keys are published as TXT records at selector._domainkey.yourdomain.com. The "selector" is a name chosen by your email provider. Google Workspace uses google, Microsoft uses selector1 and selector2.
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...
DKIM and DMARC alignment
For DMARC to pass via DKIM, the domain in the DKIM signature must align with the domain in the email's From: header. In relaxed mode (adkim=r), subdomains also align. In strict mode (adkim=s), it must be an exact match.
How to enable DKIM
DKIM is typically configured in your email provider's admin panel, not directly in DNS:
- Google Workspace: Admin console → Apps → Google Workspace → Gmail → Authenticate email
- Microsoft 365: Microsoft 365 admin center → Security → Email & collaboration → DKIM
- Other providers: Look for "DKIM", "email authentication", or "domain verification" in settings
Your provider will give you one or more DNS records to add. Once added and propagated, enable DKIM signing in the provider's dashboard.
Why DKIM alone is not enough
DKIM proves authenticity but does not tell receivers what to do when authentication fails. That is DMARC's job. DKIM + SPF + DMARC together give you full protection against spoofing.
Check if DKIM is configured for your domain.
Check my domain — free