What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that allows the sending server to digitally sign outgoing messages. The receiving server can then verify this signature using a public key published in DNS, confirming the email hasn't been modified in transit and actually originated from the claimed domain.
How DKIM Works
1. Key Generation: Domain owner generates a public/private key pair
2. DNS Publication: Public key is published as a TXT record
3. Message Signing: Outgoing emails are signed with the private key
4. Signature Verification: Receiving server retrieves public key and verifies signature
The Signing Process
When an email is sent:
1. Mail server calculates a hash of message headers and body
2. Hash is signed with the private key (creating the signature)
3. Signature is added as a DKIM-Signature header
4. Email is transmitted
The Verification Process
When an email is received:
1. Server extracts the DKIM-Signature header
2. Extracts the selector and signing domain from its tags (s=selector; d=domain.com)
3. Queries DNS for selector._domainkey.domain.com TXT record
4. Uses the public key to recover the signed hash from the signature
5. Calculates its own hash of the message
6. Compares: match = pass, mismatch = fail
DKIM Record Format
DKIM records are TXT records at a specific subdomain:
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0..."
Record Components
| Tag | Description | Example |
|---|---|---|
| v | Version | v=DKIM1 |
| k | Key type | k=rsa |
| p | Public key (base64) | p=MIGfMA0GCSqG... |
| t | Flags (optional) | t=y (testing mode) |
| h | Hash algorithms | h=sha256 |
Selectors
Selectors allow multiple DKIM keys per domain:
google._domainkey.example.com # Google Workspace
s1._domainkey.example.com # SendGrid
mailchimp._domainkey.example.com # Mailchimp
Each email service provides its own selector and key.
DKIM Signature Header
A DKIM signature looks like:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google;
c=relaxed/relaxed; q=dns/txt;
h=from:to:subject:date:message-id;
bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
b=AuUoFEfDxTDkHlLXSZEpZj79...
Key fields:
- d=: Signing domain
- s=: Selector (used to find DNS record)
- h=: Headers included in signature
- b=: The actual signature
- bh=: Body hash
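The body-hash half of the verification steps above, as an added Python example that is not from the original article: it parses the DKIM-Signature tag list, derives the DNS name from s= and d=, canonicalizes the body per RFC 6376 and recomputes bh=. The sample body and header values are constructed; checking the RSA signature in b= is left out.

```python
import base64
import hashlib
import re


def parse_tags(tag_list: str) -> dict:
    """Parse a DKIM tag=value list; DKIM-Signature and the DNS TXT record share this syntax."""
    tags = {}
    for part in tag_list.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is insignificant
    return tags


def dns_query_name(sig: dict) -> str:
    """Where the verifier fetches the public key: <selector>._domainkey.<signing domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """RFC 6376 section 3.4.3 ('simple') and 3.4.4 ('relaxed') body canonicalization."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # squeeze runs of SP/HTAB to a single SP, then drop trailing whitespace on each line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:  # empty body: a single CRLF under simple, nothing at all under relaxed
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"  # guarantees a terminating CRLF


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """The bh= value: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()


def check_body_hash(dkim_signature: str, body: bytes) -> bool:
    """Verification steps 5 and 6 for the body: recompute bh= with the c= body mode and compare."""
    sig = parse_tags(dkim_signature)
    c = sig.get("c", "simple")
    body_mode = c.split("/")[1] if "/" in c else "simple"  # a lone 'relaxed' means relaxed/simple
    return sig.get("bh") == body_hash(body, body_mode)


if __name__ == "__main__":
    body = b"Quarterly report attached.\r\n\r\nThanks,\r\nAlice\r\n"  # constructed sample body
    # constructed DKIM-Signature value for that body; b= is a placeholder, RSA is not checked here
    sig_header = ("v=1; a=rsa-sha256; d=example.com; s=google; c=relaxed/relaxed; q=dns/txt;\r\n"
                  f"\th=from:to:subject:date:message-id;\r\n\tbh={body_hash(body)};\r\n\tb=PLACEHOLDER")
    print("key lookup:", dns_query_name(parse_tags(sig_header)))  # google._domainkey.example.com
    print("original body passes:", check_body_hash(sig_header, body))  # True
    with_footer = body + b"--\r\nSent via the announce list\r\n"  # what a mailing list might append
    print("footer appended passes:", check_body_hash(sig_header, with_footer))  # False: bh= mismatch
```

The footer case is the failure mode described under "Don't Modify Signed Messages": any byte that survives canonicalization changes bh= and the signature fails.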
Setting Up DKIM
For Google Workspace
1. Go to Admin Console → Apps → Gmail → Authenticate email
2. Generate DKIM key (2048-bit recommended)
3. Add TXT record provided by Google
4. Activate DKIM signing
For Third-Party Services
Most email services (SendGrid, Mailchimp, etc.) provide:
1. A CNAME record to add (for their managed key)
2. Or a TXT record with the public key
Example (SendGrid):
s1._domainkey.example.com CNAME s1.domainkey.sendgrid.net
Verifying DKIM
Send a test email to a service that shows headers (Gmail shows authentication results). From the command line, query the public key record directly:
dig google._domainkey.example.com TXT
Using DomScan:
curl "https://domscan.net/v1/health?domain=example.com"
# Reports DKIM status based on common selectors
DKIM Best Practices
Use 2048-bit Keys
Older 1024-bit keys are increasingly vulnerable. Most providers now default to 2048-bit.
Rotate Keys Periodically
Rotate DKIM keys annually or after security incidents. Publish new key with new selector before switching.
Sign Important Headers
Ensure From, To, Subject, Date, and Message-ID are included in signatures.
Don't Modify Signed Messages
Mailing lists or forwarding services that modify content will break DKIM. Use ARC (Authenticated Received Chain) for forwarded mail.
DKIM Limitations
DKIM alone doesn't prevent spoofing—it only proves a message wasn't altered. A domain can have valid DKIM while attackers send unsigned spoofed email. DMARC addresses this by specifying what to do with unsigned messages.