DKIM: what it is, why it is needed, and how to set it up for a domain

DKIM (DomainKeys Identified Mail) is a technology that lets a domain vouch for an email and proves the email was not altered along the way. When you send an email, the sending server adds a digital signature that is tied to your domain. The receiving server verifies that signature with a public key published in your DNS, the DKIM record. A valid signature shows that the signing domain took responsibility for the message and that the signed headers and body arrived unchanged. Whether the signing domain is the same one shown in the sender's address is a separate check, called alignment, which DMARC performs on top of DKIM.

Why a DKIM signature is needed in email marketing

1. Protection against email forgery. Malicious actors often send fake emails in the name of well-known domains. DKIM adds a digital signature that cannot be produced without the domain's private key, so a receiving server can tell a message the domain really signed from one that merely claims to come from it. The result of the check feeds spam filtering and the domain's DMARC policy, which is what ultimately quarantines or rejects phishing emails.
2. Trust from email systems. Gmail, Outlook, Yahoo and other email services take the presence and result of the DKIM check into account when filtering. Emails with a valid DKIM signature are more likely to land in the Inbox, and Gmail and Yahoo now require bulk senders to sign with DKIM at all.
3. Brand protection. When a mailing service sends on your behalf and the message carries no DKIM signature for your domain, Gmail and some other clients show a note like "via third-party-service.com" next to the sender. This reduces trust and muddies brand perception. With DKIM for your own domain the email is attributed to your company, and the recipient sees the domain name they trust.
4. Support for DMARC. DMARC requires that an email pass at least one of SPF or DKIM with an aligned domain: the domain in the DKIM d= tag (or the envelope sender domain for SPF) must match the domain in the From header. If DKIM is not configured and SPF fails, email services apply your DMARC policy and quarantine or reject the message. SPF also breaks whenever a message is forwarded, because the forwarding server is not in your SPF record, while a DKIM signature survives forwarding as long as the message is not modified. Without DKIM your DMARC reports show every message as unsigned, so you cannot tell your own mail streams from someone else's forgeries or see who is sending on your behalf.
5. Increased efficiency of mailings. DKIM improves deliverability, especially at large volumes. Together with SPF and a DMARC policy of quarantine or reject, it is a prerequisite for displaying the sender's logo through BIMI. Proper authentication (DKIM along with SPF and DMARC) is also required for the reputation analytics in Google Postmaster Tools and similar services.


The mechanism of DKIM verification

1. Key generation and DKIM record publication

The domain owner generates a pair of cryptographic keys: a private key and a public key. The private key stays on the signing server and must never leave it; the public key is placed in DNS as a TXT record, which is the DKIM record for the domain.

The record name consists of a selector, the fixed label _domainkey, and the domain, for example: selector1._domainkey.example.com. The value carries the DKIM parameters as tag=value pairs separated by semicolons: the version (v=DKIM1), the key type (k=rsa), and the public key itself in Base64 (p=…). A 2048-bit RSA public key is 392 Base64 characters while a single TXT string is limited to 255 bytes, so the value is usually published as two or more quoted strings that the verifier concatenates. The record is readable by every mail server, which is the point: any receiver can fetch it to verify signed emails. Selectors let a domain publish several keys at once, for example one per mailing service or one per key-rotation generation.

2. Signing the outgoing email

At this stage, the signing server:

  • canonicalizes the body (simple or relaxed canonicalization, announced in the c= tag), hashes it with SHA-256, and places the Base64 hash in the bh= tag;
  • selects the headers to sign (for example, From, To, Subject, Date) and lists them in the h= tag; From must always be included;
  • canonicalizes those headers together with the DKIM-Signature header itself (with an empty b= tag) and hashes them;
  • signs that hash with the private key (rsa-sha256 in practice; rsa-sha1 is obsolete and rejected by modern verifiers);
  • encodes the signature in Base64, writes it into b=, and adds the finished DKIM-Signature header to the email.

The DKIM-Signature header contains these key tags:

  • v — version of the signature format (always 1; DKIM1 is the version string of the DNS record, not of the header);
  • a — signing algorithm (rsa-sha256);
  • c — canonicalization for headers/body (for example, relaxed/relaxed);
  • d — signing domain (for example, example.com);
  • s — selector (for example, selector1);
  • h — list of signed headers (for example, from:to:subject:date);
  • bh — hash of the canonicalized body (Body Hash);
  • b — the digital signature itself.

3. Verification of DKIM signature by the recipient

The recipient's mail server (for example, Gmail or a corporate gateway) looks for the DKIM-Signature header in the email. Upon finding it, the server:

  • builds the DNS name from the selector (s=) and domain (d=) in the signature, selector._domainkey.domain, and queries it for a TXT record;
  • retrieves the public key from that record, and rejects the signature if the record is missing, malformed, or has an empty p= (an empty key means the key was revoked);
  • canonicalizes the body as delivered using the mode given in c=, hashes it, and compares the result with bh=;
  • canonicalizes the headers listed in h= plus the DKIM-Signature header with b= emptied, hashes them, and verifies the signature b= over that hash with the public key.

If both checks succeed, the email is considered genuine (dkim=pass) and the result is recorded in an Authentication-Results header. If either fails, the server marks the signature as invalid (dkim=fail) and may apply additional filters.

4. Verification results and their significance

The verification result (pass or fail) influences how the email is processed by spam filters, and a history of valid signatures builds the domain's sender reputation. A signature that fails verification is treated by verifiers as if the message were unsigned, as RFC 6376 requires, so for a domain with a DMARC policy a broken signature has the same effect as no signature at all. A steady stream of dkim=fail results in your DMARC reports is a sign of a misconfiguration or of an intermediary modifying your mail.

Email services also pass the verification result to DMARC. For DMARC, the DKIM result counts only if the d= domain is aligned with the domain in the From header: identical in strict mode, or sharing the same organizational domain (mail.example.com and example.com) in relaxed mode, which is the default. If the email passes DKIM verification and the domains are aligned, DMARC considers the email genuine. Only if neither aligned DKIM nor aligned SPF passes does the receiver apply the domain's DMARC policy: p=none (monitor only), p=quarantine (spam folder), or p=reject.

5. DKIM limitations

DKIM verification confirms only the integrity of the signed parts of the email and the identity of the signing domain. It does not say whether that domain is trustworthy: anyone can register a look-alike domain and sign with a perfectly valid DKIM key, so a pass is a statement about who signed, not about whether the content is safe.

The DKIM signature breaks if the signed content is modified in transit. For instance, a mailing list or security gateway that appends a banner or rewrites the Subject invalidates the signature. Relaxed canonicalization tolerates only whitespace changes, such as re-wrapping of long lines; it does not survive added text. The l= tag, which limits how many bytes of the body are signed, is sometimes suggested as a workaround, but it lets anyone append content to a signed message and should not be used. The supported answer for intermediaries that must modify mail is ARC (Authenticated Received Chain), which lets them record the authentication results they saw before the modification so that the final receiver can take them into account.
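The signing and verification steps from sections 2 and 3, and the banner problem from section 5, as an added example; this is not code from the original page or from Altcraft. It implements the DKIM-specific work with only the Python standard library: simple and relaxed canonicalization, the body hash (bh=), and the exact bytes whose SHA-256 digest the signer hands to RSA and the verifier checks b= against. The RSA operation itself and fetching the public key from DNS are left to an RSA library or a DKIM library such as dkimpy. The sample headers and body are constructed, and the function names are this example's own.

```python
import base64
import hashlib
import re

# Constructed sample message (not from the page). Header values and the body carry
# irregular whitespace on purpose so that relaxed canonicalization has work to do.
SAMPLE_HEADERS = [
    ("From", "  Alice <alice@example.com>"),
    ("To", "bob@example.net"),
    ("Subject", "DKIM   test"),
    ("Date", "Mon, 1 Jan 2024 10:00:00 +0000"),
]
SAMPLE_BODY = b"Hello Bob,\r\n\r\nThis  is the body.  \r\n\r\n\r\n"


def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization, RFC 6376 section 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if mode == "simple":
        # only trailing empty lines are removed; exactly one CRLF ends the result
        return re.sub(rb"(\r\n)+$", b"", body) + b"\r\n"
    lines = body.split(b"\r\n")
    # strip trailing whitespace per line, collapse runs of SP/TAB to one SP
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":  # drop trailing empty lines
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def canon_header(name: str, value: str, mode: str = "relaxed") -> bytes:
    """Header canonicalization, RFC 6376 section 3.4.1 (simple) and 3.4.2 (relaxed)."""
    if mode == "simple":
        return f"{name}:{value}\r\n".encode()
    value = re.sub(r"\r\n[ \t]+", " ", value)           # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")  # collapse WSP, none around the colon
    return f"{name.lower()}:{value}\r\n".encode()


def parse_tags(dkim_value: str) -> dict:
    """tag=value pairs of a DKIM-Signature value; folding whitespace inside values is ignored."""
    tags = {}
    for part in dkim_value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def canon_modes(tags: dict) -> tuple:
    """c=header/body; with no body part the body mode is simple (RFC 6376 section 3.5)."""
    parts = tags.get("c", "simple").split("/")
    return parts[0], (parts[1] if len(parts) > 1 else "simple")


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """The bh= value: Base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def signature_input(headers, dkim_value: str) -> bytes:
    """Bytes whose SHA-256 is signed as b= (RFC 6376 section 3.7): the headers named in h=,
    in that order, then the DKIM-Signature header itself with an empty b= and no final CRLF."""
    tags = parse_tags(dkim_value)
    header_mode, _ = canon_modes(tags)
    last = {}
    for name, value in headers:      # if a name repeats, the last occurrence is the one signed
        last[name.lower()] = (name, value)
    data = b"".join(canon_header(*last[n], header_mode)
                    for n in tags["h"].lower().split(":") if n in last)
    without_b = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", dkim_value)
    return data + canon_header("DKIM-Signature", without_b, header_mode).rstrip(b"\r\n")


def prepare_signature(headers, body: bytes, domain: str, selector: str, signed, mode="relaxed"):
    """Build the DKIM-Signature value (b= still empty) and the digest the RSA private key signs."""
    dkim_value = (f"v=1; a=rsa-sha256; c={mode}/{mode}; d={domain}; s={selector}; "
                  f"h={':'.join(signed)}; bh={body_hash(body, mode)}; b=")
    return dkim_value, hashlib.sha256(signature_input(headers, dkim_value)).digest()


def verify_body_hash(dkim_value: str, body: bytes) -> bool:
    """The receiver's first check: recompute bh= from the body as delivered."""
    tags = parse_tags(dkim_value)
    _, body_mode = canon_modes(tags)
    return body_hash(body, body_mode) == tags["bh"]


if __name__ == "__main__":
    value, digest = prepare_signature(SAMPLE_HEADERS, SAMPLE_BODY, "example.com", "selector1",
                                      ["from", "to", "subject", "date"])
    print("DKIM-Signature:", value)
    print("digest the private key signs:", digest.hex())
    print("bh check on the body as sent:", verify_body_hash(value, SAMPLE_BODY))
    # a gateway appending a banner changes the canonicalized body, so bh= no longer matches
    banner = SAMPLE_BODY + b"-- scanned by example gateway --\r\n"
    print("bh check with a banner appended:", verify_body_hash(value, banner))
```

Running it prints the DKIM-Signature value with an empty b=, the digest that would be signed, and two bh checks: the body as sent passes, the same body with a banner appended does not. Under relaxed canonicalization a copy of the body that differs only in whitespace still passes, while under simple canonicalization it fails too, which is the practical difference between the two modes.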

How to configure DKIM for the domain

Step 1. Generating DKIM keys

Create a key pair, public and private, for your domain. If you are using an email distribution service or mail hosting, it usually generates the keys for you; otherwise use openssl or your mail server's DKIM tooling. Use an RSA key of 2048 bits: 1024 bits is the minimum that verifiers still accept and should only be a temporary compatibility choice, while longer keys make the record harder to publish and give little practical benefit for a key that is rotated regularly. Choose a selector, a short name made of Latin letters, digits and hyphens without spaces: dkim1, mail, default. The example uses the selector default.

Step 2. Creating a DKIM record in DNS

Add the DKIM record to the DNS zone of your domain with the registrar or hosting provider:

  • Record type — TXT.
  • Record name — selector._domainkey.yourdomain.com, for this example default._domainkey.yourdomain.com. Many DNS panels append the domain themselves, in which case enter only default._domainkey. Pay attention to the underscore and the correct structure of the name.
  • Record value — a string starting with v=DKIM1; k=rsa; p=…, where after p= you paste your public key in Base64 format as a single unbroken string (the body of the PEM file with the BEGIN/END lines and line breaks removed). If the panel limits a TXT string to 255 characters, split the value into several consecutive quoted strings; verifiers join them back together.

Step 3. Configuring the mail server or service

Configure the server or service to sign outgoing emails with your private key.

If you use a mailing service (ESP), it is usually enough to publish the record the service gives you, often as a CNAME to a record the service hosts so that it can rotate the key itself; the service then signs emails with d= set to your domain. In some cases, you may need to upload the private key manually. Treat it like any other secret: restrict file permissions on the server and keep it out of repositories and tickets.

Step 4. Checking DKIM setup

Check that DKIM is functioning correctly:

  • send a test email to your own mailbox at Gmail or Yahoo, open the original message (in Gmail, "Show original") and make sure the Authentication-Results header reports dkim=pass with d= equal to your domain;
  • verify that the TXT record is published using a command-line utility: dig TXT default._domainkey.yourdomain.com (add +short to print only the record value);
  • analyze DMARC aggregate reports if you have published a DMARC record with a rua= address: they show, per sending source, whether DKIM passed and whether it was aligned with your From domain.

Step 5. Maintenance and regular monitoring

After setup, regularly monitor the status of DKIM:

  • rotate DKIM keys regularly (at least every 1-2 years, and immediately if the private key may have leaked): generate a new pair, publish it under a new selector, switch the server to the new selector, and remove the old record only after a few days, once emails signed with the old key have been delivered and verified;
  • watch DMARC reports for dkim=fail results from your own sending sources; they usually mean a key, selector, or intermediary problem that needs fixing;
  • when adding new domains or sending services, immediately set up DKIM for them using the same scheme.

Errors in DKIM setup and their solutions

1. DKIM record not found (No DKIM record)

The mail server cannot find your public key in DNS. This occurs if you did not add the DKIM record, specified it incorrectly, or forgot to include _domainkey in the name. Sometimes, DNS servers have not yet updated after adding the record.

What to do: check that you created a TXT record with a name like selector._domainkey.example.com and that it sits in the correct zone. Use dig, nslookup, or an online check to verify that the record exists. If necessary, correct it and wait for DNS to update: usually 15-60 minutes, but up to the TTL of the zone, and longer if a resolver cached a negative answer from an earlier lookup.

2. Incorrect DKIM record format

An incorrect record format causes errors during verification. This is often the result of extra spaces, quotes, or automatic line breaks in the DNS management panel, or of pasting the PEM header lines along with the key. A CNAME at the record name is fine only when it points at a name that itself holds the TXT record, which is how many ESPs delegate their keys; a CNAME cannot coexist with a TXT record at the same name, and a CNAME pointing at a name without a DKIM record fails.

What to do: check that the value starts with v=DKIM1; and that p= contains exactly the Base64 you obtained during key generation, with no line breaks or quotes inside it. Remove any extra characters. Ensure you selected TXT (or a CNAME to the provider's record, if that is what the provider instructed) and not another record type. If the p= value had to be split into several strings, check that they are consecutive and in the right order.

3. DKIM signature fails verification (DKIM=fail)

You published the key, but the signature still fails. This may mean that you are using an incorrect selector, a key that does not match the published one, or that the email was altered in transit (for instance, modified by an external service). Sometimes the signature names one domain while the email was sent from a server that signs with another. The Authentication-Results header of the receiving server usually names the reason: "body hash did not verify" means the body changed after signing, while "signature did not verify" or "no key for signature" point at a key or selector mismatch.

What to do: verify that the selector and domain in the signature match the record in DNS. Ensure your server is signing emails with the private key that belongs to the published public key. If the email passes through third-party systems, disable modifications there or have them re-sign (or ARC-seal) the message after modifying it.

4. Duplicate DKIM records

When adding or replacing a key in DNS, old records often remain. If you have multiple TXT records with the same name, verification becomes unreliable: the RFC lets a verifier pick any of them, so many verifiers try only one, and some treat the ambiguity as an error.

What to do: remove the extra records. For each selector, keep only one record. When rotating, use a new selector for the new key (for example, dkim2025) and delete the old selector's record once mail signed with the old key is no longer in transit.
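Step 2 and Step 4 of the setup, and the record errors listed above, as an added example; this is not code from the original page or from Altcraft, and it uses only the Python standard library plus the dig binary for live lookups. It builds the TXT value for selector._domainkey from a public key and splits it into 255-byte strings, joins the quoted strings that dig +short TXT prints back into one value, and checks a selector's records for the mistakes described: no record, several records at one name, stray quotes or whitespace, a missing v=DKIM1, an empty (revoked) or non-Base64 p=, and a key that is not an RSA public key or is shorter than 1024 bits. SAMPLE_P is a constructed placeholder with the header bytes of a real 2048-bit RSA SubjectPublicKeyInfo followed by zero filler, not a usable key; the function names are this example's own.

```python
import base64
import re
import subprocess

# rsaEncryption OID in DER form; it appears in every RSA SubjectPublicKeyInfo
RSA_OID = bytes.fromhex("06092a864886f70d010101")

# Constructed placeholder (not a usable key): the header a 2048-bit RSA SPKI starts
# with, then zero filler and the exponent 65537. Paste the Base64 of your own key instead.
SAMPLE_P = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 344 + "AQAB"


def build_txt_record(pubkey_b64: str) -> list[str]:
    """Value for selector._domainkey, split into <=255-byte strings for the zone file."""
    value = f"v=DKIM1; k=rsa; p={pubkey_b64}"
    return [value[i:i + 255] for i in range(0, len(value), 255)]


def parse_dig_short(line: str) -> str:
    """Join the quoted character-strings that `dig +short TXT` prints for one record."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', line))


def query_txt(name: str) -> list[str]:
    """TXT records at name, one joined value per record (needs network and the dig binary)."""
    out = subprocess.run(["dig", "+short", "TXT", name], capture_output=True, text=True,
                         check=True).stdout
    return [parse_dig_short(line) for line in out.splitlines() if line.startswith('"')]


def parse_tags(value: str) -> dict:
    """tag=value pairs of a DKIM record; whitespace inside values is not significant."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def check_dkim_records(records: list[str]) -> list[str]:
    """Diagnose the setup errors from the text; an empty list means the selector looks healthy."""
    if not records:
        return ["no TXT record found: wrong name or zone, missing _domainkey, or DNS not updated yet"]
    problems = []
    if len(records) > 1:
        problems.append(f"{len(records)} TXT records at the same name; keep exactly one per selector")
    for rec in records:
        if rec != rec.strip() or '"' in rec:
            problems.append("stray whitespace or quote characters in the value")
        if not rec.lstrip().startswith("v=DKIM1"):
            problems.append("value does not start with v=DKIM1")
        tags = parse_tags(rec)
        if tags.get("k", "rsa") != "rsa":
            problems.append(f"k={tags['k']}: not an RSA key, this checker cannot inspect it")
        p = tags.get("p")
        if p is None:
            problems.append("missing p= tag")
        elif p == "":
            problems.append("p= is empty, which means the key is revoked; signatures will fail")
        else:
            try:
                der = base64.b64decode(p, validate=True)
            except ValueError:
                problems.append("p= is not valid Base64 (line breaks, quotes, or PEM header pasted in?)")
                continue
            if not der.startswith(b"\x30") or RSA_OID not in der:
                problems.append("p= does not decode to an RSA SubjectPublicKeyInfo")
            elif len(der) < 162:  # a 1024-bit RSA key encodes to 162 bytes, a 2048-bit one to 294
                problems.append(f"key is only {len(der)} DER bytes, below the 1024-bit minimum")
    return problems


if __name__ == "__main__":
    import sys
    print("zone-file form of the record:")
    for chunk in build_txt_record(SAMPLE_P):
        print(f'  "{chunk}"')
    # with a name on the command line the live record is checked, otherwise the sample
    records = query_txt(sys.argv[1]) if len(sys.argv) > 1 else ["".join(build_txt_record(SAMPLE_P))]
    print(check_dkim_records(records) or ["no problems found"])
```

Run it as python dkim_check.py default._domainkey.yourdomain.com to check the live record, or without arguments to see the sample record split into two quoted strings and pass the checks. The checker deliberately does not parse the DER beyond the SEQUENCE tag and the rsaEncryption OID; that is enough to catch pasted PEM headers, truncated keys and non-RSA blobs without pulling in an ASN.1 library.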

Conclusion

DKIM is a technology that confirms that an email was signed by the domain it claims to come from and has not been altered on its way to the recipient. Configuring DKIM plays a key role in protecting the brand from phishing, improving email deliverability, and strengthening trust in the sender.

DKIM is now a mandatory part of running mail infrastructure: the large mailbox providers require it from bulk senders, and it is an essential condition for maintaining a good sender reputation.
