DKIM: what it is, why it is needed, and how to set it up for a domain
Why a DKIM signature is needed in email marketing
The mechanism of DKIM verification
1. Key generation and DKIM record publication
The domain owner generates a pair of cryptographic keys: a private key and a public key. The private key is stored on the sender's server, and the public key is placed in DNS as a TXT record — this is the DKIM record for the domain.
The name of the record is formed from the selector and the fixed label _domainkey, for example: selector1._domainkey.example.com. The content (value) specifies the DKIM parameters: version (v=DKIM1), key type (k=rsa), and the public key itself (p=…). This record is readable by any mail server, which uses it to verify signed emails.
2. Signing the outgoing email
At this stage, the server:
- canonicalizes the body of the message (simple or relaxed canonicalization) and hashes it; this hash becomes the bh= tag;
- selects the headers to sign (From is mandatory; To, Subject, Date and others are usual), canonicalizes them in the order listed in h=, and appends the DKIM-Signature header itself with an empty b= value;
- hashes that header string and signs the hash with the private key (this is a digital signature, not encryption);
- encodes the signature in Base64, places it in the b= tag and inserts the finished DKIM-Signature header into the email.
The DKIM-Signature header contains key parameters:
- v — version of the signature format; always 1 (the DNS record, by contrast, uses v=DKIM1);
- a — signing and hashing algorithm (for example, rsa-sha256);
- c — canonicalization for headers and body (for example, relaxed/simple);
- d — signing domain (for example, example.com);
- s — selector (for example, selector1);
- h — list of signed headers (for example, from:to:subject:date);
- bh — hash of the body of the email (Body Hash);
- b — the digital signature itself.
3. Verification of DKIM signature by the recipient
The recipient's mail server (for example, Gmail or a corporate gateway) looks for the DKIM-Signature header in the email. Upon finding it, the server:
- builds the name of the DNS TXT record from the selector (s=) and the domain (d=) in the signature, in the form selector._domainkey.domain;
- retrieves the public key from that record;
- canonicalizes the body as specified in c=, hashes it and compares the result with bh=; a mismatch means the body was modified and the signature fails before any cryptography is done;
- canonicalizes the headers listed in h= plus the DKIM-Signature header with an empty b=, and verifies the signature b= over that data with the public key.
If both checks succeed, the email is considered genuine (dkim=pass). If not, the server records dkim=fail and may apply additional filtering.
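The following is an added example, my own code rather than anything from the article, that carries steps 2 and 3 through in Python using only the standard library: it canonicalizes the body and the signed headers, computes bh=, and assembles the exact bytes that b= covers. The RSA signing and verification step is deliberately left to a crypto library; everything here is the input that step consumes. The message, domain, selector and b= value in it are constructed for the demonstration.

```python
"""Added example, not code from the original page: the hash inputs of a DKIM
signature (RFC 6376) with only the Python standard library. It canonicalizes
the body and the signed headers, computes bh=, and assembles the bytes that b=
signs. MESSAGE is constructed for the demo; its b= is a dummy, not a signature."""
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str = "simple") -> bytes:
    """RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed); input uses CRLF line endings."""
    if mode == "relaxed":
        # per line: runs of SP/TAB become one SP, trailing whitespace is dropped
        body = b"\r\n".join(re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
                            for ln in body.split(b"\r\n"))
    body = body.rstrip(b"\r\n")          # both modes: ignore empty lines at the end
    if mode == "relaxed" and not body:   # relaxed: an empty body stays empty
        return b""
    return body + b"\r\n"                # simple: an empty body becomes one CRLF

def body_hash(body: bytes, mode: str = "simple", algo: str = "sha256") -> str:
    """The bh= tag: base64 of the digest over the canonicalized body."""
    return base64.b64encode(hashlib.new(algo, canon_body(body, mode)).digest()).decode("ascii")

def canon_header(name: str, value: str, mode: str = "simple") -> str:
    """One header as it enters the signed data. Relaxed: lowercase name, unfold,
    squeeze whitespace, no whitespace around the colon. Simple: unchanged."""
    if mode == "relaxed":
        name = name.lower()
        value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" ")
    return f"{name}:{value}\r\n"

def parse_tags(value: str) -> dict:
    """tag=value list of a DKIM-Signature header (folding whitespace removed)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def split_message(raw: bytes):
    """(name, value) headers with folding kept, plus the body, of a wire-format message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.decode("latin-1").split("\r\n"):
        if line[:1] in (" ", "\t"):          # folded continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, value = line.split(":", 1)
            headers.append((name, value))
    return headers, body

def strip_b(sig_value: str) -> str:
    """Empty the b= value (and only b=, not bh=) before the header is hashed."""
    return ";".join(p[: p.index("=") + 1] if p.strip().startswith("b=") else p
                    for p in sig_value.split(";"))

def check_body_hash(raw: bytes) -> bool:
    """The bh= check, which a verifier does before any DNS lookup or RSA work."""
    headers, body = split_message(raw)
    tags = parse_tags(next(v for n, v in headers if n.lower() == "dkim-signature"))
    _, _, bmode = tags.get("c", "simple").partition("/")
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]    # "rsa-sha256" -> "sha256"
    return body_hash(body, bmode or "simple", algo) == tags["bh"]

def signed_data(raw: bytes) -> bytes:
    """Bytes covered by b=: the h= headers, each taken bottom-up from the message
    (RFC 6376 5.4.2), then DKIM-Signature itself with b= emptied and no final CRLF."""
    headers, _ = split_message(raw)
    idx = next(i for i, (n, _) in enumerate(headers) if n.lower() == "dkim-signature")
    tags = parse_tags(headers[idx][1])
    hmode = tags.get("c", "simple").partition("/")[0]
    remaining = headers[:idx] + headers[idx + 1:]
    out = []
    for hname in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == hname.lower():
                out.append(canon_header(*remaining.pop(i), hmode))
                break
    out.append(canon_header("DKIM-Signature", strip_b(headers[idx][1]), hmode).rstrip("\r\n"))
    return "".join(out).encode("latin-1")

# Constructed message: empty body, folded DKIM-Signature header, dummy b=.
MESSAGE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=default;\r\n"
    b"\th=from:to:subject; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;\r\n"
    b"\tb=QUJD\r\n"
    b"From: Sender <news@example.com>\r\n"
    b"To: you@example.net\r\n"
    b"Subject: Empty   body, folded   header\r\n"
    b"\r\n"
)
TAMPERED = MESSAGE + b"Added in transit\r\n"   # what a gateway-appended footer does

if __name__ == "__main__":
    print("bh ok:", check_body_hash(MESSAGE), "| after tampering:", check_body_hash(TAMPERED))
    print(signed_data(MESSAGE).decode("latin-1"))
```

Two details worth noticing when you run it: the body check is independent of the key, so a gateway that appends a footer is caught before any DNS query, and the signed string ends with the DKIM-Signature header itself, which is why changing any tag in that header (for example the selector) also breaks the signature.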
4. Verification results and their significance
The verification result (pass or fail) influences how the email is processed by spam filters. A valid signature strengthens the sender's reputation. An invalid signature (fail) can hurt the reputation more than the complete absence of DKIM, because it looks like tampering or spoofing.
Email services also pass the verification result to DMARC. For DMARC, the d= domain of a passing DKIM signature must be aligned with the domain in the From header: an exact match in strict mode, or the same organizational domain in relaxed mode. DMARC passes if either aligned DKIM or aligned SPF passes; only when both fail is the domain's policy (p=none, quarantine or reject) applied, so the email is delivered, sent to spam or rejected according to that policy.
5. DKIM limitations
DKIM verification confirms only the integrity of the email and that the signing domain authorized it. It says nothing about the honesty of the sender: anyone can register a look-alike domain and publish a perfectly valid DKIM key for it.
The DKIM signature breaks if the signed parts of the email are modified in transit. For instance, a mailing list or a gateway that adds a footer banner to the body or rewrites the Subject header invalidates the signature. Relaxed canonicalization only tolerates whitespace changes; for real modifications, intermediaries use ARC (Authenticated Received Chain) to pass along the authentication results they saw before modifying the message.
How to configure DKIM for the domain
Step 1. Generating DKIM keys
Create a key pair — public and private — for your domain. If you are using an email distribution service or mail hosting, it usually generates the keys for you. Use an RSA key of 2048 bits; 1024 bits is the minimum verifiers still accept (RFC 8301), and anything shorter is rejected. Choose a selector — any short name made of Latin letters and digits without spaces: dkim1, mail, default. The examples below use the selector default.
Step 2. Creating a DKIM record in DNS
Add the DKIM record to the DNS of your domain with the registrar or hosting provider:
- Record type — TXT.
- Record name — default._domainkey.yourdomain.com, that is, the selector, then the label _domainkey, then your domain. Pay attention to the underscore and the correct structure of the name.
- Record value — a string starting with v=DKIM1; k=rsa; p=…, where after p= you specify your public key in Base64 format. A 2048-bit key makes the value longer than the 255 characters allowed in a single TXT string, so it has to be stored as several quoted strings; resolvers and verifiers join them back together.
Step 3. Configuring the mail server or service
Configure the server or service to sign outgoing emails with your private key.
If you use a mailing service (ESP), it is usually enough to add the DKIM record to DNS: the service itself signs emails from your domain. In some cases, you may need to upload the private key manually.
Step 4. Checking DKIM setup
Check if DKIM is functioning correctly:
- send a test email to your inbox in Gmail or Yahoo, open the source headers ("Show original" in Gmail) and check the Authentication-Results header: it should contain dkim=pass with header.d= equal to your domain;
- verify the presence of the TXT record using a command-line utility: dig TXT default._domainkey.yourdomain.com
- analyze DMARC reports if you have set up a reporting policy: they show whether the DKIM verification passed.
Step 5. Maintenance and regular monitoring
After setup, regularly monitor the status of DKIM:
- rotate DKIM keys every 1-2 years (more often for high-volume senders): generate a new pair under a new selector, publish its record in DNS, switch the server to the new key, and remove the old record only after a few days, when all mail signed with the old key has been delivered; a record with an empty p= explicitly revokes a key;
- when adding new domains, immediately set up DKIM for them using a similar scheme.
Errors in DKIM setup and their solutions
1. DKIM record not found (No DKIM record)
The mail server cannot find your public key in DNS. This occurs if you did not add the DKIM record, put it under the wrong name, or forgot to include _domainkey in the name. Sometimes the record exists but resolvers are still serving a cached answer from before it was added; wait for the TTL to expire.
2. Incorrect DKIM record format
An incorrect record format causes errors during verification. This is often the result of extra spaces, stray quote characters, or automatic line breaks inserted by the DNS management panel. A CNAME pointing at the record your mailing service publishes is fine, because resolvers follow it; the record fails if the CNAME's target has no TXT record, or if the CNAME was created alongside other records at the same name.
3. DKIM signature fails verification (DKIM=fail)
You published the key, but the signature still fails. Compare the d= and s= tags in the DKIM-Signature header with the record you published: a wrong selector or a key that does not match the private key on the server both produce this error. If bh= no longer matches, the body was altered in transit (for instance, by an external service adding a footer); if only b= fails, a signed header was changed. Sometimes the signature names one domain while the email was actually sent from another, which also breaks DMARC alignment.
4. Duplicate DKIM records
When adding or replacing a key in DNS, old records often remain. If several TXT records exist under the same selector name, many verifiers treat the lookup as an error and the signature fails; keep exactly one record per selector.
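As an added example, not code from the article, here are the checks behind Step 2 and errors 1 to 4 in Python with only the standard library: building the record value from a public key, splitting it into the 255-character strings a TXT record requires, rejoining what a resolver returns, and validating the tags and the RSA key size. The modulus used to build the test key is a made-up number, not a real key; in practice p= comes from your provider or from the public half of the key you generated.

```python
"""Added example, not code from the original page: checks on a DKIM DNS record
before and after publishing it. Builds the TXT value, splits it into 255-octet
strings, rejoins a resolver's answer, and validates tags and RSA key size.
The RSA modulus used below is a constructed dummy, not a real key."""
import base64
import binascii
import re

MAX_TXT_STRING = 255                              # RFC 1035 limit per TXT string
OID_RSA = bytes.fromhex("2a864886f70d010101")     # rsaEncryption 1.2.840.113549.1.1.1

def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder (tag, length, value), used only to build the test key."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(i: int) -> bytes:
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    return der_tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def make_rsa_spki(n: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo DER, the format the p= tag carries for k=rsa."""
    rsa_key = der_tlv(0x30, der_int(n) + der_int(e))
    alg_id = der_tlv(0x30, der_tlv(0x06, OID_RSA) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_key))

def der_read(buf: bytes, pos: int = 0):
    """Read one DER element at pos; returns (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and size the modulus."""
    _, seq, _ = der_read(spki)
    _, alg_id, after_alg = der_read(seq)
    if der_read(alg_id)[1] != OID_RSA:
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = der_read(seq, after_alg)
    _, rsa_key, _ = der_read(bit_string[1:])      # first octet = unused-bits count
    return int.from_bytes(der_read(rsa_key)[1], "big").bit_length()

def build_record(pubkey_b64: str, key_type: str = "rsa") -> str:
    return f"v=DKIM1; k={key_type}; p={pubkey_b64}"

def to_txt_strings(value: str) -> list:
    """Split for DNS: each piece becomes one quoted string in the zone file or panel."""
    return [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]

def from_txt_strings(strings) -> str:
    """What a verifier does with the answer: concatenate the strings as they are."""
    return "".join(strings)

def validate_record(value: str) -> list:
    """Problems with a resolved record value; an empty list means it is usable."""
    problems, tags = [], {}
    if '"' in value:
        problems.append("quote characters inside the value (did the panel add its own?)")
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # whitespace inside p= is allowed
        elif part.strip():
            problems.append(f"tag without '=': {part.strip()!r}")
    if "v" in tags and (tags["v"] != "DKIM1" or not value.lstrip().startswith("v=")):
        problems.append("v= must be DKIM1 and, when present, the first tag")
    if "p" not in tags:
        return problems + ["no p= tag"]
    if tags["p"] == "":
        return problems + ["p= is empty: key revoked, every signature with this selector fails"]
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64 (truncated, or characters inserted by the panel?)"]
    if tags.get("k", "rsa") != "rsa":
        return problems + [f"k={tags['k']}: this checker only inspects RSA keys"]
    try:
        bits = rsa_modulus_bits(der)
    except (ValueError, IndexError):
        return problems + ["p= does not decode as an RSA SubjectPublicKeyInfo"]
    if bits < 1024:
        problems.append(f"{bits}-bit RSA key: verifiers must reject keys under 1024 bits (RFC 8301)")
    elif bits < 2048:
        problems.append(f"{bits}-bit RSA key: accepted, but 2048 bits is the current recommendation")
    return problems

DUMMY_MODULUS = (1 << 2047) + 12345          # constructed 2048-bit number, NOT a real RSA modulus
DUMMY_P = base64.b64encode(make_rsa_spki(DUMMY_MODULUS)).decode("ascii")
RECORD = build_record(DUMMY_P)

if __name__ == "__main__":
    for s in to_txt_strings(RECORD):
        print(f'"{s}"')                       # zone-file form of the split record
    print(validate_record(from_txt_strings(to_txt_strings(RECORD))) or "record OK")
```

To check a live record, run dig +short TXT default._domainkey.yourdomain.com, strip the quotes from the strings it prints, pass them to from_txt_strings and then to validate_record; an answer with more than one TXT record, or none at all, is the error-1 or error-4 case above before the value itself is even inspected.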
Conclusion
DKIM is a technology that confirms that the email is indeed sent from the specified domain and has not been altered on its way to the recipient. Configuring DKIM plays a key role in protecting the brand from phishing, improving email deliverability, and strengthening trust in the sender.
DKIM is a mandatory part of working with mail infrastructure and an essential condition for maintaining a good reputation in the digital environment.