Free Email Verifier

What is DKIM in email and why you need it


DKIM (DomainKeys Identified Mail) is an email authentication standard. It adds a cryptographic signature to each message header. The receiving server checks that signature against a public key published in your DNS. A valid signature proves the message came from your domain and was not altered in transit.

What does DKIM stand for and what does it do?

DKIM stands for DomainKeys Identified Mail. It is a sender authentication method that lets a receiving mail server confirm two things: the message really came from the domain it claims, and the signed parts were not changed after sending. It works quietly in the message headers.

Your mail server (or your email platform) holds a private key. The matching public key lives in a DNS TXT record on your domain. When you send, the server signs the message with the private key. Any receiver can look up the public key and check the signature. No shared secret is needed.

How does DKIM prove a message was not altered?

When you send, DKIM hashes selected headers and the body, then signs that hash with your private key. That signature becomes the b= value of the DKIM-Signature header. The receiver verifies the signature with your public key and recomputes the hash over the same headers and body. If the recomputed hash matches the signed one, nothing in the signed content changed. If they differ, the check fails.

Two hashes matter. The body hash (bh) covers the message body. The header hash covers a listed set of headers, like From, Subject, and Date. If a relay rewrites the subject or a spammer tampers with the body, the recomputed hash will not match. The signature breaks and the receiver knows.
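The two hashes described above, worked through in code. This is an added example, not the article's code or any mail platform's implementation: it applies the RFC 6376 canonicalization rules with the Python standard library only, computes the bh= value and the byte string the header hash covers, and shows which changes break each one. The RSA step that turns the header hash into the b= signature is not implemented here; the message, headers and selector name are constructed for the example.

```python
import base64
import hashlib
import re

# Added example, not the article's or any mail platform's code: the hashing
# steps behind a DKIM-Signature (RFC 6376), standard library only. The RSA
# step that turns the header hash into the b= tag is not implemented here;
# everything the receiver recomputes before that step is.


def canon_body_simple(body: str) -> str:
    """'simple' body canonicalization: CRLF line endings, trailing empty lines
    removed, exactly one CRLF at the end (an empty body becomes a lone CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines) or "\r\n"


def canon_body_relaxed(body: str) -> str:
    """'relaxed' body canonicalization: runs of spaces/tabs collapse to one
    space, trailing whitespace on each line is dropped, then trailing empty
    lines are removed (an empty body canonicalizes to the empty string)."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def canon_header_relaxed(name: str, value: str) -> str:
    """'relaxed' header canonicalization: lowercase name, continuation lines
    unfolded, whitespace collapsed and trimmed, no space after the colon."""
    value = re.sub(r"\r\n[ \t]", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.lower()}:{value}\r\n"


def body_hash(body: str, relaxed: bool = True) -> str:
    """The bh= tag: base64 of SHA-256 over the canonicalized body."""
    canon = canon_body_relaxed(body) if relaxed else canon_body_simple(body)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def body_matches(body: str, claimed_bh: str, relaxed: bool = True) -> bool:
    """The receiver's body check: recompute bh= and compare with the header."""
    return body_hash(body, relaxed) == claimed_bh


def header_hash_input(headers: dict, signed: list, dkim_sig_value: str) -> bytes:
    """The bytes the signer hashes and signs and the verifier recomputes: every
    header named in h=, in that order, then the DKIM-Signature header itself
    with an empty b= value and without its final CRLF."""
    lookup = {k.lower(): v for k, v in headers.items()}
    out = "".join(canon_header_relaxed(n, lookup[n.lower()]) for n in signed)
    # Empty only the b= tag; the lookbehind keeps a 'b=' inside base64 intact.
    sig_without_b = re.sub(r"(?<![^;\s])b=[^;]*", "b=", dkim_sig_value)
    out += canon_header_relaxed("DKIM-Signature", sig_without_b).rstrip("\r\n")
    return out.encode()


def header_hash(headers: dict, signed: list, dkim_sig_value: str) -> str:
    """Hex SHA-256 of the header hash input; this is what the b= signature covers."""
    return hashlib.sha256(header_hash_input(headers, signed, dkim_sig_value)).hexdigest()


if __name__ == "__main__":
    # Constructed sample message; the signer covers From, Subject and Date.
    body = "Hi team,\r\n\r\nThe invoice is   attached.\r\n\r\n\r\n"
    headers = {"From": "Alice <alice@example.com>",
               "Subject": "Invoice 42",
               "Date": "Mon, 01 Jan 2024 10:00:00 +0000"}
    bh = body_hash(body)
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
           f"h=From:Subject:Date; bh={bh}; b=")
    print("bh=", bh)
    print("header hash:", header_hash(headers, ["From", "Subject", "Date"], sig))
    # A relay that only re-wraps whitespace keeps bh; one that edits text breaks it.
    print("re-wrapped body still matches:",
          body_matches("Hi team,\r\n\r\nThe invoice is attached.\r\n", bh))
    print("edited body matches:", body_matches(body.replace("attached", "overdue"), bh))
    # A rewritten Subject changes the header hash, so the b= signature no longer verifies.
    headers["Subject"] = "[EXTERNAL] Invoice 42"
    print("header hash after Subject rewrite:", header_hash(headers, ["From", "Subject", "Date"], sig))
```

The relaxed canonicalization is why a forwarder that re-wraps whitespace usually leaves the signature intact while one that adds a subject tag or a footer breaks it: the first change disappears during canonicalization, the second reaches the hash.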

This is why DKIM survives forwarding better than SPF. SPF checks the sending server's IP, which changes when a message is forwarded. DKIM travels with the message. As long as the forwarder does not modify the signed headers or body, the signature keeps passing. That portability is a real strength.

What does a DKIM signature look like?

A DKIM signature is a header named DKIM-Signature, built from tag and value pairs. Each tag has a job. You rarely edit these by hand, but knowing them helps you read a failed check. Here are the tags you will see most often.

Tag | What it means
v   | DKIM version, almost always 1
a   | Signing algorithm, typically rsa-sha256
d   | The signing domain that publishes the public key
s   | Selector, points to the exact DNS record holding the key
bh  | Hash of the message body
h   | List of headers covered by the signature
b   | The cryptographic signature itself

The selector (s) matters more than it looks. It lets you publish several keys on one domain, one per sending service. Rotate a key or add a new provider, and you just add another selector record. Nothing else has to change.

How do you set up DKIM?

Setting up DKIM takes three moves: turn on signing in your email platform, copy the public key it gives you, and publish that key as a DNS TXT record. Then send a test message and confirm the signature passes. Most providers walk you through the first two steps.

  1. Enable DKIM in your sending platform, such as Google Workspace, Microsoft 365, or your ESP. It creates a public and private key pair and keeps the private key.
  2. Copy the selector name and the public key value the platform gives you.
  3. Add a DNS TXT record at selector._domainkey.yourdomain.com holding that public key. Save it.
  4. Wait for DNS to propagate. This usually takes minutes, sometimes a few hours.
  5. Send a test email to an inbox you control, open the headers, and look for dkim=pass.
  6. Repeat for every service that sends as your domain, each with its own selector.

One detail trips people up: DNS caching. If you publish the record and test too fast, you may see dkim=none. Give it time, then recheck. Also keep the private key private. If a platform ever asks you to paste a private key into DNS, stop. Only the public key goes public.

Authentication decides whether a mailbox trusts your domain. List quality decides whether the address exists at all. Before your next send, paste your list into the Free Email Verifier or drop a CSV. It parses in your browser, never uploads the file, and flags invalid, risky, and disposable addresses without spending quota on obvious junk. Free for 10 checks a day, no signup, or 100 with just an email. If you would rather hand the whole pipeline to someone else, Synthisia runs the outreach and books the meetings for you.


What are the most common DKIM mistakes?

Most DKIM failures come from small setup errors, not broken cryptography. The record sits on the wrong host, the key gets mangled on paste, or a new sending tool goes unsigned. Each one turns a pass into a fail or a none. Check these before you blame the standard itself.

  • The TXT record on the wrong host. It belongs at selector._domainkey.yourdomain.com, not the root.
  • A public key broken by line breaks or stray spaces when pasted into DNS.
  • A new tool or ESP sending mail that no one set up to sign, so it arrives unsigned.
  • An old selector left active after a key rotation, which muddies your reporting.
  • A weak 1024-bit key where 2048-bit is now standard.
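The tag table, the setup steps and the mistakes list above come together in one check a receiver effectively performs: read s= and d= from the signature, query selector._domainkey.domain, and make sure the record there holds a usable key. The following is an added example, not the article's code or any provider's tooling. It parses a DKIM-Signature tag list, derives the DNS name, and lints a TXT record for the wrong host, a key mangled or truncated on paste, and a 1024-bit modulus. The small DER helpers exist only so the sample runs offline: the "keys" are structurally valid SubjectPublicKeyInfo blobs around made-up moduli, not real RSA keys, and example.com and the selector sel1 are placeholders.

```python
import base64
import re

# Added example, not the article's or any provider's code. It reads the tags of
# a DKIM-Signature header, derives the DNS name a verifier queries, and lints
# the TXT record found there for the mistakes listed above: wrong host, a key
# mangled on paste, and a 1024-bit key. The DER helpers exist only so the
# sample runs offline: the "keys" are structurally valid SubjectPublicKeyInfo
# blobs around made-up moduli, not real RSA keys.

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption


def parse_tags(value: str) -> dict:
    """Split a 'k=v; k=v' tag list, used by DKIM-Signature and the DNS record.
    Whitespace inside a value (folded base64) is ignored, as RFC 6376 allows."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(sig_tags: dict) -> str:
    """Where the verifier looks for the public key: <selector>._domainkey.<d>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def _der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def build_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER value runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length


def modulus_bits(spki_der: bytes) -> int:
    """Walk SPKI -> BIT STRING -> RSAPublicKey -> modulus and return its size."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_id, pos = _read_tlv(spki, 0)
    if not alg_id.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = _read_tlv(spki, pos)       # bit_string[0] = unused bits
    _, rsa_key, _ = _read_tlv(bit_string[1:], 0)
    _, modulus, _ = _read_tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def lint_dkim_record(host: str, txt: str, expected_host: str) -> list:
    """Return the problems a verifier would hit; an empty list means it looks right."""
    problems = []
    if host.lower().rstrip(".") != expected_host.lower().rstrip("."):
        problems.append(f"record is at {host}; verifiers query {expected_host}")
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    p = tags.get("p")
    if not p:
        problems.append("no p= value (an empty p= means the key is revoked)")
        return problems
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", p):
        problems.append("p= contains characters outside base64; check what was pasted")
        return problems
    try:
        bits = modulus_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError) as exc:
        problems.append(f"p= does not decode as an RSA public key ({exc}); likely truncated on paste")
        return problems
    if bits < 2048:
        problems.append(f"{bits}-bit key; 2048-bit is the expected size today")
    return problems


# Constructed sample keys (made-up moduli with the top bit set; not real keys).
GOOD_KEY_B64 = base64.b64encode(build_spki((1 << 2047) | 0x10001)).decode()
WEAK_KEY_B64 = base64.b64encode(build_spki((1 << 1023) | 0x10001)).decode()

if __name__ == "__main__":
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
           "h=From:Subject:Date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=")
    name = dkim_dns_name(parse_tags(sig))
    print("verifier queries TXT at", name)
    cases = {
        "correct record": (name, "v=DKIM1; k=rsa; p=" + GOOD_KEY_B64),
        "published at the root": ("example.com", "v=DKIM1; k=rsa; p=" + GOOD_KEY_B64),
        "key truncated on paste": (name, "v=DKIM1; k=rsa; p=" + GOOD_KEY_B64[:200]),
        "1024-bit key": (name, "v=DKIM1; k=rsa; p=" + WEAK_KEY_B64),
    }
    for label, (host, txt) in cases.items():
        print(f"{label}: {lint_dkim_record(host, txt, name) or 'ok'}")
```

To run it against a real selector, replace the constructed TXT value with the output of `dig +short TXT sel1._domainkey.example.com` (your own selector and domain); DNS providers may return a long p= value split into several quoted strings, which you join before passing it in.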

How does DKIM work with SPF and DMARC?

DKIM rarely works alone. SPF checks which servers may send for your domain. DKIM proves the message was signed by your domain and not altered. DMARC ties them together and tells receivers what to do when checks fail. You want all three published for full authentication.

DMARC also needs alignment. The domain in your From header should match the DKIM signing domain (d=). When the two line up and DKIM passes, the message is DMARC aligned. That alignment is what lets you move a DMARC policy from monitoring to quarantine or reject with confidence.

Think of the three records as a stack. SPF and DKIM are the checks. DMARC is the policy plus reporting. Turn on DMARC reporting first in monitor mode. Read the reports for a week or two. You will spot every service sending as your domain, including ones you forgot about.
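The alignment rule and the policy step from the three paragraphs above, as an added example that is not part of the article: a receiver-side DMARC evaluation that takes the SPF result, the DKIM result with its d= domain, the From: domain and the DMARC TXT record, and returns whether DMARC passed and what p= asks for when it did not. The organizational domain is approximated as the last two labels, which is wrong for suffixes such as co.uk (real verifiers use the Public Suffix List); sp=, pct= and report handling are left out, and example.com and esp-mail.net are placeholders.

```python
# Added example, not the article's code: how a receiver combines the SPF
# result, the DKIM result and the From: domain under a DMARC record
# (RFC 7489), with the policy applied only when nothing aligned passes.
# Organizational domain is approximated as the last two labels, which is
# wrong for suffixes such as co.uk; real verifiers use the Public Suffix List.
# sp=, pct= and report handling are left out.


def org_domain(domain: str) -> str:
    """Approximate organizational domain: the last two labels (see note above)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r',
    the default) accepts any subdomain of the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if not a or not b:
        return False
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def parse_dmarc(txt: str) -> dict:
    """Split the 'v=DMARC1; p=...; adkim=...' tag list of a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def evaluate_dmarc(from_domain, dmarc_txt, spf_result, spf_domain, dkim_result, dkim_d):
    """Return (dmarc_result, action): 'pass' when SPF or DKIM passed *and* its
    domain aligns with From:; otherwise 'fail' and the p= policy (none,
    quarantine or reject) the receiver is asked to apply."""
    rec = parse_dmarc(dmarc_txt)
    if rec.get("v") != "DMARC1":
        return "none", "deliver"        # no usable record, nothing to enforce
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, rec.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_d, rec.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", rec.get("p", "none")


if __name__ == "__main__":
    policy = "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.com"
    # Forwarded message: SPF breaks on the forwarder's IP, the DKIM signature survives.
    print(evaluate_dmarc("example.com", policy, "fail", "example.com", "pass", "example.com"))
    # Forgotten ESP: its own bounce domain passes SPF, but nothing aligns with From:.
    print(evaluate_dmarc("example.com", policy, "pass", "bounce.esp-mail.net", "none", ""))
    # Same ESP after DKIM signing was enabled with d=example.com.
    print(evaluate_dmarc("example.com", policy, "pass", "bounce.esp-mail.net", "pass", "example.com"))
    # Monitor mode: the same failure is only reported, not acted on.
    print(evaluate_dmarc("example.com", "v=DMARC1; p=none", "pass", "bounce.esp-mail.net", "none", ""))
```

The second and fourth cases are the ones a week of monitor-mode reports surfaces: a sender that passes SPF on its own bounce domain still fails DMARC for yours, and only once it signs with d= under your domain does the message become aligned.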

Does DKIM improve deliverability?

DKIM does not guarantee the inbox, but it removes a common reason for rejection. Major mailbox providers now expect authentication from bulk senders. A domain that signs consistently, aligns with DMARC, and keeps bounce rate under 2% builds sender reputation over time. Missing DKIM makes every other signal weaker.

Authentication and list quality work together. DKIM proves who sent the message. Clean data keeps you off spam traps and away from hard bounces. Run your list through the Free Email Verifier before a send to drop invalid and risky addresses, then let DKIM, SPF, and DMARC vouch for the mail that goes out.