What is DKIM?
DKIM stands for DomainKeys Identified Mail. It is the cryptographic component of email authentication. While SPF specifies which servers are allowed to send email for your domain, DKIM attaches a digital signature to each message that covers the body and a chosen set of headers (typically From:, Subject:, Date: and others the signer lists). A verifier can confirm that the signature was produced by the holder of the private key for the domain named in the signature, and that the signed parts of the message have not been altered in transit.
The sending system signs each message with its private key and places the result in a DKIM-Signature header, which also names the signing domain (the d= tag) and the selector (the s= tag). Receiving servers build the name <selector>._domainkey.<domain>, fetch the public key from that DNS TXT record, and check the signature. If it verifies, the message gets a DKIM pass; if the signed content was changed or the key cannot be found, it fails. Note that a DKIM pass only shows the message was signed by whoever controls the key for d=; it does not by itself show that d= matches the domain in the visible From: header. That alignment check is DMARC's job.
What a DKIM DNS Record Looks Like
Your email sending provider will give you a selector and public key to publish as a DNS TXT record (if you run your own mail server, you generate the key pair yourself and publish the public half the same way):
Host: s1._domainkey.example.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...
The parts of the record:
- v=DKIM1: DKIM version. If present it must be the first tag and must read exactly DKIM1.
- k=rsa: key algorithm. RSA is most common; Ed25519 (k=ed25519, RFC 8463) is also supported by some providers and verifiers.
- p=...: base64-encoded public key. For RSA this is the DER-encoded SubjectPublicKeyInfo, the same bytes `openssl rsa -pubout -outform DER` produces. An empty p= value means the key has been revoked.
- s1: the selector. It lives in the host name, not in the TXT value. The s= tag of each DKIM-Signature header tells the verifier which selector to look up, which is what lets you publish a new key under a new selector and switch signing to it without downtime.
A 2048-bit RSA key produces a p= value of roughly 390 characters, which exceeds the 255-byte limit of a single TXT string. Your DNS provider will split the value into several quoted strings; verifiers concatenate them, so this is normal and not an error.
DKIM Best Practices
- Use at least 2048-bit RSA keys. 1024-bit keys are considered weak: RFC 8301 tells verifiers to treat keys shorter than 1024 bits as invalid and recommends that signers use 2048-bit keys.
- Rotate keys periodically (recommended at least once per year) by publishing the new public key under a new selector, switching signing to it, and leaving the old record in place until mail signed with the old key has been delivered (a few days). Then remove the old record or revoke it with an empty p=. Do not swap a new key in under the existing selector, because messages already in transit with the old signature would then fail verification.
- Sign every outgoing message, including transactional emails, bounces, and auto-replies. Any unsigned mail from your domain is a gap that DMARC cannot cover unless SPF happens to align, and with p=reject it will be rejected.
- Ensure the DKIM d= domain aligns with the domain in the visible From: address so that DMARC passes. In relaxed alignment (the default) d= and the From: domain only need to share the same organizational domain, so mail.example.com can sign for example.com; in strict alignment (adkim=s) they must match exactly. A signature whose d= is your provider's own domain will verify but will not give DMARC alignment for your domain.
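As an added example illustrating both the record format above and the key-size and selector practices in this list (my own code, not from the page or from any provider), the following Python uses only the standard library to parse a DKIM TXT record, extract the RSA modulus size by walking the DER SubjectPublicKeyInfo, and report the conditions that matter in practice: a revoked key (empty p=), a key below 2048 bits, a malformed Ed25519 key, and testing mode (t=y). It also shows how the s= and d= tags of a DKIM-Signature header map to the DNS name a verifier queries. The sample records are constructed with made-up moduli and are not real keys; the function names are assumptions of this example.

```python
import base64

# Added example (not from the original page): parse a DKIM DNS TXT record,
# extract the RSA modulus size without third-party libraries, and run the
# checks a practitioner would want before trusting the record. The sample
# records produced below use made-up moduli; they are not real keys.

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def parse_dkim_record(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dict (first '=' separates tag from value)."""
    tags = {}
    for item in txt.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            tags[key.strip()] = "".join(value.split())  # DNS may wrap long values with whitespace
    return tags


def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, body, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Return the modulus size of a DER SubjectPublicKeyInfo carrying an RSA key."""
    tag, body, _ = _der_read(spki, 0)          # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, alg, pos = _der_read(body, 0)           # AlgorithmIdentifier { OID, NULL }
    _, oid, _ = _der_read(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _der_read(body, pos)        # BIT STRING; first byte counts unused bits
    _, rsapub, _ = _der_read(bitstr[1:], 0)    # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, _ = _der_read(rsapub, 0)       # INTEGER n (may carry a leading 0x00)
    return int.from_bytes(n_bytes, "big").bit_length()


def check_dkim_record(txt, min_rsa_bits=2048):
    """Return a list of findings; an empty list means the record looks sound."""
    tags = parse_dkim_record(txt)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected version tag: v=%s" % tags["v"])
    key_type = tags.get("k", "rsa")            # k= defaults to rsa (RFC 6376)
    p = tags.get("p")
    if p is None:
        findings.append("missing p= tag")
    elif p == "":
        findings.append("key revoked (empty p=)")
    elif key_type == "rsa":
        bits = rsa_modulus_bits(base64.b64decode(p))
        if bits < min_rsa_bits:
            findings.append("weak RSA key: %d bits (minimum %d)" % (bits, min_rsa_bits))
    elif key_type == "ed25519":
        if len(base64.b64decode(p)) != 32:     # RFC 8463: p= is the raw 32-byte public key
            findings.append("malformed ed25519 key")
    else:
        findings.append("unknown key type: k=%s" % key_type)
    if "y" in tags.get("t", "").split(":"):    # t=y: domain is only testing DKIM
        findings.append("testing mode (t=y)")
    return findings


def dkim_lookup_name(dkim_signature_header):
    """Build the DNS name a verifier queries from a DKIM-Signature header's s= and d= tags."""
    tags = parse_dkim_record(dkim_signature_header)
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


# --- constructed sample data: a tiny DER encoder and placeholder moduli ------

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def sample_rsa_record(bits):
    """Constructed 'v=DKIM1; k=rsa; p=...' record whose modulus has the given size (not a real key)."""
    n = (1 << (bits - 1)) | 0x10001            # placeholder modulus, not a real key
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    pub = _der(0x30, _der_int(n) + _der_int(65537))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, check_dkim_record(sample_rsa_record(bits)))
    print(dkim_lookup_name("v=1; a=rsa-sha256; d=example.com; s=s1; h=from:to; bh=abc=; b=xyz="))
```

To check a live record, join the TXT strings returned by your resolver into one string and pass it to check_dkim_record; the DER walk deliberately stops at the modulus, since key size is the only property of the public key the record check needs.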
For a complete, step-by-step setup including SPF and DMARC, see the Email Authentication Guide.