DKIM (DomainKeys Identified Mail) is an authentication method used to verify the integrity and legitimacy of email messages. Each email is digitally signed using a private key. The receiving mail server then checks this signature using a matching public key stored in your domain’s DNS.
This lets the receiver confirm that the signed parts of the message haven’t been altered in transit and that the message was really signed on behalf of the domain named in the signature.
Why should you use DKIM?
DKIM isn’t strictly required, but it’s highly recommended. Emails that are signed with DKIM are more likely to be recognized as trustworthy and therefore less likely to be flagged as spam or junk by providers like Gmail, Outlook, or Apple Mail.
DKIM is also a key component of DMARC, a standard that helps prevent others from sending fraudulent emails using your domain (spoofing). Along with SPF, DKIM helps establish and maintain your domain’s sending reputation.
By signing emails with your domain, you build a reputation that stays with you—even if you change email providers or send from multiple systems.
How does DKIM work?
DKIM uses a DNS TXT record that contains a public key. This record is referenced using a selector, which helps identify which key should be used. Example:
pm._domainkey.yourdomain.com IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4..."
pm is the selector
The public key is stored in DNS
The private key is used by your sending service to sign each email (and is never shared)
You can have multiple DKIM selectors and keys—one for each sending service you use. This makes it easy to rotate or remove keys without affecting others.
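The lookup described above, as an added example that is not part of the original page: this Python code derives the DNS name from the s= and d= tags of a DKIM-Signature header and checks a key record, including a key split across several TXT strings and a revoked key (empty p=). The header, the records and the key bytes are constructed placeholders, and the function names are illustrative.

```python
import base64
import re

def parse_tags(value):
    """Parse a DKIM tag=value list into a dict (same syntax in header and DNS record)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # first "=" only, so base64 padding survives
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def key_record_name(dkim_signature):
    """DNS name the receiver queries: <selector>._domainkey.<domain>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def join_txt(rdata):
    """Concatenate the quoted strings of a TXT record; long keys are split into chunks."""
    chunks = re.findall(r'"([^"]*)"', rdata)
    return "".join(chunks) if chunks else rdata

def check_key_record(rdata):
    """Return a list of problems in a DKIM key record; an empty list means it parses cleanly."""
    raw = join_txt(rdata)
    tags = parse_tags(raw)
    problems = []
    first_tag = raw.split("=", 1)[0].strip()
    if "v" in tags and (first_tag != "v" or tags["v"] != "DKIM1"):
        problems.append("v= must be the first tag and equal DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):  # k= defaults to rsa
        problems.append("unknown key type")
    if "p" not in tags:
        problems.append("missing p=")
    elif tags["p"] == "":
        problems.append("key revoked (empty p=)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

# Constructed samples: placeholder values, not a real signature or key.
SIG = ("v=1; a=rsa-sha256; d=yourdomain.com; s=pm;\r\n"
       "\th=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=")
GOOD = '"v=DKIM1; k=rsa; p=QUJDRE" "VGR0g="'  # key split across two TXT strings
REVOKED = '"v=DKIM1; p="'

if __name__ == "__main__":
    print(key_record_name(SIG))
    for record in (GOOD, REVOKED):
        print(record, "->", check_key_record(record) or "ok")
```

The checks cover record syntax only; they do not verify a signature or measure key strength.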
DKIM as part of your email authentication setup
To fully protect your domain and ensure high deliverability, DKIM works together with:
| Method | Purpose |
|---|---|
| SPF | Defines which servers are allowed to send emails for your domain |
| DKIM | Confirms that the message is genuine and unaltered |
| DMARC | Enforces policies and reports abuse attempts |
For the best results, make sure all three are properly enabled.