What Is DKIM (DomainKeys Identified Mail)?
DKIM is an email authentication method that uses cryptographic signatures to verify that an email was sent by an authorized server and that its content has not been altered in transit.
How DKIM Works
DKIM uses public-key cryptography. The sending mail server signs outgoing emails with a private key, producing a digital signature that is added to the email's DKIM-Signature header. The corresponding public key is published as a DNS TXT record at selector._domainkey.yourdomain.com.
When the receiving server gets the email, it retrieves the public key from DNS and uses it to verify the signature. If the signature is valid, the server knows the message was sent by someone with access to the private key and that the content was not modified after signing.
Why DKIM Matters
DKIM provides message integrity verification, which SPF cannot do. While SPF verifies the sending server, DKIM verifies the message itself. This is especially important because DKIM signatures survive email forwarding — unlike SPF, which breaks when emails pass through intermediary servers. DKIM is also required for DMARC alignment.
DKIM Selectors
A DKIM selector is a string that identifies which public key to use for verification. This allows a domain to have multiple DKIM keys — for example, one for Google Workspace, another for a marketing platform. The selector is included in the DKIM-Signature header and is used to locate the correct DNS record.
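The lookup and integrity check described above, as an added Python example (not part of the original page). It derives the DNS name from the s= and d= tags and recomputes the body hash carried in the bh= tag, using the canonicalization rules of RFC 6376. Verifying the b= signature with the public key is left out, and the domain, selector and message are constructed sample values.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Split a DKIM tag=value list (header or DNS key record) into a dict."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {name.strip(): val.strip() for name, val in pairs}

def key_record_name(tags):
    """DNS TXT name that holds the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body(body, mode):
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse whitespace runs, drop trailing whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, mode):
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")

def body_hash_matches(tags, body):
    """Compare the bh= tag with a hash of the body as received.
    The l= (partial body length) tag is ignored, so a signature that covers
    only part of the body will not match here."""
    if not tags.get("a", "").endswith("-sha256"):
        return False  # only SHA-256 body hashes are handled in this example
    mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    claimed = re.sub(r"\s+", "", tags.get("bh", ""))
    return claimed == body_hash(body, mode)

# Constructed sample: body and header values are made up; b= is a placeholder.
SIGNED_BODY = b"Invoice 1042 is attached.\r\nRegards,\r\nBilling\r\n"
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mkt2024; "
                 "h=from:to:subject; bh=" + body_hash(SIGNED_BODY, "relaxed") +
                 "; b=PLACEHOLDER")

if __name__ == "__main__":
    tags = parse_tags(SAMPLE_HEADER)
    print("query TXT at:", key_record_name(tags))
    print("unmodified body:", body_hash_matches(tags, SIGNED_BODY))
    print("modified body:", body_hash_matches(tags, SIGNED_BODY + b"Pay here.\r\n"))
```

With relaxed canonicalization, whitespace-only changes made by a relay still produce the same body hash, while any change to the text itself does not.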
Frequently Asked Questions
How does DKIM signing work?
The sending server generates a hash of specific email headers and the body, then signs this hash with its private key. The signature is added to the DKIM-Signature header. The receiving server retrieves the public key from DNS and uses it to check that the signature matches the hash of the message it received.
Does DKIM encrypt the email content?
No. DKIM does not encrypt emails; it only signs them to verify integrity. For encryption, you need TLS at the transport level, or S/MIME or PGP for end-to-end encryption.
What is a DKIM selector?
A DKIM selector is a string used to locate the correct public key in DNS. It allows a domain to publish multiple DKIM keys for different email services. The record is found at selector._domainkey.yourdomain.com.