What is DKIM?

Why DKIM Matters

• Ensures authenticity → proves the email wasn’t modified in transit.
• Builds trust with ISPs → Gmail, Outlook, and Yahoo strongly rely on DKIM.
• Improves deliverability → signed emails are less likely to go to spam.
• Required for DMARC → DMARC policies only work when SPF or DKIM are properly configured.

How DKIM Works (Step by Step)

1. Your mail server generates a private key and uses it to sign outgoing emails.
2. You publish the corresponding public key in your DNS as a TXT record.
3. When the recipient’s server gets the email, it: 

Example DKIM Record

default._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."

• This is the selector + domain used for DKIM.
• default → the selector (you can have multiple selectors, e.g. for rotating keys).
• _domainkey → required label that indicates this is a DKIM record.
• example.com → your domain name.

• Means this is a TXT record in DNS.
• DKIM uses TXT records to publish the public key.

• This is the value of the record, containing the DKIM settings:
• v=DKIM1 → version (always DKIM1).
• k=rsa → key type (RSA is the most common).
• p=... → the public key itself, base64 encoded. This is what receiving mail servers use to verify the signature in your emails.

Common Mistakes with DKIM

• Forgetting to add the DNS record for your DKIM selector.
• Using expired or mismatched keys.
• Not rotating keys → old keys can be compromised.
• Sending emails via a third-party service without enabling DKIM signing.

🥋 Sensei Tip 

DKIM is like putting your signature on every letter you send. Without it, anyone can forge your name. With it, your recipients know for sure it’s really you and that nothing was changed along the way.