DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The receiving server can verify that the signed parts of the message weren’t altered in transit and that the message was signed by whoever holds the private key for the signing domain. It’s the second pillar of email authentication, after SPF.

How DKIM Works, The Simple Version

Think of it like sending a letter with a wax seal. The recipient can verify the seal isn’t broken (the message is intact) and that the seal matches your crest (you’re the legitimate sender).

DKIM does exactly that, digitally:

  1. On send: your mail server canonicalizes the message, hashes the body and a chosen set of headers, and signs that hash with a private key that only you possess
  2. The signature, the body hash and the list of signed headers are added as a DKIM-Signature header in the email
  3. On receive: the destination server reads the selector and domain from that header, fetches the matching public key from DNS and checks the signature against the hash it recomputes itself
  4. Verification: if the recomputed body hash matches bh= and the signature checks out, the signed headers and body are intact and were signed by the key holder for d=

Anatomy of a DKIM-Signature Header

DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=selector1;
    c=relaxed/relaxed; q=dns/txt; t=1711234567;
    h=from:to:subject:date:message-id;
    bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
    b=AuUoFEfDxTDkHlLXSZEpZj79LICEps6eda7W3deTVFOk...
Tag                Meaning
v=1                DKIM version
a=rsa-sha256       Signing algorithm (RSA + SHA-256); ed25519-sha256 is the other defined option
d=                 Signing domain; this must align with the From: domain for DMARC
s=                 Selector: which public key record (s._domainkey.d) to fetch
c=relaxed/relaxed  Canonicalization, header/body: how to normalize the message before hashing
q=dns/txt          How to fetch the key (a DNS TXT query is the only method defined)
t=                 Signing time (Unix timestamp)
h=                 List of signed headers, in the order they were hashed
bh=                Body hash: base64 SHA-256 of the canonicalized body
b=                 The signature itself, base64, computed over the listed headers plus this header

Canonicalization: simple vs relaxed

  • The two values in c= are header canonicalization and body canonicalization, in that order.
  • Simple: the signed headers and body must be byte-for-byte identical. A single space or a refolded header line added by a relay breaks the signature.
  • Relaxed: tolerates cosmetic changes (whitespace runs, trailing spaces, header refolding, header name casing). This is the recommended choice. It does not tolerate content changes: a footer added by a mailing list still breaks the signature.
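The canonicalization rules above, together with the signing and verification steps from "How DKIM Works" and the header anatomy, as an added example in pure Python (standard library only; this is not code from the page or from any DKIM implementation). It stops short of the RSA operation: it shows exactly which bytes a signer hashes and what a verifier recomputes. The message, the domain example.com, the selector selector1 and the timestamp are constructed placeholders.

```python
import base64
import hashlib
import re

WSP_RUN = re.compile(rb"[ \t]+")


def parse_message(raw: bytes):
    """Split a CRLF message into raw (still folded) header fields and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):  # folded continuation belongs to the previous field
            headers[-1] += b"\r\n" + line
        else:
            headers.append(line)
    return headers, body


def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # strip trailing WSP per line, collapse WSP runs to one SP
        lines = [WSP_RUN.sub(b" ", ln.rstrip(b" \t")) for ln in lines]
    while lines and lines[-1] == b"":  # both modes drop trailing empty lines
        lines.pop()
    if not lines:  # empty body: nothing in relaxed, a lone CRLF in simple
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def canon_header(raw: bytes, mode: str) -> bytes:
    """Header canonicalization, RFC 6376 3.4.1 (simple) / 3.4.2 (relaxed)."""
    if mode == "simple":
        return raw + b"\r\n"
    name, _, value = raw.partition(b":")
    value = WSP_RUN.sub(b" ", value.replace(b"\r\n", b"")).strip(b" \t")  # unfold, collapse, trim
    return name.lower().rstrip(b" \t") + b":" + value + b"\r\n"


def parse_tags(value: bytes) -> dict:
    """tag=value list of a DKIM-Signature; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(b";"):
        if b"=" in part:
            k, _, v = part.partition(b"=")
            tags[k.strip().decode()] = re.sub(rb"\s+", b"", v).decode()
    return tags


def signing_input(headers, dkim_raw: bytes, mode: str) -> bytes:
    """Bytes that get hashed and signed (RFC 6376 3.7): the h= headers in h= order, each
    taken bottom-up from the message, then the DKIM-Signature field with b= emptied, no CRLF."""
    pool, out = list(headers), b""
    for name in parse_tags(dkim_raw.partition(b":")[2])["h"].split(":"):
        for i in range(len(pool) - 1, -1, -1):  # last occurrence of a header is used first
            if pool[i].partition(b":")[0].strip().lower() == name.lower().encode():
                out += canon_header(pool.pop(i), mode)
                break
        # a listed but absent header ("oversigning") adds nothing, yet pins it: adding it later breaks the signature
    without_b = re.sub(rb"(;\s*)b=[^;]*", rb"\1b=", dkim_raw)
    return out + canon_header(without_b, mode).rstrip(b"\r\n")


def dkim_field(c: str, bh: str) -> bytes:
    """DKIM-Signature field a signer for the placeholder domain would add, b= still empty."""
    return (f"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;\r\n\tc={c};"
            f" q=dns/txt; t=1711234567;\r\n\th=from:to:subject:date:message-id;\r\n\tbh={bh};\r\n\tb=").encode()


def signer_view(raw: bytes, hmode: str, bmode: str) -> bytes:
    """Everything a signer hashes for `raw` under c=<hmode>/<bmode> (RSA step omitted)."""
    headers, body = parse_message(raw)
    return signing_input(headers, dkim_field(f"{hmode}/{bmode}", body_hash(body, bmode)), hmode)


def sign_stub(raw: bytes, hmode: str, bmode: str) -> bytes:
    """Prepend the DKIM-Signature field; b= stays empty because no RSA is run here."""
    body = parse_message(raw)[1]
    return dkim_field(f"{hmode}/{bmode}", body_hash(body, bmode)) + b"\r\n" + raw


def verify_body_hash(raw: bytes) -> bool:
    """Verifier side: read c= and bh= from the message's own DKIM-Signature and recompute
    bh over the body as received. The RSA check over signing_input() would follow."""
    headers, body = parse_message(raw)
    sig = next(h for h in headers if h.lower().startswith(b"dkim-signature:"))
    tags = parse_tags(sig.partition(b":")[2])
    bmode = tags.get("c", "simple/simple").partition("/")[2] or "simple"  # c= defaults to simple/simple
    return body_hash(body, bmode) == tags["bh"]


# Constructed sample message, CRLF line endings as on the wire.
ORIGINAL = (b"From: Alice <alice@example.com>\r\nTo: bob@example.net\r\n"
            b"Subject: Quarterly report\r\nDate: Thu, 20 Mar 2025 10:00:00 +0000\r\n"
            b"Message-ID: <abc123@example.com>\r\n\r\nHello Bob,\r\nNumbers  attached.\r\n")


def relay(raw: bytes) -> bytes:
    """A relay that refolds Subject, squeezes a double space and appends a blank line."""
    return (raw.replace(b"Subject: Quarterly report", b"Subject: Quarterly\r\n   report")
               .replace(b"Numbers  attached.\r\n", b"Numbers attached. \r\n\r\n"))


if __name__ == "__main__":
    for c in ("relaxed", "simple"):
        same = signer_view(ORIGINAL, c, c) == signer_view(relay(ORIGINAL), c, c)
        print(f"c={c}/{c}: signing input unchanged by relay: {same}; "
              f"bh still verifies: {verify_body_hash(relay(sign_stub(ORIGINAL, c, c)))}")
```

Running it prints that the relaxed signing input and body hash survive the relay while the simple ones do not. The DKIM-Signature field is itself part of the signed data (with b= blanked), which is why a verifier cannot be fooled by editing d=, s= or h= after the fact.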

The DKIM DNS Record

The public key is published as a TXT record at:

selector1._domainkey.yourdomain.com

The content looks like:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
Tag       Purpose
v=DKIM1   Version; optional, but if present it must be the first tag
k=        Key type: rsa (the default) or ed25519
p=        Base64-encoded public key; an empty p= means the key has been revoked
t=        Optional flags: y = testing mode (verifiers should not act on failures); s = strict, the i= identity domain must equal d= exactly, subdomains not allowed

RSA vs Ed25519

  • RSA 2048-bit (a=rsa-sha256): the current standard, supported everywhere
  • Ed25519 (a=ed25519-sha256, RFC 8463): a 32-byte key, so the DNS record fits in a single string, and much faster; receiver support is still incomplete, and a receiver that does not understand the algorithm simply ignores that signature

Recommendation: use RSA 2048 for compatibility, or sign each message twice, with an RSA key and an Ed25519 key published under different selectors, so receivers that understand Ed25519 use it and the others fall back to RSA.

Step-by-Step Setup

1. Generate a Key Pair

Most services (Google Workspace, Microsoft 365, Brevo, etc.) generate keys for you. For a self-managed server:

openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem

Keep dkim_private.pem readable only by the signing daemon; anyone who can read it can sign mail as your domain. The p= value you will publish is the body of dkim_public.pem: the base64 between the BEGIN PUBLIC KEY and END PUBLIC KEY lines, joined without line breaks.

2. Publish the Public Key in DNS

Create a TXT record for selector._domainkey.yourdomain.com with the public key content.

Note: a single TXT string is limited to 255 octets. A 2048-bit RSA key is about 392 base64 characters, so with the other tags the record must be split into multiple quoted strings; resolvers hand them back concatenated, with no separator:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMII"
"BCgKCAQEA..."

Some DNS consoles do this split for you; others reject or silently truncate long values, so always query the record back after publishing.
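Building the record, splitting it into TXT strings and checking that the key published is complete, as an added example in Python (standard library only; not code from the page or from any DNS or DKIM tool). It also serves "The DKIM DNS Record" section above and the "truncated record" mistake listed later. The key is a constructed SubjectPublicKeyInfo with a made-up modulus: its DER layout is exactly what openssl emits for a 2048-bit RSA key, but it is not a usable key.

```python
import base64
import binascii
import textwrap


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element (definite length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def constructed_rsa_spki(modulus: bytes, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: the DER that `openssl rsa -pubout` wraps in PEM."""
    e = exponent.to_bytes(3, "big")
    rsa_key = der_tlv(0x30, der_tlv(0x02, b"\x00" + modulus) + der_tlv(0x02, e))  # leading 0x00: top bit set
    rsa_oid = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"  # rsaEncryption OID, NULL parameters
    return der_tlv(0x30, der_tlv(0x30, rsa_oid) + der_tlv(0x03, b"\x00" + rsa_key))


def pem_to_p_value(pem: str) -> str:
    """Strip the BEGIN/END lines and newlines of dkim_public.pem to get the p= value."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))


def dkim_txt_record(p_value: str, key_type: str = "rsa") -> str:
    """The full record content for selector._domainkey.yourdomain.com (placeholder names)."""
    return f"v=DKIM1; k={key_type}; p={p_value}"


def split_txt_strings(record: str, limit: int = 255) -> list:
    """Cut the record into <=255-octet strings; DNS concatenates them with no separator."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def parse_dkim_record(strings: list) -> dict:
    """Reassemble the TXT strings as a resolver returns them and parse the tag=value pairs."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = "".join(v.split())  # folding whitespace is allowed inside p=, drop it
    return tags


def public_key_is_complete(tags: dict) -> bool:
    """Catch the 'truncated record' mistake before any verifier does: p= must decode, and for RSA
    its outer DER SEQUENCE length must account for every byte. An empty p= is a revoked key."""
    p = tags.get("p", "")
    if not p:
        return False
    try:
        der = base64.b64decode(p, validate=True)
    except (binascii.Error, ValueError):
        return False  # wrong length or padding: characters were lost in copy-paste
    if tags.get("k", "rsa") == "ed25519":
        return len(der) == 32  # raw public key, no DER wrapper
    if len(der) < 4 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        total = 2 + der[1]
    else:
        n = der[1] & 0x7F
        total = 2 + n + int.from_bytes(der[2:2 + n], "big")
    return total == len(der)


# Constructed 256-byte modulus (top bit set) wrapped the way openssl writes dkim_public.pem.
FAKE_MODULUS = bytes([0xC3]) + bytes(range(255))
FAKE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
            + "\n".join(textwrap.wrap(base64.b64encode(constructed_rsa_spki(FAKE_MODULUS)).decode(), 64))
            + "\n-----END PUBLIC KEY-----\n")
RECORD = dkim_txt_record(pem_to_p_value(FAKE_PEM))
STRINGS = split_txt_strings(RECORD)

if __name__ == "__main__":
    for s in STRINGS:
        print(f'"{s}"')
    print("complete:", public_key_is_complete(parse_dkim_record(STRINGS)))
    print("first string only:", public_key_is_complete(parse_dkim_record(STRINGS[:1])))
```

The prefix MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA that the page shows is not specific to one key: every 2048-bit RSA SubjectPublicKeyInfo starts with those bytes, which is a quick way to recognize the key type when reading a record by eye. After publishing, run the same check on what the resolver actually returns, not on what you pasted.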

3. Configure Signing on Your Server

  • Postfix: use OpenDKIM (opendkim)
  • Google Workspace: Admin Console → Apps → Gmail → Authenticate email
  • Microsoft 365: Defender portal → Email authentication → DKIM

4. Test

Send a test email to a mailbox you control and inspect the raw headers of the received copy. In the Authentication-Results header added by the receiver you should see:

Authentication-Results: mx.google.com;
    dkim=pass header.d=yourdomain.com header.s=selector1

Use the DKIM Checker to verify your DNS record, or the Header Analyzer to inspect a received email.

Key Rotation

DKIM keys should be rotated regularly (every 6 to 12 months), and immediately if the private key may have leaked:

  1. Generate a new key pair with a new selector (e.g., selector2); don't reuse a selector name with a different key, since resolvers may still cache the old record
  2. Publish the new public key in DNS
  3. Wait for DNS propagation (at least the record's TTL, typically a few hours)
  4. Configure your server to sign with the new selector
  5. Keep the old DNS record active for a few days, so mail already in transit still verifies
  6. Remove the old record, or replace its p= value with an empty one, which tells verifiers the key is revoked

DKIM and DMARC

For DKIM to contribute to DMARC, the d= domain in the DKIM signature must align with the From: domain: identical under strict alignment, or sharing the same organizational domain (e.g., mail.yourdomain.com and yourdomain.com) under the default relaxed alignment.

This is particularly important when using third-party services. Many offer a “DKIM with your domain” option, where you publish their public key under a selector in your own DNS zone; always enable it, otherwise the signature carries the provider's domain in d= and does not align.

Pro tip: DKIM usually survives forwarding (unlike SPF), because the forwarder's IP doesn't need to be in your SPF record; it's often DKIM alone that saves the day when an email is forwarded by a third party. The exception is a forwarder that modifies signed content, such as a mailing list that adds a subject tag or a footer.

Common Mistakes

  1. Key too short: 1024-bit RSA keys are considered weak. Move to 2048-bit (RFC 8301 requires verifiers to accept keys from 1024 to 4096 bits).
  2. Selector not found: verify the DNS record is published at the right location (selector._domainkey.domain) and that the s= in your signatures spells the selector the same way
  3. Truncated record: the public key must be complete. A botched copy-paste or a missing second TXT string = a signature that never verifies.
  4. Not signing with your own domain when using a third-party service → DMARC alignment fails
  5. Forgetting rotation: a leaked key can sign fraudulent mail in your name until its DNS record is removed or revoked

Check Your Configuration

Run a free audit to instantly see if your DKIM is properly configured, along with your SPF and DMARC.

Questions? Join us on Matrix.