
DKIM (DomainKeys Identified Mail)

An email authentication method that uses cryptographic signatures to verify that a message was signed by a domain that takes responsibility for it and was not altered afterwards.

Definition

DKIM (DomainKeys Identified Mail) is an email authentication standard (RFC 6376) that uses public-key cryptography to verify that an email was signed by a domain that takes responsibility for it and that the signed parts were not modified in transit. The sending server signs selected headers and the body with a private key, and the receiving server fetches the matching public key (published in DNS) to check the signature. Think of it as a tamper-evident seal on your emails: it does not hide the contents, but any change to the sealed parts is detectable.

Why It Matters

DKIM provides a way to prove who signed an email and that it has not been altered since. Emails with valid DKIM signatures are more trusted by receiving servers and less likely to land in spam. DKIM also enables DMARC alignment (the d= domain in the signature matching the From domain), which is increasingly required for good deliverability. Without DKIM, a receiver has no cryptographic way to tell a message you sent from one forged in your domain's name; DKIM combined with a DMARC policy lets it reject the forgery.

How It Works

When you send an email, your mail server canonicalizes the body and hashes it (the bh= tag), then hashes the selected headers together with the DKIM-Signature header itself and signs that hash with your private key. The result goes in the b= tag of a 'DKIM-Signature' header. The receiving server reads the domain (d=) and selector (s=) from the signature, fetches the public key from the DNS TXT record at selector._domainkey.domain, recomputes both hashes from the message it received, and checks the signature against them. A match confirms that the signed headers and the body are exactly what the signing domain saw. Signing is not encryption: nothing in the message is hidden, and headers that are not listed in the h= tag are not protected.

Example

When Sequenzy sends a newsletter for example.com, it adds a DKIM-Signature header:

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=seq1; h=from:to:subject:date; bh=abc123...; b=xyz789...

Breaking it down:
  • v=1 is the DKIM version and a=rsa-sha256 the signing algorithm
  • d=example.com shows which domain signed the email
  • s=seq1 is the selector (identifies which key to use)
  • h=from:to:subject:date lists the headers covered by the signature
  • bh= is the hash of the message body
  • b= is the actual cryptographic signature over the listed headers and bh=

When Gmail receives this email, it looks up seq1._domainkey.example.com in DNS, finds the public key, and uses it to verify the signature. If someone modified the body or any of the listed headers in transit, the verification would fail; a header that is not listed in h= could still be changed without affecting the result.
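The signing and verification steps described above, as an added example that is not part of the original page or of Sequenzy's own signing code. It implements rsa-sha256 with relaxed header and simple body canonicalization from RFC 6376, signs a constructed newsletter for example.com under selector seq1, and then verifies it the way a receiver would. The DNS lookup is replaced by an in-memory map keyed by the selector._domainkey.domain name; the message headers, body and key are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Header is one message header field as it appears on the wire.
type Header struct{ Name, Value string }

var (
	wsRun = regexp.MustCompile(`[ \t]+`)
	bTag  = regexp.MustCompile(`(^|;[ \t]*)b=[^;]*`) // the b= tag, wherever it sits in the value
)

// canonHeader applies relaxed header canonicalization (RFC 6376 section 3.4.2):
// lowercase the name, unfold, collapse whitespace runs, trim both ends.
func canonHeader(name, value string) string {
	v := strings.NewReplacer("\r\n", "", "\n", "").Replace(value)
	return strings.ToLower(name) + ":" + strings.TrimSpace(wsRun.ReplaceAllString(v, " ")) + "\r\n"
}

// canonBody applies simple body canonicalization (RFC 6376 section 3.4.3):
// trailing empty lines are dropped and the body ends in exactly one CRLF.
func canonBody(body string) string { return strings.TrimRight(body, "\r\n") + "\r\n" }

// bodyHash is the bh= tag: base64(SHA-256(canonicalized body)).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(canonBody(body)))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signedData is the exact byte string that gets hashed and signed: the headers
// named in h=, in that order, then the DKIM-Signature header itself with its
// b= value emptied and no trailing CRLF.
func signedData(headers []Header, hNames []string, dkimValue string) []byte {
	var sb strings.Builder
	for _, n := range hNames {
		for _, h := range headers {
			if strings.EqualFold(h.Name, n) {
				sb.WriteString(canonHeader(h.Name, h.Value))
				break
			}
		}
	}
	dk := canonHeader("DKIM-Signature", bTag.ReplaceAllString(dkimValue, "${1}b="))
	sb.WriteString(strings.TrimSuffix(dk, "\r\n"))
	return []byte(sb.String())
}

// Sign returns the value of the DKIM-Signature header to add to the message.
func Sign(priv *rsa.PrivateKey, domain, selector string, headers []Header, body string) string {
	hNames := []string{"from", "to", "subject", "date"}
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(hNames, ":"), bodyHash(body))
	digest := sha256.Sum256(signedData(headers, hNames, value))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return value + base64.StdEncoding.EncodeToString(sig)
}

// parseTags splits "k=v; k=v" into a map (first "=" separates key from value).
func parseTags(value string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(value, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// Verify does what a receiver does. dnsKeys stands in for the TXT lookup at
// <s>._domainkey.<d>; a real verifier queries DNS here (assumption for the example).
func Verify(dnsKeys map[string]*rsa.PublicKey, headers []Header, body, dkimValue string) error {
	t := parseTags(dkimValue)
	if t["v"] != "1" || t["a"] != "rsa-sha256" {
		return fmt.Errorf("unsupported v=%q a=%q", t["v"], t["a"])
	}
	name := t["s"] + "._domainkey." + t["d"]
	pub, ok := dnsKeys[name]
	if !ok {
		return fmt.Errorf("no DKIM key record at %s", name)
	}
	if bodyHash(body) != t["bh"] {
		return fmt.Errorf("bh= mismatch: body changed after signing")
	}
	sig, err := base64.StdEncoding.DecodeString(t["b"])
	if err != nil {
		return fmt.Errorf("b= is not valid base64: %w", err)
	}
	digest := sha256.Sum256(signedData(headers, strings.Split(t["h"], ":"), dkimValue))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("b= does not verify: a signed header changed or the key is wrong")
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	dns := map[string]*rsa.PublicKey{"seq1._domainkey.example.com": &priv.PublicKey} // simulated DNS
	hdrs := []Header{{"From", "Sequenzy <news@example.com>"}, {"To", "reader@example.net"},
		{"Subject", "Newsletter"}, {"Date", "Mon, 01 Jan 2024 10:00:00 +0000"}} // constructed message
	body := "Hello reader,\r\n\r\nThis is the newsletter.\r\n"
	sig := Sign(priv, "example.com", "seq1", hdrs, body)
	fmt.Println("DKIM-Signature:", sig)
	fmt.Println("unchanged:", Verify(dns, hdrs, body, sig))
	fmt.Println("footer added in transit:", Verify(dns, hdrs, body+"-- forwarded --\r\n", sig))
}
```

The last line of main shows the failure mode the FAQ mentions: a forwarder that appends a footer changes the body hash, so bh= no longer matches even though the signature bytes are intact. Trailing blank lines, by contrast, are removed by simple canonicalization and do not break the signature.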

Best Practices

  • Use a 2048-bit key or larger (1024-bit is considered weak and RFC 8301 recommends at least 2048)
  • Rotate DKIM keys periodically (every 6-12 months): publish the new key under a new selector, switch signing to it, then remove the old record once mail signed with it has been delivered
  • Set up DKIM for all domains and subdomains you send from
  • Monitor DKIM signing success in your email platform dashboard and in DMARC aggregate reports
  • Test your DKIM setup with tools like mail-tester.com before sending

Automatic DKIM Signing

Sequenzy automatically signs all your emails with DKIM. Just add our DNS records to your domain.


Frequently Asked Questions

How do I set up DKIM?

Your email provider generates a DKIM key pair. You add the public key as a TXT record in your DNS (usually at selector._domainkey.yourdomain.com). The provider handles signing with the private key automatically. The record looks like a long string starting with 'v=DKIM1; k=rsa; p=...'. Because a 2048-bit key's p= value is longer than the 255-byte limit of a single TXT string, it is published as several quoted strings in one record; receivers join them before decoding.

What is a DKIM selector?

A DKIM selector is a name that identifies a specific DKIM key. It allows you to have multiple DKIM keys for different services (like 'google' for Google Workspace and 'seq1' for Sequenzy) or for key rotation. The selector appears as the s= tag in the DKIM-Signature header and tells receivers which DNS record to check.

Why does DKIM fail?

Common DKIM failures include: DNS record not found (incorrect selector or domain), key mismatch (the public key in DNS does not belong to the private key that signed), email modification in transit (forwarders and mailing lists that add footers or rewrite the subject change the signed content), or a key that receivers reject as too short. Check your DNS records and run a DKIM validator.
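An added example (not from the original page or from Sequenzy) that checks the published side of the setup: it parses the TXT value found at selector._domainkey.domain, decodes the p= key, and reports the RSA modulus size so a key below 2048 bits (best practice 1 above, and the "too short" failure in this answer) is flagged, along with a retired selector (empty p=) and a record that is not a DKIM key at all. The records are constructed in the example from freshly generated keys; with a real lookup you would pass the joined strings that net.LookupTXT returns for the name.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// KeyReport summarizes one selector's DKIM key record.
type KeyReport struct {
	Bits    int  // RSA modulus size in bits
	Revoked bool // empty p= means the selector has been retired (RFC 6376 section 3.6.1)
	Weak    bool // true below 2048 bits
}

// QueryName is the DNS name a verifier looks up for a selector and domain.
func QueryName(selector, domain string) string { return selector + "._domainkey." + domain }

// CheckDKIMRecord parses a TXT value of the form "v=DKIM1; k=rsa; p=<base64 SubjectPublicKeyInfo>".
// The strings of a multi-string TXT record must already be joined (net.LookupTXT does that).
func CheckDKIMRecord(txt string) (KeyReport, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return KeyReport{}, fmt.Errorf("not a DKIM key record: v=%q", v)
	}
	if k, ok := tags["k"]; ok && k != "rsa" {
		return KeyReport{}, fmt.Errorf("unsupported key type k=%q (this check handles rsa only)", k)
	}
	p, ok := tags["p"]
	if !ok {
		return KeyReport{}, errors.New("record has no p= tag")
	}
	if p == "" {
		return KeyReport{Revoked: true}, nil // selector deliberately revoked
	}
	// Long records are sometimes published with folded whitespace inside p=; tolerate it.
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(p), ""))
	if err != nil {
		return KeyReport{}, fmt.Errorf("p= is not valid base64: %w", err)
	}
	pubAny, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return KeyReport{}, fmt.Errorf("p= is not a SubjectPublicKeyInfo: %w", err)
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return KeyReport{}, errors.New("p= decodes to a non-RSA key")
	}
	bits := pub.N.BitLen()
	return KeyReport{Bits: bits, Weak: bits < 2048}, nil
}

// RecordForKey builds the TXT value a provider would hand you for an RSA public key.
// It is used here only to construct sample records for the check.
func RecordForKey(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

func main() {
	for _, bits := range []int{1024, 2048} { // constructed keys: one weak, one acceptable
		key, _ := rsa.GenerateKey(rand.Reader, bits)
		rep, err := CheckDKIMRecord(RecordForKey(&key.PublicKey))
		fmt.Printf("%s: %+v err=%v\n", QueryName("seq1", "example.com"), rep, err)
	}
	fmt.Println(CheckDKIMRecord("v=DKIM1; k=rsa; p=")) // retired selector
	fmt.Println(CheckDKIMRecord("v=spf1 -all"))        // an SPF record where a DKIM key was expected
}
```

A practical way to use it after publishing a record: run net.LookupTXT on the name from QueryName, pass each returned string to CheckDKIMRecord, and treat Weak or any error as a reason not to start signing with that selector yet.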