DKIM
DKIM is a cryptographic signature attached to every outbound message that proves the email really came from your domain and was not altered in transit.
- DomainKeys Identified Mail
- Email authentication · DNS
- Sending any volume to Gmail, Yahoo, or Outlook in 2024+
- You own a domain and send marketing, transactional, or cold mail
What it is
DKIM is an email authentication standard defined in RFC 6376. It lets the owner of a domain attach a digital signature to every message they send. The receiving server can verify that signature against a public key published in DNS — and from that single check it learns two things: the message really did originate from a server authorized by the domain owner, and the headers and body it cares about were not modified anywhere along the way.
Without DKIM, your mail is essentially an unsigned postcard. With it, the envelope is sealed with a tamper-evident stamp that any mailbox provider on earth can verify in milliseconds.
How it works
When you send an email, your sending platform (Google Workspace, SES, Postmark, your own MTA) computes a hash of selected headers and the body, signs that hash with a private key it holds, and attaches the result as a DKIM-Signature header. The signature includes a selector — a short label that tells receivers which DNS record to fetch — and the domain. The receiving server queries DNS for <selector>._domainkey.<your-domain>, retrieves the matching public key, and verifies the signature.
; Example DKIM TXT record for selector "ns1" at ns1._domainkey.example.com
ns1._domainkey IN TXT ( "v=DKIM1; k=rsa; t=s; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGmH..."
"...IDAQAB" )
Two parameters in that record matter most. k=rsa declares the key algorithm and p= is the base64-encoded public key itself. Best practice in 2026 is a 2048-bit RSA key, rotated annually with overlapping selectors so verifying servers never see a gap.
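As an added example (not code from the original page), the Python below derives the DNS lookup name from a DKIM-Signature header, parses the tag list of a DKIM TXT record, and measures the RSA modulus carried in p= against the 2048-bit recommendation. The function names and sample records are constructed here; sample_record wraps a dummy modulus in a well-formed key structure and is not a usable key.

```python
import base64

def parse_tags(value):
    """Parse a DKIM tag=value list (DKIM-Signature header or DNS TXT record)."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {name.strip(): "".join(val.split()) for name, val in pairs}

def dkim_query_name(signature_header):
    """DNS name a receiver looks up: <selector>._domainkey.<domain>."""
    return "{s}._domainkey.{d}".format(**parse_tags(signature_header))

def _tlv(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_modulus_bits(p_b64):
    """Bit length of the RSA modulus in a base64 SubjectPublicKeyInfo (p=)."""
    der = base64.b64decode(p_b64)
    spki, _ = _tlv(der, 0)            # outer SEQUENCE
    _, alg_end = _tlv(der, spki)      # AlgorithmIdentifier, skipped
    bs, _ = _tlv(der, alg_end)        # BIT STRING holding the key
    key, _ = _tlv(der, bs + 1)        # RSAPublicKey SEQUENCE after unused-bits byte
    n_start, n_end = _tlv(der, key)   # INTEGER modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def audit_record(txt, min_bits=2048):
    """Return findings for one DKIM TXT record; an empty list means it passed."""
    tags = parse_tags(txt)
    if tags.get("k", "rsa") != "rsa":
        return ["k= is not rsa; modulus check skipped"]
    if not tags.get("p"):
        return ["p= is empty: key revoked"]
    size = rsa_modulus_bits(tags["p"])
    return [f"RSA key is {size} bits, below {min_bits}"] if size < min_bits else []

def _der(tag, body):  # DER encoder, only used to build the constructed samples
    n, w = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | w]) + n.to_bytes(w, "big")) + body

def sample_record(bits):  # constructed: well-formed SPKI, dummy modulus, not a real key
    num = lambda x: _der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    key = _der(0x30, num((1 << (bits - 1)) | 1) + num(65537))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key))
    return "v=DKIM1; k=rsa; t=s; p=" + base64.b64encode(spki).decode()
```

A p= value that begins MIGfMA0G, like the truncated one in the record above, is the encoding of a 1024-bit RSA key; a 2048-bit key begins MIIBIjAN.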
Why it matters
DKIM is the foundation that DMARC depends on. Without an aligned DKIM signature, DMARC cannot pass — and without DMARC, Gmail and Yahoo will throttle or outright reject any sender shipping more than 5,000 messages per day to their users under the rules they began enforcing in February 2024.
DKIM also carries reputation. Mailbox providers track the historical behaviour of mail signed by a given d= domain. That reputation is portable: it follows the signing identity even if you rotate IPs or move ESPs. This is exactly why warmup is worth doing — the engagement you build accumulates against your DKIM identity, not the random IP you happen to be on.
Related
- SPF — the other half of authentication
- DMARC — the policy that ties SPF and DKIM together
- Sender reputation — the score DKIM accumulates against
- Why cold emails go to spam
- How NeverSpam warms a DKIM-signed identity