What Is DKIM (DomainKeys Identified Mail)?
DKIM (DomainKeys Identified Mail) is an email authentication protocol that allows a sending domain to digitally sign outgoing messages, enabling receiving servers to verify that the email was genuinely sent by the domain owner and that its content was not altered in transit. DKIM works through public-key cryptography; the sending server signs each email with a private key, and the receiving server verifies the signature using a public key published in the domain's DNS records.
When a DKIM-signed email is sent, the sending server generates a cryptographic hash of specified email headers and body content, then signs that hash with the domain's private key. The resulting DKIM signature is added to the email as a header. When the receiving server processes the email, it retrieves the public key from the sender's DNS (found at a selector-specific subdomain like s1._domainkey.yourdomain.com), uses it to check the signature, and compares the result against its own hash of the received message. If they match, DKIM passes, proving both authenticity and integrity.
DKIM is critical for B2B email deliverability because it provides a verifiable chain of trust. Google, Microsoft, and other major email providers heavily weight DKIM results in their spam filtering algorithms. An email that passes DKIM verification carries a trust signal that says the domain owner actually sent it and no one tampered with it between sending and delivery. For cold outreach, where you have no prior relationship with the recipient, this trust signal can make the difference between inbox placement and the spam folder.
Key DKIM considerations include key length (2048-bit keys are now the standard, replacing older 1024-bit keys), key rotation (security best practice is to rotate keys every 6-12 months), and selector management (each email service provider typically uses its own DKIM selector). When using multiple sending services (a common scenario for outbound teams using separate platforms for warmup, cold outreach, and transactional email), each service needs its own DKIM selector configured in DNS.
Prospect AI ensures proper DKIM alignment across all sending infrastructure as part of its email deliverability management, verifying that signatures are correctly configured for each sending domain and alerting teams when authentication issues arise.
Key takeaways
1. DKIM uses public-key cryptography to prove email authenticity and content integrity
2. Receiving servers verify DKIM signatures using public keys published in the sender's DNS records
3. Major email providers heavily weight DKIM verification in spam filtering decisions
4. Use 2048-bit keys, rotate every 6-12 months, and configure separate selectors for each sending service
Frequently asked questions
What is the difference between SPF and DKIM?
SPF verifies that the sending server is authorized to send for the domain (checking IP addresses). DKIM verifies that the email content has not been altered and was signed by the domain owner (using cryptographic signatures). Both are necessary; SPF validates the sender, DKIM validates the message.
What happens if DKIM fails?
DKIM failure means the signature could not be verified: the content was modified in transit, the DNS key is misconfigured, or the key has been rotated without updating DNS. Failed DKIM increases the likelihood of spam classification. Combined with DMARC policy, DKIM failure can result in outright email rejection.
How do I set up DKIM for my domain?
Your email service provider (Google Workspace, Microsoft 365, or third-party sender) generates a DKIM key pair. They provide the public key as a DNS TXT record to add to your domain. The specific subdomain and record format vary by provider, but the record name typically looks like selector._domainkey.yourdomain.com. Most providers offer step-by-step setup guides.
Do I need DKIM if I already have SPF?
Yes. SPF and DKIM serve different purposes and are both required for robust email authentication. Furthermore, DMARC, which is increasingly required by Google and Yahoo, relies on alignment of either SPF or DKIM (ideally both). Running without DKIM leaves a significant gap in your authentication posture.