DKIM Fundamentals
DMARC is the standard for protecting your domain against spoofing and phishing, but it doesn’t work alone. It relies on two building blocks: SPF and DKIM.
This article focuses on DKIM (DomainKeys Identified Mail), the second vital part of DMARC.
What DKIM actually does (in plain English)
DKIM is all about proving that an email's content hasn't been tampered with in transit and that it was signed by a key your domain controls.
It works by attaching a digital signature to every outgoing email. This signature is created using a private key that only your domain controls. The receiving server then checks that signature against the public key you’ve published in DNS.
- If the signature is valid → DKIM passes.
- If not → DKIM fails.
Key idea: DKIM = you digitally signing your email so others know it’s authentic.
Where DKIM lives
DKIM relies on a public/private key pair:
- The private key is stored securely on your mail server or email platform.
- The public key is published in your DNS as a TXT record, under a special name (the "selector").
What goes in a DKIM record
A DKIM DNS record usually looks like this:
Name (Host):
selector1._domainkey.example.com
Value (TXT record):
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQE…
- selector1 → A label that identifies which DKIM key is being used, so a domain can publish several keys at once.
- v=DKIM1 → States this is a DKIM record.
- p= → The public key itself (a long base64-encoded string).
How DKIM works step by step
- Your mail server computes a digital signature over the message (selected headers plus a hash of the body) using the private key.
- That signature is added to the email as a DKIM-Signature header.
- The receiving server looks up your public key in DNS (using the selector and domain named in that header).
- It validates the signature against the public key.
- If the signature checks out, the message is verified and DKIM passes.
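As an added example (not code from the article), here is the receiver's first check written out in Python: parse the DKIM-Signature header, derive the DNS name of the public key from its s= and d= tags, and recompute the bh= body hash using RFC 6376 canonicalization. The sample message, selector1 and example.com are constructed; the RSA signature over the headers (b=) is deliberately not covered.

```python
import base64
import hashlib
import re

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (a DKIM-Signature header or the DNS TXT
    record) into a dict. Folding whitespace inside values is not significant."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_dns_name(sig: dict) -> str:
    """Name of the TXT record a verifier queries: <selector>._domainkey.<domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def canonicalize_body(body: str, mode: str) -> bytes:
    """RFC 6376 body canonicalization. 'simple' only drops trailing empty lines;
    'relaxed' also strips trailing whitespace and collapses whitespace runs on
    each line, so harmless reformatting by a relay does not break bh=."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines and mode == "relaxed":
        return b""
    return "\r\n".join(lines).encode() + b"\r\n"

def body_hash(body: str, sig: dict) -> str:
    """Compute bh= as the signer did: base64(hash(canonicalized body))."""
    algo = sig.get("a", "rsa-sha256").split("-")[1]                  # e.g. sha256
    body_mode = (sig.get("c", "simple/simple").split("/") + ["simple"])[1]
    digest = hashlib.new(algo, canonicalize_body(body, body_mode)).digest()
    return base64.b64encode(digest).decode()

def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """Does the body the receiver got hash to the bh= the signer committed to?
    A mismatch means the body changed in transit and DKIM will fail."""
    sig = parse_tags(dkim_signature)
    return sig.get("bh") == body_hash(body, sig)

# Constructed sample (not a real message). bh= is filled in below so the
# example is self-contained and runs offline; b= stays empty on purpose.
SAMPLE_BODY = "Hello team,\r\n\r\nThe invoice is attached.\r\n\r\n\r\n"
SAMPLE_SIG_NO_BH = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; "
                    "s=selector1; h=from:to:subject; bh=; b=")

def sample_signature() -> str:
    """DKIM-Signature value for SAMPLE_BODY with the correct bh= inserted."""
    bh = body_hash(SAMPLE_BODY, parse_tags(SAMPLE_SIG_NO_BH))
    return SAMPLE_SIG_NO_BH.replace("bh=;", f"bh={bh};")
```

Running body_hash_matches against a message whose body was altered after signing returns False, which is exactly the failure DMARC then acts on.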
Quick setup checklist
- Enable DKIM in your email platform (Microsoft 365, Google Workspace, or your mail server).
- Generate the DNS record they provide (selector + public key).
- Publish the TXT record in your domain’s DNS.
- Test your setup by sending a message to a tool or mailbox that checks DKIM and confirm the result is "pass".
Common pitfalls (and how to avoid them)
- Not publishing the DNS record → DKIM won’t work until the public key is visible.
- Wrong selector → If your email platform gives you selector1, use it exactly as provided.
- Expired or rotated keys → Some providers rotate DKIM keys; always update DNS if they do.
- Forgetting subdomains → If you send mail from subdomains, make sure DKIM is enabled for them too.
DKIM is your way of digitally signing every email your domain sends. By publishing your public key in DNS and letting your mail server sign with the private key, you give DMARC the ability to confirm that your messages are authentic and untampered.
SPF tells the world who is allowed to send.
DKIM proves what you sent is legitimate.
Together, they power DMARC.