What Is DKIM? Explained in Plain English

Par /



What Is DKIM? Explained in Plain English | Mail Fortifier

Jump to:

What Is DKIM?

DKIM stands for DomainKeys Identified Mail. It’s an email authentication method. DKIM lets the receiver check that an email claimed to come from a specific domain was really authorized by the owner of that domain. It does this by adding a digital signature to the email header. This signature is linked to a public key in your DNS records. If the signature matches, the email is likely genuine.

How DKIM Works

When your mail server sends an email, it creates a unique digital signature using a private key. This signature is added to the email’s header. The receiving server looks up your public key in DNS. If it can verify the signature using that key, the email passes DKIM. If not, it fails.

  • Private key: Stays safe on your mail server. Used to sign outgoing emails.
  • Public key: Published in your DNS. Used by others to check your signature.
  • Signature: Proves your email hasn’t been tampered with in transit.

Think of DKIM as a tamper-evident seal. If someone changes the contents, the seal breaks, and the receiver knows something’s wrong.

Why DKIM Matters

  • Protects your brand: Stops attackers from sending fake emails that look like they’re from you.
  • Boosts deliverability: Emails with valid DKIM signatures are less likely to land in spam.
  • Builds trust: Recipients and ISPs know your messages are authentic.

DKIM is a core part of modern email security. Most major providers-including Gmail and Outlook-check DKIM on incoming mail. Without DKIM, your messages are more likely to be flagged or rejected.

DKIM vs SPF vs DMARC

FeatureDKIMSPFDMARC
What it doesVerifies sender’s identity using digital signaturesChecks sending server’s IP addressSets policy for handling failed SPF/DKIM
Where it livesDNS TXT record (public key)DNS TXT record (allowed IPs)DNS TXT record (policy)
What it protectsEmail content and senderSender’s domainBoth, plus reporting

For the best protection, use all three. Our deliverability audit checks your DKIM, SPF, and DMARC setup.

How to Set Up DKIM

  1. Generate a DKIM key pair (private and public keys). Most mail platforms like Microsoft 365, Google Workspace, and cPanel have built-in tools for this.
  2. Publish the public key in your DNS as a TXT record. The record name usually looks like selector._domainkey.yourdomain.com.
  3. Configure your mail server to sign outgoing emails with the private key.
  4. Test your DKIM setup using tools like DKIMValidator ou EasyDMARC DKIM Lookup.

If you use a third-party sender (like Mailchimp or SendGrid), set up DKIM in their dashboard and add the records they provide to your DNS.

DKIM Troubleshooting

DKIM issues are common, but most are easy to fix:

  • Signature fails: Check for typos in your DNS record. Make sure the public key is published exactly as generated.
  • Selector not found: Confirm you’re using the correct selector in your DNS and mail server settings.
  • DNS not updated: DNS changes can take time. Wait for DNS to propagate, or use a DNS checker to confirm the record is live.
  • Body hash mismatch: Some mail systems modify emails after signing (adding footers, tracking, etc.). Use “relaxed” canonicalization to reduce false fails.
  • Multiple DKIM records: If you use several services, each may need its own selector and DNS record.

For persistent issues or complex setups, a complete email deliverability audit can help spot hidden problems.

Best Practices

  • Use at least 2048-bit keys for new DKIM records.
  • Rotate DKIM keys every 6-12 months, or immediately if you suspect a compromise.
  • Keep your private key secure-never share it or store it in public code repositories.
  • Monitor DMARC reports to spot DKIM failures early.
  • Test after every change with a reliable DKIM checker.

For more, see our Email Authentication Best Practices guide.

FAQs

Does DKIM stop all spoofing?
No. DKIM is just one layer. Use SPF and DMARC for full protection.
What is a DKIM selector?
A selector is a label that lets you use multiple DKIM keys for one domain. Each service or server can have its own selector.
How do I check if my DKIM is working?
Send an email to a Gmail or Outlook account, then view the message headers. Look for “DKIM=pass”. Or use DKIMValidator.
Can I use DKIM with Gmail or Microsoft 365?
Yes. Both support DKIM. See Google’s DKIM guide and Microsoft’s DKIM guide.
What happens if DKIM fails?
It depends on the recipient’s policy. With DMARC, failed DKIM can lead to rejection or quarantine.
How long does it take for DKIM DNS records to update?
Usually within a few hours, but it can take up to 48 hours depending on DNS TTL.
Should I use multiple selectors?
Yes, if you use more than one email service or want to rotate keys smoothly.
What key length should I use?
2048 bits is the minimum recommended. Avoid 1024-bit keys-they’re considered weak.
Can DKIM break if I forward emails?
Yes. Some forwarding can break DKIM signatures. DMARC helps by allowing either DKIM or SPF to pass.
Do I need to pay for DKIM?
No. DKIM is free to set up, but some hosted email platforms may charge for advanced features.
Is DKIM required by law?
Not usually, but some sectors (like finance) may require it for compliance.
How do I rotate DKIM keys?
Add a new selector and DNS record, update your mail server, then remove the old record after all mail is signed with the new key.
What tools can I use to check DKIM?
Try DKIMValidator, EasyDMARC, or MXToolbox DKIM Lookup.
What if I use a third-party sender?
Set up DKIM in their dashboard, then add their DNS records to your domain.
Can DKIM be used with subdomains?
Yes. Each subdomain can have its own DKIM record and selector.
Does DKIM protect attachments?
Yes. DKIM signs the entire message, including attachments.
What is “canonicalization” in DKIM?
It’s how DKIM handles changes in emails during transit. “Relaxed” mode is more forgiving and usually preferred.
Can I use DKIM with mailing lists?
Mailing lists often break DKIM signatures by modifying emails. Use “relaxed” canonicalization and DMARC’s “p=none” policy to monitor.
Does DKIM affect email speed?
No. DKIM signing and verification happen in milliseconds.
What if my DKIM record is too long?
Split the record into quoted strings in DNS. Most DNS providers support this.
How do I remove an old DKIM record?
Delete the TXT record from DNS after you’ve confirmed all mail uses the new selector.
What if I lose my private key?
Generate a new key pair, update your mail server and DNS, and remove the old record.
Where can I get help?
Try our Audit complet de délivrabilité des e-mails for expert help.

For more on email security, see our Email Security Checklist.






 

For more on email security, see our Email Security Checklist.

Laisser un commentaire

Français
English (UK) Français
Retour en haut