DKIM (DomainKeys Identified Mail) is an email authentication standard, defined in RFC 6376, that uses public-key cryptography to let a domain take responsibility for a message and to let receivers detect whether the signed headers and body were altered in transit. The sending server signs each outbound email with a private key; receivers fetch the matching public key from the signing domain's DNS and verify the signature. Without DKIM, modern mailbox providers have only SPF to go on, and SPF breaks as soon as a message is forwarded; mail that fails authentication is routed to spam or rejected outright.
How does DKIM actually work?
Three steps. First, the sender publishes a public key as a TXT record in their domain's DNS at selector._domainkey.yourdomain.com (the selector is a label chosen by the signer and carried in the s= tag of each signature; it lets you publish a new key beside the old one and rotate without downtime). Second, when the sending server transmits an email, it canonicalizes the body and hashes it, then hashes a chosen set of headers (listed in the h= tag, which must include From) together with the DKIM-Signature header itself, signs that hash with the private key, and attaches the result as the DKIM-Signature header (body hash in bh=, signature in b=). Third, the receiving server reads the d= and s= tags, looks up the public key at s._domainkey.d, recomputes both hashes, and checks that the signature verifies against them.
If the signature verifies, the receiver knows that whoever holds the private key for the d= domain (the domain owner, or a provider they delegated to) signed exactly those headers and that body, and that none of it changed after signing. It says nothing about headers not listed in h=, and the d= domain is not required to match the visible From address; DMARC adds that alignment check. If the signature does not verify, RFC 6376 says the message is to be treated as if it were unsigned, so the DMARC evaluation falls back to SPF and fails if SPF does not pass and align. DMARC sits on top of DKIM (and SPF) and tells the receiver what to do when authentication fails.
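The three steps above and the two outcomes, worked in runnable Python. This is an added example, not code from the page or from any mail provider: it signs a constructed message with relaxed/relaxed canonicalization, publishes the key in a dict standing in for DNS, then verifies the original and several altered copies. Assumptions: the domain example.com, the selector s1 and the message are made up; the RSA modulus is built from two publicly known Mersenne primes so the example runs offline without a crypto library (the private key is therefore public knowledge and usable only as a stand-in); and the p= value is a simplified n||e encoding rather than the DER SubjectPublicKeyInfo that real records carry.

```python
"""DKIM sign/verify end to end. Added example, not the page's or any provider's code.
Stand-ins: a toy RSA key from two public Mersenne primes (private key is NOT secret),
a dict in place of DNS, and a simplified p= encoding (raw big-endian n||e, not DER)."""
import base64
import hashlib
import re

# Toy key: both primes are well known, so d is public knowledge. Demo only, never deploy.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa(digest, k):  # EMSA-PKCS1-v1_5 encoding of a SHA-256 digest (rsa-sha256)
    t = _DIGESTINFO_SHA256 + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(n, d, digest):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(digest, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(n, e, digest, sig):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(digest, k)

def canon_header(name, value):  # relaxed: lowercase name, unfold, collapse whitespace (RFC 6376 3.4.2)
    value = re.sub(r"[ \t]*\r?\n[ \t]*", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def canon_body(body):  # relaxed: trim line ends, collapse whitespace, drop trailing empty lines (3.4.4)
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""

def body_hash(body):  # the bh= tag
    return base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()

def _header_hash_input(headers, names, sig_value):
    out = b""
    for name in names:  # last instance of each header listed in h=
        for n, v in reversed(headers):
            if n.lower() == name.lower():
                out += canon_header(n, v).encode()
                break
    sig_value = re.sub(r"(;\s*b=)[^;]*", r"\1", sig_value)  # DKIM-Signature itself, with b= emptied
    return out + canon_header("DKIM-Signature", sig_value).encode().rstrip(b"\r\n")

def dkim_sign(headers, body, domain, selector, priv, signed=("from", "to", "subject", "date")):
    n, d = priv
    value = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
             f"h={':'.join(signed)}; bh={body_hash(body)}; b=")
    digest = hashlib.sha256(_header_hash_input(headers, signed, value)).digest()
    return headers + [("DKIM-Signature", value + base64.b64encode(rsa_sign(n, d, digest)).decode())]

def publish_key(n, e):  # TXT record value at selector._domainkey.domain (simplified p=)
    k = (n.bit_length() + 7) // 8
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(n.to_bytes(k, "big") + e.to_bytes(4, "big")).decode()

def parse_tags(s):
    return dict(part.strip().split("=", 1) for part in s.split(";") if part.strip())

def dkim_verify(headers, body, dns):
    sig = next(v for n, v in reversed(headers) if n.lower() == "dkim-signature")
    t = parse_tags(sig)
    record = dns.get(f"{t['s']}._domainkey.{t['d']}")  # fetch the public key
    if record is None:
        return "permerror (no key record)"  # missing TXT record or wrong selector
    p = parse_tags(record).get("p", "")
    if not p:
        return "permerror (key revoked)"  # empty p= revokes the key
    raw = base64.b64decode(p)
    n, e = int.from_bytes(raw[:-4], "big"), int.from_bytes(raw[-4:], "big")
    if body_hash(body) != t["bh"]:
        return "fail (body hash mismatch)"
    digest = hashlib.sha256(_header_hash_input(headers, t["h"].split(":"), sig)).digest()
    return "pass" if rsa_verify(n, e, digest, base64.b64decode(t["b"])) else "fail (bad signature)"

def run_demo():  # constructed message; returns the verdict for the clean copy and altered copies
    dns = {"s1._domainkey.example.com": publish_key(N, E)}
    msg = [("From", "alice@example.com"), ("To", "bob@example.net"), ("Subject", "Invoice  #42\r\n  attached"),
           ("Date", "Mon, 1 Jan 2024 00:00:00 +0000"), ("X-Mailer", "toy 1.0")]
    body = "Hi Bob,\r\n\r\nPlease find the invoice attached.  \r\n\r\n"
    signed = dkim_sign(msg, body, "example.com", "s1", (N, D))
    swap = lambda hdrs, name, val: [(name, val) if h[0] == name else h for h in hdrs]
    return {
        "clean": dkim_verify(signed, body, dns),
        "extra_blank_lines": dkim_verify(signed, body + "\r\n\r\n", dns),  # relaxed ignores these
        "footer_appended": dkim_verify(signed, body + "-- \r\nScanned by gateway\r\n", dns),
        "subject_changed": dkim_verify(swap(signed, "Subject", "URGENT: wire transfer"), body, dns),
        "unsigned_header_changed": dkim_verify(swap(signed, "X-Mailer", "other"), body, dns),  # not in h=
        "wrong_selector": dkim_verify(signed, body, {"s2._domainkey.example.com": dns["s1._domainkey.example.com"]}),
    }
```

Run it and compare the verdicts: appending a footer changes the body hash and fails, changing Subject (listed in h=) fails, changing X-Mailer (not listed) still passes, extra trailing blank lines pass because relaxed canonicalization ignores them, and a selector with no record is a permerror rather than a fail. The unsigned-header case is why a signer should list every header a recipient will act on in h=.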
How do you set up DKIM correctly?
Your email provider (Google Workspace, Microsoft 365, SendGrid, Mailgun, etc.) generates the key pair. You publish the public key as a DNS TXT record at the selector name they specify. The private key stays on the sending server; never expose it, and never paste it into DNS. Use a 2048-bit RSA key: RFC 8301 tells signers to use at least 2048 bits and verifiers to reject keys under 1024 bits, and many receivers already treat 1024-bit keys as weak. Rotate keys at least annually: publish the new key under a new selector, switch signing to it, wait a few days for mail signed with the old key to clear, then remove the old record or revoke it by publishing an empty p= tag. Verify the record with dig +short TXT selector._domainkey.yourdomain.com, nslookup -type=TXT, or a free DKIM check tool, then send a test message to a mailbox you control and confirm dkim=pass in its Authentication-Results header. ReachIQ Email Health validates DKIM on every sender mailbox automatically and alerts before reputation degrades.
Related questions
What's the difference between DKIM and SPF?
SPF authorizes which IPs can send for your domain and is checked against the envelope sender (MAIL FROM), not the message content. DKIM proves that the signed headers and body were not altered after the d= domain signed them. Both are needed because they answer different questions and fail in different places: SPF breaks when a message is forwarded (the forwarding IP is not yours), while DKIM breaks when an intermediary rewrites the signed content. DMARC ties them together with a policy and requires that at least one of them passes and aligns with the From domain.
What does a DKIM failure look like?
In the Authentication-Results header you'll see dkim=fail (a signature was present and did not verify), dkim=permerror (an unrecoverable problem such as a missing or malformed key record) or dkim=temperror (the DNS lookup failed transiently). Common causes: no TXT record at the selector name, an s= tag that does not match the published selector, a key published incorrectly because the base64 of a 2048-bit key (about 392 characters) exceeds the 255-byte limit of a single TXT character-string and has to be split into two or more quoted strings inside one record (some DNS control panels do this for you, others truncate the key), or content modification in transit: a forwarding server or mailing list adding a footer, tagging the Subject, or re-encoding the body. Most DKIM failures trace back to DNS misconfiguration.
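A record check that catches the DNS causes above before they surface as permerror, and that doubles as the dig step from the setup section. This is an added Python example, not the page's or any vendor's code. Feed it the rdata that dig +short TXT s1._domainkey.example.com prints (the quoted strings exactly as dig shows them): it joins split strings, parses the tags, decodes the DER SubjectPublicKeyInfo in p= and reports the modulus size. The records it checks are constructed here around a synthetic modulus of the right length, not real keys, and the name s1._domainkey.example.com is an assumption.

```python
"""Validate a DKIM key record as a verifier would. Added example, not the page's code.
Input is TXT rdata as dig prints it: quoted character-strings of <= 255 bytes each, so a
2048-bit key (about 392 base64 chars) arrives split. Records built below use a synthetic
modulus of the right size; they are constructed test data, not real keys."""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")      # 1.2.840.113549.1.1.1 rsaEncryption

def _der(tag, body):                                  # minimal DER TLV encoder
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _der_int(x):                                      # INTEGER, leading 0x00 if the high bit is set
    return _der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))

def spki_from_modulus(n, e=65537):
    """SubjectPublicKeyInfo for an RSA key: the structure a p= tag carries in base64."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))

def _tlv(buf, pos):                                   # minimal DER TLV reader
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln

def modulus_bits(spki):
    """Walk SPKI -> AlgorithmIdentifier, BIT STRING -> RSAPublicKey -> n."""
    _, outer, _ = _tlv(spki, 0)
    _, alg, p = _tlv(outer, 0)
    if _tlv(alg, 0)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _tlv(outer, p)                     # first byte = number of unused bits
    _, rsa_key, _ = _tlv(bitstr[1:], 0)
    _, n_bytes, _ = _tlv(rsa_key, 0)
    return int.from_bytes(n_bytes, "big").bit_length()

def check_dkim_record(rdata, recommended_bits=2048):
    """Return (status, detail); status is 'ok', 'permerror' or 'unchecked'."""
    if rdata is None:
        return "permerror", "no TXT record at that name (missing record or wrong selector)"
    joined = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)) or rdata   # concatenate the strings
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # folding whitespace is allowed inside p=
    if tags.get("v", "DKIM1") != "DKIM1":
        return "permerror", f"v={tags['v']} is not DKIM1"
    if tags.get("k", "rsa") != "rsa":
        return "unchecked", f"k={tags['k']}: only RSA keys are inspected here"
    if "p" not in tags:
        return "permerror", "no p= tag"
    if tags["p"] == "":
        return "permerror", "key revoked (empty p=)"
    try:
        bits = modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError, TypeError) as exc:
        return "permerror", f"p= is not a decodable RSA public key ({exc})"
    if bits < 1024:
        return "permerror", f"{bits}-bit key; verifiers must not accept keys under 1024 bits (RFC 8301)"
    if bits < recommended_bits:
        return "ok", f"{bits}-bit key verifies but is below the recommended {recommended_bits} bits"
    return "ok", f"{bits}-bit RSA key"

def txt_strings(value, limit=255):
    """Render a value the way DNS stores it: quoted character-strings of <= 255 bytes."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))

def build_value(bits):
    n = (1 << (bits - 1)) | 0x10001                   # synthetic modulus of exactly `bits` bits, not a real key
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_from_modulus(n)).decode()

def run_checks():
    good = build_value(2048)
    records = {                                        # constructed rdata for s1._domainkey.example.com
        "good_2048": txt_strings(good),
        "weak_1024": txt_strings(build_value(1024)),
        "revoked": txt_strings("v=DKIM1; k=rsa; p="),
        "missing_or_wrong_selector": None,
        "truncated": txt_strings(good[:218]),          # control panel kept only part of the key
    }
    return {name: check_dkim_record(r) for name, r in records.items()}
```

The good record comes out as two quoted strings of 255 and 155 characters, which is the shape a correct 2048-bit record has in dig output; a panel that keeps only the first string produces the truncated case, which decodes as base64 but fails the DER walk. Paste real rdata in place of the constructed records to check your own selector.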
Is DKIM enough by itself?
No. DKIM is necessary but not sufficient. Gmail and Yahoo's bulk-sender requirements, in force since February 2024, require senders pushing 5,000 or more emails per day to also implement SPF, publish a DMARC policy, keep the From domain aligned with SPF or DKIM, and support one-click unsubscribe. DKIM alone will not get you to the inbox in 2026.