What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication protocol that uses public-key cryptography to verify that an email message was sent by the domain in its "From" header and that the message content hasn't been tampered with in transit. Strictly, the signature vouches for the signing domain named in its d= tag; DMARC is what checks that this domain aligns with the "From" header.
When a DKIM-enabled server sends an email, it attaches a digital signature to the message header. The receiving server retrieves the sender's public key from DNS and uses it to verify the signature. If it matches, the email is authenticated.
How DKIM Works
- The sending server computes a hash of the email body and of the selected email headers.
- The hash is signed with the domain's private key, creating a digital signature.
- The signature is added to the email as a DKIM-Signature header, which also names the signing domain (d=) and a selector (s=) so the receiver knows which DNS record to query.
- The receiving server looks up the public key via DNS (a TXT record at selector._domainkey.example.com).
- The receiving server uses the public key to verify the signature against its own hash of the email. If they match, the email passes DKIM.
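The five steps above, carried through end to end in Go as an added example (this is not Mailchk's code, and it is a simplified DKIM rather than a full RFC 6376 implementation): relaxed canonicalization, the body hash (bh=), an RSA-SHA256 signature over the headers, a constructed map standing in for the DNS lookup of s1._domainkey.example.com, and verification that fails when the body is modified. The domain, selector, key size, headers and body are all constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var wsp = regexp.MustCompile(`[ \t]+`)
var bTag = regexp.MustCompile(`(^|;)(\s*)b=[^;]*`) // the b= tag, whose value is blanked before hashing

// relaxedBody: simplified "relaxed" body canonicalization (RFC 6376 3.4.4):
// CRLF line endings, WSP runs collapsed to one space, trailing WSP and trailing empty lines removed.
func relaxedBody(body string) string {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(wsp.ReplaceAllString(l, " "), " ")
	}
	for len(lines) > 0 && lines[len(lines)-1] == "" {
		lines = lines[:len(lines)-1]
	}
	if len(lines) == 0 {
		return ""
	}
	return strings.Join(lines, "\r\n") + "\r\n"
}

// relaxedHeader: lowercase field name, unfold, collapse WSP, trim around the colon.
func relaxedHeader(h string) string {
	name, value, _ := strings.Cut(h, ":")
	value = wsp.ReplaceAllString(strings.ReplaceAll(value, "\r\n", ""), " ")
	return strings.ToLower(strings.TrimSpace(name)) + ":" + strings.TrimSpace(value)
}

// headerHash hashes the canonicalized signed headers followed by the DKIM-Signature
// header itself with an empty b= value, which is what both signer and verifier hash.
func headerHash(headers []string, sigValue string) []byte {
	var sb strings.Builder
	for _, h := range headers {
		sb.WriteString(relaxedHeader(h) + "\r\n")
	}
	sb.WriteString(relaxedHeader("DKIM-Signature: " + sigValue)) // no trailing CRLF
	sum := sha256.Sum256([]byte(sb.String()))
	return sum[:]
}

// Sign is the sending side (steps 1-3): returns the DKIM-Signature header value.
func Sign(priv *rsa.PrivateKey, domain, selector string, headers []string, body string) (string, error) {
	bh := sha256.Sum256([]byte(relaxedBody(body)))
	names := make([]string, len(headers))
	for i, h := range headers {
		n, _, _ := strings.Cut(h, ":")
		names[i] = strings.ToLower(strings.TrimSpace(n))
	}
	sig := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	b, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(headers, sig))
	if err != nil {
		return "", err
	}
	return sig + base64.StdEncoding.EncodeToString(b), nil
}

// DNSRecord renders the TXT record the domain owner publishes at <selector>._domainkey.<domain>.
func DNSRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// parseTags splits a "k=v; k2=v2" tag list (used for both the header and the TXT record).
func parseTags(s string) map[string]string {
	m := map[string]string{}
	for _, t := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(t, "="); ok {
			m[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return m
}

// Verify is the receiving side (steps 4-5): fetch the key via lookup, check the body hash,
// then check the RSA signature over the headers listed in h=. nil means DKIM passes.
func Verify(lookup func(string) (string, bool), headers []string, body, sigValue string) error {
	t := parseTags(sigValue)
	rec, ok := lookup(t["s"] + "._domainkey." + t["d"])
	if !ok {
		return errors.New("no DKIM TXT record published for this selector and domain")
	}
	der, _ := base64.StdEncoding.DecodeString(parseTags(rec)["p"]) // a bad p= surfaces as a parse error
	key, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return errors.New("p= is not an RSA key")
	}
	if bh := sha256.Sum256([]byte(relaxedBody(body))); base64.StdEncoding.EncodeToString(bh[:]) != t["bh"] {
		return errors.New("body hash mismatch: body modified in transit")
	}
	var signed []string // message headers named in h=, in h= order
	for _, name := range strings.Split(t["h"], ":") {
		for _, h := range headers {
			if n, _, _ := strings.Cut(h, ":"); strings.EqualFold(strings.TrimSpace(n), name) {
				signed = append(signed, h)
				break
			}
		}
	}
	sig, _ := base64.StdEncoding.DecodeString(t["b"]) // a bad b= surfaces as a verify failure
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(signed, bTag.ReplaceAllString(sigValue, "${1}${2}b=")), sig)
}

// RoundTrip signs a constructed message, optionally alters the body afterwards, and verifies it.
func RoundTrip(tamper bool) error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	dns := map[string]string{"s1._domainkey.example.com": DNSRecord(&priv.PublicKey)} // constructed stand-in for DNS
	lookup := func(name string) (string, bool) { v, ok := dns[name]; return v, ok }
	headers := []string{"From: alice@example.com", "To: bob@example.net", "Subject: Invoice 42"}
	body := "Please pay  by Friday.\r\n\r\n"
	sig, err := Sign(priv, "example.com", "s1", headers, body)
	if err != nil {
		return err
	}
	if tamper {
		body = "Please pay by Monday.\r\n"
	}
	return Verify(lookup, headers, body, sig)
}

func main() {
	fmt.Println("untouched message:", RoundTrip(false)) // <nil>: DKIM pass
	fmt.Println("tampered message:", RoundTrip(true))   // body hash mismatch
}
```

Two details worth noticing: the verifier re-hashes the DKIM-Signature header with its b= value blanked, so the signature covers its own d=, s=, h= and bh= tags and an attacker cannot swap in a different selector or header list; and relaxed canonicalization means a relay that reflows whitespace does not break the signature, while any change to the words does.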
Why DKIM Matters
- Anti-spoofing — Proves the email genuinely came from the claimed domain.
- Integrity — Detects if the email content was modified after sending.
- Deliverability — Emails with valid DKIM signatures are more likely to reach the inbox.
- Required for DMARC — DMARC alignment requires either SPF or DKIM to pass.
Test your email authentication with Mailchk's free Email Health Score tool — it checks SPF, DKIM, and DMARC in one test.