Skip to content

DKIM: Definition and Use Cases

TL;DR:

DKIM (DomainKeys Identified Mail) is a cryptographic signature added to email by the sender. The public key is published in DNS (selector._domainkey.example.com); the private key signs the message body. The recipient verifies the signature, guaranteeing the message was not modified in transit and truly came from the claimed domain.

Check your site →

What is DKIM

DKIM (DomainKeys Identified Mail) is a cryptographic signature added to email by the sender. The public key is published in DNS (selector._domainkey.example.com); the private key signs the message body. The recipient verifies the signature, guaranteeing the message was not modified in transit and truly came from the claimed domain.

Check DKIM online

Open Enterno.io tool →

How DKIM Works: The Technical Breakdown

DKIM (DomainKeys Identified Mail) employs a combination of public and private key cryptography to provide email authentication. The process begins when the sender's mail server generates a unique DKIM signature for each outgoing email. This signature is created by hashing the email's headers and body, and then encrypting that hash with the sender's private key.

Here’s how the entire process unfolds:

  • Email Creation: The sender composes an email and the mail server prepares to send it.
  • Hash Generation: The server creates a hash of the email’s headers and body using a secure hashing algorithm like SHA-256.
  • Signature Creation: The hash is then encrypted using the sender's private key, producing the DKIM signature.
  • DNS Record: The public key corresponding to the private key is published in the sender's DNS records, typically under the format selector._domainkey.example.com.
  • Email Transmission: The signed email is sent to the recipient.

Upon receiving the email, the recipient's mail server retrieves the public key from the DNS, decrypts the DKIM signature, and compares the resulting hash to the hash of the received email. If they match, the email is verified as authentic and unaltered.

Setting Up DKIM: Practical Steps and Commands

Implementing DKIM involves several steps, including generating keys, creating DNS records, and configuring your mail server. Below are practical steps to set up DKIM:

  1. Generate DKIM Keys: You can use tools like OpenSSL to generate your DKIM keys. Run the following commands:
openssl genrsa -out private.key 1024openssl rsa -in private.key -pubout -out public.key
  1. Create a DKIM DNS Record: You need to create a TXT record in your DNS settings. The record should look something like this:
selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_HERE"
  1. Configure Your Mail Server: Depending on your mail server (Postfix, Sendmail, etc.), you will need to configure it to use the private key for signing outgoing emails. For example, in Postfix, you can use the following configuration:
milter_default_action = acceptsmtpd_milters = inet:localhost:8891non_smtpd_milters = inet:localhost:8891

Ensure you replace localhost:8891 with the appropriate address and port of your DKIM signing service.

  1. Test Your DKIM Setup: You can use tools like MXToolbox DKIM Lookup to verify that your DKIM is set up correctly. Send a test email to yourself and check the headers to see if the DKIM signature is present and valid.

Common DKIM Issues and Troubleshooting

While DKIM is a robust email authentication method, users may encounter various issues during setup or operation. Here are some common problems and their solutions:

  • DKIM Signature Missing: If the DKIM signature is not present in the email headers, ensure that your mail server is configured correctly to sign outgoing messages. Check your mail logs for errors related to DKIM signing.
  • Verification Failures: If the recipient's server reports that the DKIM verification failed, ensure that the public key published in your DNS matches the private key used for signing. Any discrepancies will cause verification to fail.
  • DNS Propagation Issues: After updating DNS records, it may take time for changes to propagate. Use tools like dig to check if your DKIM record is visible:
dig TXT selector._domainkey.example.com

Wait a few hours and recheck if necessary.

  • Key Length and Algorithm Issues: Ensure that your DKIM keys are of adequate length (2048 bits is recommended) and that you are using a supported algorithm (RSA is the most common). If using a shorter key, consider regenerating it.

By addressing these common issues, you can ensure your DKIM implementation functions correctly, enhancing your email deliverability and security.

Public KeyDKIM key in DNS TXT record
Key LengthRSA-1024, 2048, or Ed25519
Quick TestDomain + selector = result
ValidationSyntax and parameters of DKIM TXT

Why teams trust us

DKIM
signature check
SPF
SPF + DMARC audit
DNS
TXT record check
Free
no limits

How it works

1

Enter domain and selector

2

Fetch DKIM TXT record

3

Validate public key

What is DKIM?

DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign email with a key stored in DNS. This allows recipients to verify that the email was genuinely sent from the specified domain.

Selector-based Check

Specify domain and DKIM selector — get the public key and its parameters.

Key Analysis

RSA/Ed25519 key length, hash algorithm, flags, and validity period.

Recommendations

If key < 2048 bits — we issue a warning and key rotation instructions.

Instant Result

Direct DNS query in seconds — no waiting for TTL.

Who uses this

Email marketers

pre-send verification

Sysadmins

mail server setup

Security

phishing protection audit

Developers

email deliverability debug

Common Mistakes

Using 1024-bit key1024 bits is considered weak. Gmail and Outlook require at least 2048 bits.
Not rotating keysSame key for years — risk of compromise. Rotate keys every 6–12 months.
Wrong selectorEach ESP uses its own selector. Ensure the correct key is in DNS for each.
Not checking after ESP changeWhen changing email service, always verify the new provider's DKIM.

Best Practices

Use 2048-bit keysThis is the current recommended minimum. Ed25519 is a more modern alternative.
Set up DMARC with DKIMWithout DMARC, even correct DKIM signing doesn't protect from Display-From spoofing.
Check after migrationWhen changing DNS provider, DKIM records are often lost. Check immediately after.
Document all selectorsKeep a list of all DKIM selectors — useful during rotation and auditing.

Get more with a free account

DKIM check history and DNS monitoring for domain record changes.

Sign up free

Learn more

Frequently Asked Questions

Do I need DKIM?

If you work with web infrastructure or APIs, almost certainly yes. See the article above for specific use cases.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.