DKIM (DomainKeys Identified Mail) is a cryptographic signature added to email by the sender. The public key is published in DNS (selector._domainkey.example.com); the private key signs the message body. The recipient verifies the signature, guaranteeing the message was not modified in transit and truly came from the claimed domain.
Free online tool — SPF/DKIM/DMARC checker: instant results, no signup.
DKIM (DomainKeys Identified Mail) is a cryptographic signature added to email by the sender. The public key is published in DNS (selector._domainkey.example.com); the private key signs the message body. The recipient verifies the signature, guaranteeing the message was not modified in transit and truly came from the claimed domain.
DKIM (DomainKeys Identified Mail) employs a combination of public and private key cryptography to provide email authentication. The process begins when the sender's mail server generates a unique DKIM signature for each outgoing email. This signature is created by hashing the email's headers and body, and then encrypting that hash with the sender's private key.
Here’s how the entire process unfolds:
selector._domainkey.example.com.Upon receiving the email, the recipient's mail server retrieves the public key from the DNS, decrypts the DKIM signature, and compares the resulting hash to the hash of the received email. If they match, the email is verified as authentic and unaltered.
Implementing DKIM involves several steps, including generating keys, creating DNS records, and configuring your mail server. Below are practical steps to set up DKIM:
openssl genrsa -out private.key 1024openssl rsa -in private.key -pubout -out public.keyselector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_HERE"milter_default_action = acceptsmtpd_milters = inet:localhost:8891non_smtpd_milters = inet:localhost:8891Ensure you replace localhost:8891 with the appropriate address and port of your DKIM signing service.
While DKIM is a robust email authentication method, users may encounter various issues during setup or operation. Here are some common problems and their solutions:
dig to check if your DKIM record is visible:dig TXT selector._domainkey.example.comWait a few hours and recheck if necessary.
By addressing these common issues, you can ensure your DKIM implementation functions correctly, enhancing your email deliverability and security.
DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign email with a key stored in DNS. This allows recipients to verify that the email was genuinely sent from the specified domain.
Specify domain and DKIM selector — get the public key and its parameters.
RSA/Ed25519 key length, hash algorithm, flags, and validity period.
If key < 2048 bits — we issue a warning and key rotation instructions.
Direct DNS query in seconds — no waiting for TTL.
pre-send verification
mail server setup
phishing protection audit
email deliverability debug
DKIM check history and DNS monitoring for domain record changes.
Sign up freeIf you work with web infrastructure or APIs, almost certainly yes. See the article above for specific use cases.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.