DKIM (DomainKeys Identified Mail) is a cryptographic signature proving a message truly originated from your domain and was not altered in transit. Without DKIM Gmail/Yandex throttle delivery. Process: generate RSA-2048 key pair → publish the public key as a selector._domainkey.example.com TXT record → enable signing in the mail server.
Below: step-by-step, working examples, common pitfalls, FAQ.
Free online tool — SPF/DKIM/DMARC checker: instant results, no signup.
openssl genrsa -out dkim.private 2048 && openssl rsa -in dkim.private -pubout -out dkim.publicmail._domainkey (where mail is the selector), value v=DKIM1; k=rsa; p=PUBLIC_KEYDKIM-Signature header at the recipientcheck-auth@verifier.port25.com| Scenario | Config / Record |
|---|---|
| Google Workspace | Admin console → Apps → Gmail → Authenticate email → Generate new record (selector = google) |
| Yandex360 | Domain admin → Mail → DKIM. Selector = mail |
| Mailgun | TXT imported from Mailgun dashboard (selector = mx) |
| Postfix + OpenDKIM | opendkim-genkey -s mail -d example.com → copy mail.txt into DNS |
| SendGrid | DKIM host: s1._domainkey + s2._domainkey (2 records) |
To set up DKIM email signing, generate a DKIM key pair using a tool like OpenSSL, then publish the public key as a TXT record in your DNS settings. Configure your mail server (e.g., Postfix, Exim) to use the private key for signing outgoing emails. This process enhances email deliverability and mitigates spoofing, crucial for businesses operating in the US and EU.
DomainKeys Identified Mail (DKIM) is an email authentication method that allows senders to digitally sign their emails, ensuring that the content has not been altered in transit. By implementing DKIM, organizations can protect their email domain from spoofing and phishing attacks, thus enhancing their sender reputation and email deliverability rates.
In the context of the EU's General Data Protection Regulation (GDPR) and the CAN-SPAM Act in the US, maintaining a secure email infrastructure is not just a best practice; it's a regulatory requirement. Failing to authenticate emails can lead to significant legal and reputational consequences.
DKIM uses a combination of public and private keys to sign emails. The sender's mail server generates a hash of the email content and a unique identifier. This hash is then encrypted using the sender’s private key and added to the email header. The recipient’s mail server retrieves the public key from the DNS records to verify the signature.
For example, the DKIM-Signature header might look like this:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=default; c=relaxed/simple; h=from:to:subject:date; bh=xyz123...; b=abc456...In the above example, d=example.com indicates the signing domain, while s=default specifies the selector used to locate the public key in DNS.
DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign email with a key stored in DNS. This allows recipients to verify that the email was genuinely sent from the specified domain.
Specify domain and DKIM selector — get the public key and its parameters.
RSA/Ed25519 key length, hash algorithm, flags, and validity period.
If key < 2048 bits — we issue a warning and key rotation instructions.
Direct DNS query in seconds — no waiting for TTL.
pre-send verification
mail server setup
phishing protection audit
email deliverability debug
DKIM check history and DNS monitoring for domain record changes.
Sign up freeYes. DMARC requires SPF OR DKIM to align. When the domain sends via a forwarder SPF often breaks while DKIM survives. Configure both.
A label that lets you run multiple DKIM keys in parallel (e.g. one for marketing, one for transactional). DNS record name is <code>selector._domainkey.domain</code>.
Read the <code>DKIM-Signature: d=sender.com; s=selector</code> header. Or use <a href="/en/dkim">Enterno DKIM Checker</a>.
Yes. Each service (Mailgun, SendGrid, your SMTP) can use its own selector. That is normal.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.