DKIM (DomainKeys Identified Mail), defined in RFC 6376, attaches a cryptographic signature to outgoing email using a private key held by the sending mail server. Receiving servers fetch the matching public key from a DNS TXT record at a selector-specific name like selector1._domainkey.example.com and verify that the signed headers and body have not been altered in transit.
Why it matters
DKIM proves that a message claiming to come from your domain was actually authorised by your infrastructure and was not tampered with on the way. It is a core input to DMARC, which lets receivers reject or quarantine spoofed mail. Together with SPF, DKIM is what gets your transactional and marketing email past inbox filters at Gmail, Outlook, and Apple Mail.
How to check
- Generate a key pair with at least 2048 bits — 1024-bit keys are increasingly flagged as weak.
- Publish the public key in a TXT record at <selector>._domainkey.example.com and configure your mail platform to sign with the matching private key.
- Use distinct selectors per service (transactional, newsletters, support) so you can rotate one without breaking the others.
- Rotate keys at least once a year and remove old selectors after grace periods.
- Send a test message to a checker like check-auth@verifier.port25.com and confirm dkim=pass.
- Layer with SPF, DMARC, and DNSSEC for end-to-end mail authentication.