What is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication method that adds a digital signature to every outgoing message. The signature is generated using a private key held by your mail server, and verified by receiving mail servers using a corresponding public key published in your DNS.
When the recipient's server verifies the DKIM signature successfully, it establishes two things:
- The email actually came from your domain's authorised sending infrastructure.
- The message content was not altered in transit.
DKIM is a required building block for DMARC alignment. Without DKIM (or SPF), DMARC has nothing to align against.
What to do
Step 1 — Generate a key pair
Most hosted email providers (Google Workspace, Microsoft 365, etc.) handle DKIM key generation internally and give you the DNS value to publish. For self-hosted mail servers you generate the key pair yourself:
opendkim-genkey -t -s mail -d yourdomain.com
This produces:
- mail.private — the private key, kept on your mail server
- mail.txt — the TXT record value to publish in DNS
Step 2 — Publish the public key in DNS
Publish a TXT record at the selector subdomain. The standard format is:
<selector>._domainkey.yourdomain.com
The selector is a label you choose (e.g. mail, google, s1). Your DNS record value looks like:
v=DKIM1; k=rsa; p=MIGfMA0GCSq...base64-encoded-public-key...
Common selectors by provider:
| Provider | Selector |
|---|---|
| Google Workspace | google |
| Microsoft 365 | selector1, selector2 |
| Mailchimp | k1 |
| SendGrid | s1, s2 |
Step 3 — Enable signing on your mail server
Configure your mail server or email provider to sign outgoing messages with the private key. In Google Workspace this is a toggle in Admin → Apps → Google Workspace → Gmail → Authenticate email. In self-hosted Postfix/OpenDKIM setups, add the signing configuration to /etc/opendkim.conf.
Step 4 — Verify
After DNS propagation, send a test email and check the headers for a DKIM-Signature field. Use a tool like MXToolbox DKIM checker or mail-tester.com to confirm the signature validates.
Key rotation
DKIM keys should be rotated periodically (at least once a year). Use multiple selectors so you can publish a new key (selector2) before decommissioning the old one (selector1), giving you a transition period without delivery failures.
Common mistakes
- Publishing the key but not enabling signing — The DNS record exists but outgoing mail carries no signature. Check your mail server configuration, not just DNS.
- Key too short — 1024-bit keys are now considered weak. Use 2048-bit minimum.
- Forgetting forwarded mail — Email forwarding often breaks DKIM signatures because the forwarding server may modify the message. This is expected; DMARC alignment via SPF can compensate.
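As an added example (not code from the original page), a small Python checker for the TXT record format from Step 2 that also catches the "key too short" mistake above: it parses the tag=value record, reads the RSA modulus size out of the p= value with a minimal DER walker, and flags an empty p= and t=y testing mode (which the -t flag in Step 1 sets). The constructed_spki helper fabricates a synthetic, non-prime modulus purely as test input; the DNS lookup of the <selector>._domainkey record is assumed to happen elsewhere.

```python
import base64

def parse_tags(record: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, dropping whitespace inside values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def _der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(spki_b64: str) -> int:
    """Modulus bit length from the base64 SubjectPublicKeyInfo carried in p=."""
    der = base64.b64decode(spki_b64)
    _, pos, _ = _der_read(der, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_read(der, pos)          # skip AlgorithmIdentifier (rsaEncryption)
    tag, pos, _ = _der_read(der, pos)        # BIT STRING wrapping RSAPublicKey
    _, pos, _ = _der_read(der, pos + 1)      # +1 skips the unused-bits byte
    tag2, start, end = _der_read(der, pos)   # INTEGER n is the first RSAPublicKey field
    if (tag, tag2) != (0x03, 0x02):
        raise ValueError("p= is not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(der[start:end], "big").bit_length()

def check_dkim_record(record: str, min_bits: int = 2048) -> list:
    """Findings to act on; an empty list means the record looks sound."""
    tags, findings = parse_tags(record), []
    if not tags.get("p"):
        findings.append("p= is empty: key revoked, signatures will fail to verify")
    elif (bits := rsa_modulus_bits(tags["p"])) < min_bits:
        findings.append(f"{bits}-bit key is weak; use {min_bits}-bit minimum")
    if "y" in tags.get("t", ""):
        findings.append("t=y: testing mode, remove once signing is verified")
    return findings

def constructed_spki(bits: int) -> str:
    """Base64 SPKI around a synthetic modulus of the given size (NOT a real key; test data only)."""
    def der(tag, body):  # minimal DER TLV encoder, long-form length when needed
        lb = b"" if len(body) < 0x80 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb) if lb else len(body)]) + lb + body
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # 0x00 keeps INTEGER positive
    rsa_key = der(0x30, der(0x02, n) + der(0x02, b"\x01\x00\x01"))  # RSAPublicKey {n, e=65537}
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption
    return base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + rsa_key))).decode()
```

Feed check_dkim_record the TXT value fetched for your selector; a 1024-bit key returns a weakness finding while a clean 2048-bit record returns an empty list.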
Last updated: March 28, 2026