Suped

DKIM

What DKIM is, how cryptographic signing works, and what selectors, algorithms, and alignment mean.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails that receiving servers can verify. A valid signature shows that the signed headers and body were not altered after signing, and that the domain named in the signature (the d= tag) took responsibility for the message. On its own it does not prove that the visible From address is genuine; that is what DMARC alignment adds on top of DKIM.

How it works

  1. Your email server canonicalizes the body and a chosen set of headers, hashes them, and signs the result with a private key. The signature and the parameters used (algorithm, canonicalization, signed headers, selector, domain) go into a DKIM-Signature header.
  2. The corresponding public key is published as a DNS TXT record at selector._domainkey.yourdomain.com.
  3. The receiving server reads the selector (s=) and domain (d=) from the DKIM-Signature header, fetches the public key from that record, recomputes the hashes over the received message, and verifies the signature against them.
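The three steps above as a runnable round trip. This is an added example, not Suped's code and not any mail library's: it generates a key pair, publishes it in a constructed in-memory zone under s1._domainkey.example.com, signs a constructed message with relaxed canonicalization, verifies it, and then shows what a reflowed body, an edited body, an edited signed header and a missing key record each produce. The RSA primitive is a textbook PKCS#1 v1.5 implementation standing in for a real library and a real 2048-bit key, and the p= value in the zone stores the modulus and exponent as hex rather than the DER SubjectPublicKeyInfo a real record carries. All names, addresses and message text are constructed.

```python
import base64, hashlib, random, re

# --- Toy RSA-SHA256 / PKCS#1 v1.5: a stand-in for a real 2048-bit key and a real library ---
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def is_prime(n, rounds=20):                        # Miller-Rabin, demo quality
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1) or any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            continue
        return False
    return True

def random_prime(bits):
    while True:
        c = random.getrandbits(bits) | 1 << (bits - 1) | 1   # force top and low bits
        if is_prime(c):
            return c

def make_keypair(bits=1024):                       # (n, e, d); small for speed, DKIM wants >= 2048
    while True:
        p, q, e = random_prime(bits // 2), random_prime(bits // 2), 65537
        if p != q and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def emsa(digest, k):                               # PKCS#1 v1.5 encoding of a SHA-256 digest
    t = DIGESTINFO_SHA256 + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sign(digest, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa(digest, k), "big"), d, n).to_bytes(k, "big")
def rsa_verify(digest, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == emsa(digest, k)

# --- DKIM: relaxed canonicalization, tag parsing, hashes, sign and verify ---
SIGNED = "from:to:subject:date"                    # the h= tag: which headers the signature covers

def relaxed_header(name, value):                   # lowercase name, unfold, squeeze whitespace
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.strip().lower()}:{value}\r\n"

def relaxed_body(body):                            # squeeze WSP, drop trailing WSP and empty lines
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" ") for l in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(l + "\r\n" for l in lines)

def parse_tags(value):                             # "k=v; k2=v2" -> dict
    return {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in value.split(";") if t.strip())}
def body_hash(body):                               # the bh= tag
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()

def header_hash(headers, dkim_value):              # signed headers in h= order, then the signature itself
    data = ""
    for name in parse_tags(dkim_value)["h"].split(":"):
        for hn, hv in reversed(headers):           # last instance of a header wins
            if hn.lower() == name.lower():
                data += relaxed_header(hn, hv)
                break
    emptied = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", dkim_value)   # hashed with b= empty
    data += relaxed_header("DKIM-Signature", emptied).rstrip("\r\n")
    return hashlib.sha256(data.encode()).digest()

def dkim_sign(headers, body, domain, selector, n, d):
    value = f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; h={SIGNED}; bh={body_hash(body)}; b="
    return value + base64.b64encode(rsa_sign(header_hash(headers, value), n, d)).decode()

def dkim_verify(headers, body, dns):               # dns: constructed {record name: TXT value}
    dkim = next(v for hn, v in headers if hn.lower() == "dkim-signature")
    tags = parse_tags(dkim)
    if tags.get("bh") != body_hash(body):
        return "fail: body hash mismatch"
    name = f"{tags['s']}._domainkey.{tags['d']}"   # s= and d= from the header pick the DNS record
    if name not in dns:
        return f"permerror: no key at {name}"
    n, e = (int(x, 16) for x in parse_tags(dns[name])["p"].split(":"))
    if not rsa_verify(header_hash(headers, dkim), base64.b64decode(tags["b"]), n, e):
        return "fail: signature mismatch"
    return "pass"

def demo():
    n, e, d = make_keypair()
    # Constructed zone. A real p= is base64 DER SubjectPublicKeyInfo; this toy stores hex n:e.
    zone = {"s1._domainkey.example.com": f"v=DKIM1; k=rsa; p={n:x}:{e:x}"}
    headers = [("From", "Alice <alice@example.com>"), ("To", "bob@example.net"),
               ("Subject", "Quarterly  report"), ("Date", "Mon, 1 Jan 2024 10:00:00 +0000")]
    body = "Hello Bob,\r\n\r\nNumbers attached.  \r\n\r\n\r\n"
    msg = [("DKIM-Signature", dkim_sign(headers, body, "example.com", "s1", n, d))] + headers
    forged = [msg[0]] + [(h, v.replace("Quarterly", "Urgent")) for h, v in headers]
    return {"good": dkim_verify(msg, body, zone),
            "reflowed": dkim_verify(msg, "Hello Bob,\r\n\r\nNumbers attached.\r\n", zone),
            "body_edit": dkim_verify(msg, body.replace("Numbers", "Nonsense"), zone),
            "header_edit": dkim_verify(forged, body, zone),
            "no_key": dkim_verify(msg, body, {})}
```

Run demo() to see the five outcomes. The "reflowed" case passes because relaxed canonicalization discards trailing whitespace and empty lines before hashing, which is why intermediate mail servers that reflow whitespace do not break signatures. The "header_edit" case fails only because Subject is listed in h=; a header left out of h= can be changed freely without affecting the signature, so the h= list is part of the security boundary.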

Key components

Selector

An identifier for the key pair (e.g. google, s1, dkim), carried in the s= tag of the signature and used as the first label of the DNS record name. A domain can have multiple selectors for different sending sources, and each sending service typically uses its own. Rotating a key means publishing a new selector and switching the signer to it, leaving the old record in place until in-flight mail has been verified.

Algorithm

RSA with SHA-256 hashing (a=rsa-sha256) is the recommended algorithm; rsa-sha1 is deprecated and rejected by many receivers. Minimum key length is 2048 bits. Shorter keys (e.g. 1024-bit) are considered weak and may not be trusted by receivers. Ed25519 signatures (ed25519-sha256) are also standardized but not yet verified everywhere, so they are normally published alongside an RSA signature rather than instead of one.

The d= tag

The signing domain in the DKIM-Signature header. This is the domain that claims responsibility for the email, and it is the domain under which the public key is looked up. It must align with the From header domain for DMARC to pass on DKIM. A signature can be cryptographically valid yet unaligned, for example when a third-party sending service signs with its own domain rather than yours; such a message passes DKIM but does not help DMARC.

The t=y flag

Testing mode, set as t=y in the DNS key record (not to be confused with the t= tag in the DKIM-Signature header, which is a timestamp). When set, receiving servers treat a failed signature as if the message had been unsigned rather than as a hard failure, so it does not protect you. Remove this flag after confirming that signing works correctly.

DKIM alignment with DMARC

The d= domain in the DKIM signature must align with the domain of the From header address, in one of two modes chosen by the adkim tag of the DMARC record:

  • Relaxed (adkim=r, the default) - Organizational domain match. mail.example.com aligns with example.com. The organizational domain is determined using the Public Suffix List, so example.co.uk is treated as a whole and a lookalike such as example.com.attacker.net does not align.
  • Strict (adkim=s) - Exact domain match only. mail.example.com does not align with example.com.
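The two alignment modes as a small evaluator, added here as an example (not Suped's code): it extracts the From domain and the d= tag, then compares them exactly for adkim=s or by organizational domain for adkim=r. The organizational-domain function approximates the rule with the last two labels, which is enough for the .com inputs here; a real evaluator consults the Public Suffix List. All From headers and signature values are constructed.

```python
import re

def from_domain(from_header):                 # domain of the RFC5322.From address
    match = re.search(r"<([^>]+)>", from_header)
    addr = match.group(1) if match else from_header
    return addr.strip().rsplit("@", 1)[1].lower()

def signing_domain(dkim_signature):           # the d= tag of a DKIM-Signature header value
    tags = dict(t.strip().split("=", 1) for t in dkim_signature.split(";") if t.strip())
    return tags["d"].strip().lower()

def org_domain(domain):
    # Approximation: last two labels. A real evaluator uses the Public Suffix List so that
    # example.co.uk is the organizational domain rather than co.uk.
    return ".".join(domain.split(".")[-2:])

def dkim_aligned(from_header, dkim_signature, adkim="r"):
    d, f = signing_domain(dkim_signature), from_domain(from_header)
    return d == f if adkim == "s" else org_domain(d) == org_domain(f)

# Constructed cases: (From header, DKIM-Signature value, adkim mode)
CASES = [
    ("Alice <alice@example.com>", "v=1; a=rsa-sha256; d=example.com; s=s1; b=abc", "s"),
    ("Alice <alice@example.com>", "v=1; a=rsa-sha256; d=mail.example.com; s=s1; b=abc", "r"),
    ("Alice <alice@example.com>", "v=1; a=rsa-sha256; d=mail.example.com; s=s1; b=abc", "s"),
    ("alice@mail.example.com", "v=1; a=rsa-sha256; d=example.com; s=s1; b=abc", "r"),
    # third-party sender signing with its own domain: valid DKIM, but not aligned
    ("alice@example.com", "v=1; a=rsa-sha256; d=esp.example; s=k1; b=abc", "r"),
    # lookalikes that a naive suffix or substring check would wrongly accept
    ("alice@example.com", "v=1; a=rsa-sha256; d=example.com.attacker.net; s=s1; b=abc", "r"),
    ("alice@example.com", "v=1; a=rsa-sha256; d=notexample.com; s=s1; b=abc", "r"),
]

def report():
    """(From domain, d= domain, adkim, aligned?) for every case."""
    return [(from_domain(f), signing_domain(s), m, dkim_aligned(f, s, m)) for f, s, m in CASES]
```

Only the first, second and fourth cases align. The esp.example case is the one that surprises people most often: the signature verifies, so mail logs show dkim=pass, yet DMARC reports the message as failing DKIM alignment.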

See DMARC alignment for more details.