Summary
DKIM (DomainKeys Identified Mail) is an email authentication mechanism that adds a digital signature to email headers. This signature, verified against a public key in the DNS record, confirms the sender's identity and ensures the message's integrity. DKIM prevents spoofing and phishing, improves deliverability by building trust with mailbox providers, and enhances sender reputation. Key practices include using 2048-bit keys, regular rotation, monitoring DKIM reports, integrating with DMARC/SPF, and signing different mail streams with unique signatures to categorise emails.
Key findings
- Purpose: DKIM validates email source and integrity using digital signatures.
- Mechanism: It uses asymmetric cryptography with public keys in DNS records.
- Benefits: It prevents spoofing, improves deliverability and enhances sender reputation.
- DMARC: DKIM is a crucial component of DMARC.
- Mail Streams: Different mail streams (corporate, marketing, etc.) can use custom DKIM signatures.
Key considerations
- Key Length: Use 2048-bit or greater keys for strong security.
- Key Rotation: Regularly rotate DKIM keys to mitigate compromise risks.
- Monitoring: Monitor DKIM reports to detect authentication issues.
- Testing: Test DKIM setup with online checkers.
- Implementation: Configure email servers to sign outgoing messages.
What email marketers say
15 marketer opinions
A custom DKIM signature is a digital signature added to email headers that authenticates the sender and ensures the message's integrity. DKIM helps prevent email spoofing and phishing, improves deliverability by building trust with mailbox providers, and enhances sender reputation. Best practices include using a key length of 2048 bits, regularly rotating keys, monitoring DKIM reports, and implementing DKIM as part of a broader email authentication strategy with SPF and DMARC. Custom DKIM signatures can be used to categorize mail streams for different parts of the business improving deliverability further.
Key opinions
- Definition: DKIM is an email authentication mechanism that uses a digital signature to verify the sender's identity and ensure message integrity.
- Deliverability: DKIM improves email deliverability by helping mailbox providers differentiate legitimate senders from spammers.
- Spoofing Protection: DKIM protects against email spoofing and phishing attacks by making it harder for malicious actors to impersonate legitimate senders.
- DMARC Integration: DKIM is a crucial component of DMARC, providing a strong defense against email-based attacks when implemented together.
- Brand Reputation: Properly implemented DKIM enhances brand reputation by ensuring emails are authenticated and domains are protected from spoofing.
Key considerations
- Key Length: Use a DKIM key length of at least 2048 bits for optimal security.
- Key Rotation: Regularly rotate DKIM keys to minimize the impact of potential key compromise.
- Monitoring: Monitor DKIM reports to identify and address any authentication issues.
- Setup Process: Setting up DKIM involves generating a key pair, adding the public key to DNS, and configuring the email server to sign outgoing messages.
- Mail Stream Categorisation: Consider custom DKIM signatures to categorize mail streams by separating emails for different parts of the business for enhanced deliverability.
Marketer view
Email marketer from SparkPost shares that DKIM is important for improving email deliverability. When you DKIM sign your emails, you are telling mailbox providers that you are a legitimate sender and that your emails should be delivered to the inbox, not the spam folder. This builds trust between the sender and the receiver.
6 Mar 2022 - SparkPost
Marketer view
Marketer from Email Geeks explains that different types of messages within your mail streams (e.g. corporate, marketing email, service desk) should have their own different custom DKIM signatures. If the autoresponder emails are not marketing related, then they should have a different signature. The objective is to help receivers understand the different types of email you are sending out.
19 Oct 2023 - Email Geeks
What the experts say
2 expert opinions
DKIM (DomainKeys Identified Mail) is a method for validating the source and integrity of email messages. It uses cryptographic signatures to verify that an email originated from the claimed domain and has not been altered during transit. This process involves adding a digital signature to the email header, which receiving servers can validate against the sender's public key in the DNS record. Implementing DKIM helps to prevent email spoofing and phishing attacks, improving deliverability and building trust with recipients.
Key opinions
- Validation of Source: DKIM provides a method for validating the source of email messages.
- Integrity Verification: It verifies that an email has not been altered during transit.
- Prevention of Spoofing: DKIM helps prevent email spoofing and phishing attacks.
- DNS Validation: The digital signature is validated against the sender's public key published in the DNS record.
Key considerations
Expert view
Expert from Spamresource answers that the purpose of DKIM is to provide a way for receiving email servers to verify that an email message was indeed sent from the domain it claims to be from and that the message has not been altered in transit. This is done by adding a digital signature to the email header, which the recipient's server can then validate against the sender's public key published in the DNS record.
5 Oct 2021 - Spamresource
Expert view
Expert from Word to the Wise explains that DomainKeys Identified Mail (DKIM) provides a method for validating the source and integrity of email messages. It uses cryptographic signatures to verify that an email has not been altered during transit and that it originated from the claimed domain. Implementing DKIM helps to prevent email spoofing and phishing attacks, improving deliverability and building trust with recipients.
1 Apr 2023 - Word to the Wise
What the documentation says
4 technical articles
DKIM (DomainKeys Identified Mail) is a mechanism that allows email senders to digitally sign their messages, attaching a cryptographic signature to the email header. Receiving servers can then verify this signature against the sender's public key published in the DNS record, confirming that the message truly came from the claimed sender, was not altered during transit, and that the domain takes responsibility for the message. This process provides an authentication framework for email, increasing trust and preventing spoofing.
Key findings
- Digital Signatures: DKIM involves attaching a digital signature to outgoing email messages.
- Verification Process: Receiving servers verify the signature using the sender's public key from the DNS record.
- Message Integrity: DKIM confirms that messages were not altered during transit.
- Sender Authentication: DKIM confirms that messages truly came from the claimed sender.
- Spoofing Prevention: DKIM helps prevent email spoofing by ensuring the message's authenticity.
Key considerations
Technical article
Documentation from Microsoft explains that DKIM works by adding a digital signature to the header of an email message. This signature is encrypted with the sender's private key and can be verified by the recipient's mail server using the sender's public key, which is published in the DNS record. If the signature matches, the email is authenticated.
26 Dec 2021 - Microsoft
Technical article
Documentation from Google explains that DKIM signing lets you attach a digital signature to your outgoing messages. Receiving servers can then use DKIM to verify that messages weren't altered during transit and truly came from your domain. When you use DKIM, your domain takes responsibility for your messages. This increases trust and helps prevent spoofing.
22 Apr 2025 - Google
Are people using 4096-bit DKIM keys, and what is the recommended DKIM key length?
Can DKIM be set up on a subdomain, and which domain should be used for signing?
Do DKIM selectors affect email reputation?
Do I need multiple DKIM records if I use multiple ESPs like HubSpot, Sendgrid and ActiveCampaign?
How do I find the DKIM selector for my domain in Dmarcian or Hubspot?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
