Suped

Does DKIM signature verification involve a DNS lookup?

Yes, absolutely. The DKIM (DomainKeys Identified Mail) verification process is entirely dependent on performing a DNS lookup. Without a DNS lookup, a receiving mail server would have no way to find the public key required to verify an email's signature. It's a fundamental part of how DKIM is designed to work.

Think of it like this: DKIM attaches a digital signature to your emails. This signature is created using a secret, private key. To check if that signature is valid, the receiver needs the corresponding public key. The public key isn't sent with the email; instead, it's published in your domain's DNS records, where anyone can find it. This is where the DNS lookup becomes essential.


How the DKIM verification process uses DNS

When you send an email with DKIM enabled, your sending mail server uses a private key to generate a unique signature. This signature is added to the email's headers in a field called DKIM-Signature. When the email arrives at its destination, the receiving server kicks off the verification process.

NsLookup.io says:
When email is received, the receiving mail server examines the DKIM-Signature header field and performs a DNS lookup to retrieve the DKIM record...

The process follows these general steps:

  • Reading the header: The receiving server reads the DKIM-Signature header to find two crucial pieces of information: the signing domain (specified in the d= tag) and the selector (the s= tag).
  • Constructing the query: It combines the selector and the domain to form a specific DNS hostname. For example, if the selector is google and the domain is example.com, it will look for a record at google._domainkey.example.com.
  • Performing the DNS lookup: The server then queries the DNS for a TXT record at that specific hostname.
  • Verifying the signature: If a record is found, it will contain the public key. The server uses this key to check the email's signature. If the signature is valid, DKIM passes. If not, it fails.

Mailgun says:
The DKIM signature is then verified by recipient servers against the public key stored in the DNS records of the sender's domain.

The structure of a DKIM DNS record

The DNS record that holds the public key is a simple TXT record. This is a deliberate design choice to use existing, well-established DNS infrastructure. As the official RFC 6376 for DKIM specifies, the only defined query type for DKIM is 'txt'.

Hostinger Tutorials says:
A DKIM record is a DNS TXT entry containing a public key for email verification by recipient servers. It comprises elements like a name, version, and key type.

Inside this TXT record, you'll find a series of tags. The most important ones are: v=DKIM1, which specifies the version; k=rsa, which indicates the key type (usually RSA); and p=, which contains the actual public key data. The selector allows a domain to have multiple DKIM keys, which is useful for key rotation or for allowing different email service providers to send on your behalf, each with their own unique signature.

What happens when a DKIM DNS lookup fails?

If the receiving server cannot perform the DNS lookup successfully, the DKIM check cannot be completed. This will almost always result in a DKIM failure. This can happen for a few common reasons:

Nureply says:
Common issues during a DKIM lookup include incorrect DNS configuration, where the DKIM record is either missing or improperly formatted, leading to...

A failure doesn't necessarily mean the email will be blocked outright, but it removes a critical layer of trust. When combined with DMARC, a DKIM failure can instruct the receiving server to quarantine or even reject the message. Therefore, ensuring your DKIM records are correctly published in DNS is vital for good email deliverability.
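The four verification steps, the record tags and the failure cases described above, walked through in code. This is an added example written for this page, not code from Suped or from any mail library: the DKIM-Signature header, the zone contents and the "public key" inside it are constructed (the key is just base64 of a short text string), the resolver is a dict standing in for DNS so the script runs offline, and the final cryptographic check of the b= value over the canonicalized message is left out. It does show two details a verifier has to get right that the prose only implies: a long TXT record arrives as several strings that must be joined before parsing, and "lookup failed" splits into a permanent failure (no record, bad syntax, revoked key) versus a temporary one (the DNS query itself did not complete).

```python
"""DNS side of DKIM verification on constructed data (added example).

Not code from Suped or any mail library. Header, zone and key are
constructed; the RSA check of b= over the message is out of scope.
"""
import base64
import re


class DnsTempFail(Exception):
    """Stands in for a transient resolver error (SERVFAIL, timeout)."""


def parse_tags(value):
    """Step 1: parse a DKIM tag=value list (RFC 6376 s.3.2) into a dict.

    Whitespace inside a value is dropped because folding whitespace may
    appear inside base64 values (p=, b=). A part without '=' is an error.
    """
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag %r" % part)
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_query_name(sig_tags):
    """Step 2: <selector>._domainkey.<signing domain> from s= and d=."""
    if "d" not in sig_tags or "s" not in sig_tags:
        raise ValueError("DKIM-Signature is missing d= or s=")
    return "%s._domainkey.%s" % (sig_tags["s"], sig_tags["d"])


def lookup_txt(name, zone):
    """Step 3 (offline): joined TXT strings at name, or None if absent.

    A record longer than 255 bytes (normal for a 2048-bit key) comes back
    as several strings; they must be concatenated before parsing.
    """
    answer = zone.get(name.lower())
    if answer == "SERVFAIL":  # constructed marker for a transient error
        raise DnsTempFail(name)
    if answer is None:
        return None
    return "".join(answer)


def parse_dkim_record(txt):
    """Step 4a: record tags -> (key_type, key_bytes).

    v= defaults to DKIM1 and must be DKIM1 if present; k= defaults to
    rsa; p= is required, and an empty p= means the key is revoked.
    """
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported record version %r" % tags["v"])
    if "p" not in tags:
        raise ValueError("record has no p= tag")
    key = base64.b64decode(tags["p"], validate=True)  # binascii.Error is a ValueError
    return tags.get("k", "rsa"), key


def check_dkim_key(header_value, zone):
    """Steps 1-4 with the outcome classes of RFC 6376 s.6.1.2.

    ('ok', key_bytes) when a usable key was fetched; ('permfail', reason)
    for a missing, malformed or revoked record; ('tempfail', reason) when
    the DNS query itself could not be completed.
    """
    try:
        name = dkim_query_name(parse_tags(header_value))
    except ValueError as exc:
        return "permfail", "bad DKIM-Signature header: %s" % exc
    try:
        txt = lookup_txt(name, zone)
    except DnsTempFail:
        return "tempfail", "DNS query for %s failed" % name
    if txt is None:
        return "permfail", "no key record at %s" % name
    try:
        _key_type, key = parse_dkim_record(txt)
    except ValueError as exc:
        return "permfail", "key syntax error at %s: %s" % (name, exc)
    if not key:
        return "permfail", "key at %s has been revoked (empty p=)" % name
    return "ok", key


# Constructed header, folded over two lines as in a real message;
# bh= and b= are placeholders, not real digests.
SIG_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;\r\n"
              "\th=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=")

# Constructed zone. The p= value is base64 of the text "not a real key",
# split across two TXT strings the way a long record is returned.
ZONE = {
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=bm90IGEgcmVh", "bCBrZXk="],
    "old._domainkey.example.com": ["v=DKIM1; k=rsa; p="],      # revoked key
    "broken._domainkey.example.com": ["v=DKIM1; k=rsa; p=%%%"],  # not base64
    "flaky._domainkey.example.com": "SERVFAIL",
}


def demo():
    """Run the common outcomes and return them keyed by selector."""
    results = {}
    for selector in ("google", "missing", "old", "broken", "flaky"):
        header = SIG_HEADER.replace("s=google", "s=" + selector)
        results[selector] = check_dkim_key(header, ZONE)
    return results


if __name__ == "__main__":
    for selector, (status, detail) in demo().items():
        print("%-8s %-9s %r" % (selector, status, detail))
```

Running the script prints one line per selector: `google` yields `ok` with the decoded key bytes, `missing`, `old` and `broken` are permanent failures with distinct reasons, and `flaky` is a temporary failure. That distinction matters operationally: a receiver that treats a resolver timeout as a permanent DKIM failure will let DMARC reject legitimate mail during a DNS outage, whereas RFC 6376 expects a TEMPFAIL to be retried or treated as "no result".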
