What is a custom DKIM signature and what are the benefits and best practices for using it?
Matthew Whittaker
Co-founder & CTO, Suped
Published 28 Jun 2025
Updated 15 Aug 2025
9 min read
Email authentication is a cornerstone of good deliverability, and DKIM (DomainKeys Identified Mail) is a critical component of that. While many email service providers (ESPs) offer default DKIM signing, using a custom DKIM signature for your domain provides a significant advantage. This approach allows you to directly control your email's digital fingerprint, establishing a stronger link between your sending domain and your messages.
A custom DKIM signature essentially serves as a unique seal of approval, telling receiving mail servers that the email truly originated from your domain and hasn't been tampered with during transit. It leverages cryptographic keys, with a private key used by the sender to sign the email and a public key published in your domain's DNS, allowing recipients to verify the signature. This process is vital for building and maintaining trust with inbox providers.
Understanding and implementing a custom DKIM signature is a fundamental step towards enhancing your email program's security and ensuring your messages reach the inbox reliably. It is a key part of a comprehensive email authentication strategy, working alongside SPF and DMARC to create a robust defense against spoofing and phishing attacks.
A custom DKIM signature uses a pair of cryptographic keys, a private key and a public key. The private key resides on your sending server (or your ESP's server if they manage your DKIM), and it's used to generate a unique digital signature for each outgoing email. This signature is then added to the email's header. The public key, on the other hand, is published as a TXT record in your domain's DNS (Domain Name System).
When an email signed with your custom DKIM reaches a recipient's mail server, the server looks up your public key in your DNS records, using the DKIM selector named in the signature. For examples of selectors, you can review a list of common DKIM selectors. It then uses this public key to verify the digital signature on the incoming email. If the signature is valid, it confirms that the signed headers and body have not been altered since the message was signed with your domain's private key, and that it genuinely originates from your specified domain. This authentication process helps to prevent email spoofing and phishing attacks, which often rely on sending emails that appear to be from legitimate sources but are, in fact, fraudulent.
The key (pun intended!) aspect of a custom DKIM signature is that it ties the email directly to your domain, not just the sending service. This is a critical distinction, as it provides a higher level of trust and authentication compared to shared DKIM signatures, which might use your ESP's domain in the signature. For a deeper dive into the mechanics, Mailgun's guide to DKIM provides excellent insights.
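An added example, not code from the original article or from Suped: a stdlib-only Python implementation of the body-hash step that a receiving server recomputes during verification, with the simple and relaxed body canonicalizations defined in RFC 6376, run over a constructed sample body.

```python
import base64
import hashlib
import re

# Constructed sample body (not from the article), CRLF line endings as on the wire.
SAMPLE_BODY = "Hello,\r\n\r\nYour order  #1234 has shipped.  \r\nThanks\r\n\r\n\r\n"


def canonicalize_body(body: str, mode: str = "simple") -> bytes:
    """Apply RFC 6376 body canonicalization before hashing.

    simple:  only trailing empty lines are removed (an empty body becomes one CRLF).
    relaxed: additionally strip trailing spaces/tabs on each line and collapse
             runs of spaces/tabs inside a line to a single space.
    """
    if mode not in ("simple", "relaxed"):
        raise ValueError(f"unknown canonicalization {mode!r}")
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, mode: str = "simple") -> str:
    """Compute the bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(body: str, bh_tag: str, mode: str = "simple") -> bool:
    """What the receiving server does: recompute bh= over the body it received
    and compare it with the value carried in the DKIM-Signature header."""
    return body_hash(body, mode) == bh_tag


if __name__ == "__main__":
    signed_bh = body_hash(SAMPLE_BODY, "relaxed")
    print("bh= at signing time:", signed_bh)
    # A gateway that appends a footer changes the body, so the hash no longer matches.
    print("after footer added :", verify_body_hash(SAMPLE_BODY + "-- footer\r\n", signed_bh, "relaxed"))
    # Whitespace-only changes survive relaxed canonicalization but not simple.
    reflowed = SAMPLE_BODY.replace("  ", " ")
    print("relaxed survives reflow:", verify_body_hash(reflowed, signed_bh, "relaxed"))
    print("simple survives reflow :", body_hash(reflowed) == body_hash(SAMPLE_BODY))
```

A body hash mismatch reported by a verifier means the body it received canonicalizes to something different from what the signer hashed, which is why anything that rewrites the body in transit breaks DKIM.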
DKIM record example
selector1._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ...";
This is a typical example of a DKIM TXT record. The selector1 is the DKIM selector, _domainkey is a fixed label placed in front of your domain, and yourdomain.com is your domain. The v=DKIM1 tag identifies the record version, k=rsa the key type, and the p= tag contains the base64-encoded public key.
Benefits of using a custom DKIM signature
Using a custom DKIM signature offers several significant benefits, primarily centered around improving your email deliverability and protecting your brand. When you use your own domain for DKIM, you gain more control over your email reputation. This is because mailbox providers can accurately attribute sending behavior directly to your domain, rather than to a shared ESP domain.
A primary benefit is enhanced inbox placement. Mailbox providers like Google and Yahoo increasingly prioritize emails with proper authentication, including custom DKIM. This helps them filter out malicious emails, ensuring that legitimate messages reach their intended recipients. A custom signature signals to these providers that you are a legitimate sender, which can significantly reduce the chances of your emails being flagged as spam or rejected. The effect of turning on DKIM can be substantial.
Furthermore, a custom DKIM signature offers greater flexibility. If you ever decide to switch ESPs, having your own DKIM signature means you can transfer your established domain reputation more seamlessly. You simply publish the new provider's public key under your domain in DNS, rather than relying on a shared signature that might be tied to your previous provider's infrastructure. This can minimize disruption to your email deliverability during migrations and gives you better control over your email sending identity.
Shared DKIM (ESPs)
Reputation shared: Your email reputation is tied to the ESP's sending infrastructure, potentially affecting your deliverability if other users on the same shared DKIM engage in poor sending practices. This is explored further in how one customer's signature affects others.
Less control: You have limited control over the DKIM keys and their rotation. Some ESPs use double DKIM signing as a fallback measure.
Brand perception: The DKIM signature domain might not align with your branding, which can subtly impact recipient trust.
Custom DKIM (Your Domain)
Independent reputation: Your email reputation is solely tied to your domain, offering greater stability and protection from others' sending habits. This impacts individual versus shared DKIM deliverability.
Full control: You manage your own DKIM keys, allowing for strategic rotation to enhance security and deliverability. Learn about changing DKIM selectors.
Consistent branding: Your DKIM signature aligns with your primary domain, reinforcing brand identity and trust for recipients.
Implementing a custom DKIM signature
Setting up a custom DKIM signature usually involves a few key steps. First, you'll need to generate a public and private key pair. Many ESPs or email sending platforms will provide tools or instructions to do this automatically. Some platforms, like Amazon SES, even offer options like Bring Your Own DKIM (BYODKIM) for more advanced control. Alongside the key pair you assign a selector, a short label that tells recipient servers which public key record to look up.
Once you have your public key, the next crucial step is to add it as a TXT record in your domain's DNS settings. This process can vary slightly depending on your DNS provider, but it generally involves logging into your domain registrar or DNS hosting provider's control panel and creating a new TXT record. The record will typically consist of the DKIM selector, the ._domainkey prefix, your domain, and the public key itself. For more details on configuring DKIM for custom domains, Microsoft provides a helpful guide.
After publishing the DNS record, it's essential to verify that your DKIM setup is correct. DNS changes can take some time to propagate across the internet, so patience is key. You can use online DKIM lookup tools to confirm that your public key is correctly published and accessible. A misconfigured DKIM record can lead to authentication failures, which negatively impact your deliverability. If you encounter issues like a DKIM body hash mismatch or no DKIM record found errors, it's crucial to troubleshoot them promptly.
Best practices for managing custom DKIM signatures
To maximize the benefits of custom DKIM, several best practices should be followed. Firstly, consider using different DKIM signatures for distinct types of email streams. For instance, transactional emails (like order confirmations) and marketing emails could use separate DKIM signatures. This segmentation helps mailbox providers understand the nature of your sending volume, allowing them to assign reputation more granularly. If one stream experiences an issue, it's less likely to negatively impact the deliverability of your other, critical email types. This also applies to setting up DKIM on a subdomain.
Regularly rotating your DKIM keys is another important security measure. While not strictly required for deliverability, it's a good security hygiene practice that limits the exposure of your private key in case of a breach. When rotating keys, ensure a smooth transition by having both old and new keys published in DNS for a period to allow for DNS propagation and caching. This ensures continuous authentication of your emails. More on DKIM key rotation and deliverability can be found here.
Finally, ensure your DKIM keys use appropriate lengths. While 2048-bit DKIM keys offer stronger security, 1024-bit keys are still widely supported. However, some providers may start deprecating shorter keys. Always consult your ESP's recommendations and industry best practices. Regular monitoring of your email deliverability, including DMARC reports, will help you identify any issues related to DKIM authentication failures and take corrective action, such as diagnosing and reducing DKIM temporary error rates.
DKIM and DMARC alignment
For your emails to pass DMARC, they must align with either SPF or DKIM. DKIM alignment occurs when the domain in the DKIM signature (the d= tag) matches the domain in the RFC5322.From header (the visible sender address): an exact match under strict alignment, or the same organizational domain under relaxed alignment. A custom DKIM signature ensures this alignment is with your actual sending domain, providing strong authentication. You can read more about how to use DKIM for DMARC compliance.
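An added example (not code from the article or from Suped) that ties together the DKIM record format shown earlier and the alignment rule above: it parses a DKIM-Signature header and the TXT record a verifier would fetch, derives the selector._domainkey lookup name, rejects a revoked (empty p=) key, and applies the DMARC alignment check in strict and relaxed mode. The header, signature value and public key are constructed placeholders, and the organizational-domain rule is a deliberate simplification.

```python
import re

# Constructed samples (not from the article); signature and key are placeholders, not real values.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=selector1;\r\n"
              "\th=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
              "\tb=bm90LWEtcmVhbC1zaWduYXR1cmU=")
SAMPLE_TXT = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"
REVOKED_TXT = "v=DKIM1; k=rsa; p="   # empty p= is how a retired selector is revoked

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (same syntax in the header and the DNS record);
    folding whitespace in values is dropped and a repeated tag is rejected (RFC 6376)."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed tag list near {part!r}")
        tags[name] = re.sub(r"\s+", "", val)
    return tags

def dns_name_for(sig: dict) -> str:
    """Name the verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def check_key_record(txt: str) -> str:
    """Validate a published DKIM TXT record and return its base64 public key."""
    rec = parse_tags(txt)
    if rec.get("v", "DKIM1") != "DKIM1" or "p" not in rec:
        raise ValueError("not a DKIM1 record with a p= tag")
    if rec.get("k", "rsa") not in ("rsa", "ed25519"):
        raise ValueError(f"unsupported key type {rec['k']!r}")
    if rec["p"] == "":
        raise ValueError("key revoked (empty p=)")
    return rec["p"]

def org_domain(domain: str) -> str:
    """Assumption for this example: organizational domain = last two labels
    (real DMARC verifiers use the Public Suffix List instead)."""
    return ".".join(domain.lower().split(".")[-2:])

def dkim_aligned(sig_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC DKIM alignment: strict ('s') needs d= to equal the From domain,
    relaxed ('r', the default) accepts the same organizational domain."""
    if mode == "s":
        return sig_domain.lower() == from_domain.lower()
    return org_domain(sig_domain) == org_domain(from_domain)
```

Run against a real message by pasting the DKIM-Signature header into parse_tags and the TXT record returned for dns_name_for into check_key_record; a shared ESP signature shows up as a d= value outside your organizational domain, which is exactly the case where dkim_aligned returns False.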
Views from the trenches
Best practices
Always use a custom DKIM signature for your sending domains to gain full control over your email reputation.
Segment your email streams and use different DKIM selectors or keys for different types of emails to isolate reputation.
Regularly rotate your DKIM keys as part of your security protocols, ensuring a smooth transition period.
Common pitfalls
Relying solely on shared DKIM signatures provided by your ESP, which can expose your deliverability to others' sending habits.
Not segmenting your email streams with different DKIM signatures, risking a single reputation pool for all emails.
Failing to rotate DKIM keys, which extends the period during which a compromised private key remains valid for signing mail as your domain.
Expert tips
For large organizations, managing multiple DKIM selectors across various sending platforms can become complex, but it is crucial for detailed reputation management.
If you are experiencing deliverability issues, checking your DKIM record for proper configuration and alignment is often one of the first troubleshooting steps.
Many email providers now mandate DMARC, which relies heavily on SPF and DKIM authentication. A robust DKIM setup is essential for DMARC compliance.
Expert view
Expert from Email Geeks says a custom DKIM signature is an email authentication mechanism that allows a sender to apply a digital signature to an email and associate that signature with a domain name.
2020-10-07 - Email Geeks
Expert view
Expert from Email Geeks says this mechanism uses asymmetric (public/private key) cryptography where the public key for verifying is stored in the DNS, and the private key which signs is kept with the sender.
2020-10-07 - Email Geeks
The path to better email authentication
In the world of email, where trust and authentication are paramount, a custom DKIM signature is not just a technical detail, but a fundamental building block for strong email deliverability and brand protection. It gives you direct control over your email's authenticity, ensuring that receiving servers recognize your messages as legitimate and from your domain.
By understanding how custom DKIM works, embracing its benefits, and adhering to best practices in implementation and management, you can significantly improve your chances of reaching the inbox. This proactive approach to email authentication minimizes the risk of your emails being flagged as spam or falling prey to spoofing attempts, ultimately strengthening your communication channels and fostering greater recipient trust.