The basics
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication standard defined in RFC 6376. It lets a sending mail server cryptographically sign outgoing messages using a private key, while the corresponding public key is published in DNS as a TXT record. Receiving mail servers can then verify the signature to confirm that the message was signed by a key under the signing domain's control and that the signed headers and body were not altered in transit.
Without DKIM, a receiver has no cryptographic evidence tying a message to your domain, so a forged From: header is indistinguishable from a genuine one. DKIM on its own only proves which domain signed a message; it is DMARC that requires the signing domain to align with the visible From: domain and tells receivers what to do when no aligned signature is present. DKIM is one of the three pillars of modern email authentication alongside SPF and DMARC.
Under the hood
How DKIM works
1. Key pair generation
Your mail server (or email service provider) generates a public/private RSA or Ed25519 key pair. The private key stays on the signing host and is never published.
2. DNS publication
The public key is published as a TXT record at selector._domainkey.yourdomain.com. The selector is a label you choose; it lets several keys coexist under one domain (for rotation, or one per sending service). Common values are "default", "google", "k1", or "s1".
3. Signing outgoing mail
When your mail server sends a message, it canonicalizes the body (normalizing whitespace and trailing blank lines according to the c= tag), hashes it and records the result in the bh= tag. It then canonicalizes the headers named in the h= tag, which must include From:, appends the DKIM-Signature header itself with an empty b= value, hashes that, signs the hash with the private key and places the signature in b=. The completed DKIM-Signature header is added to the message.
4. Verification by recipient
The receiving mail server reads the DKIM-Signature header, takes the domain from its d= tag and the selector from its s= tag, fetches the public key from s._domainkey.d, recomputes both hashes over the message as received and checks the signature. A passing check confirms that the signing domain vouched for the message and that the signed headers and body were not modified in transit; it says nothing about headers the signer left out of h=.
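The four steps above, worked end to end in Go as an added example (it is not code from this page and not any mail server's implementation; the standard library is enough). It signs a constructed three-header message with rsa-sha256 using relaxed header and simple body canonicalization (c=relaxed/simple, a common choice), then plays the receiver: it recomputes bh=, rebuilds the header hash with the b= value blanked, and checks the signature. The DNS lookup is left out (the key is handed to Verify directly), and each signed header is assumed to appear once in the message; example.com, selector s1 and the message text are made up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Header is one RFC 5322 header field; the h= tag lists the signed fields in hashing order.
type Header struct{ Name, Value string }

var wsp = regexp.MustCompile(`[ \t]+`)
var bTag = regexp.MustCompile(`(^|;)\s*b=[^;]*`) // the b= tag inside a DKIM-Signature value

// relaxedHeader: "relaxed" header canonicalization (RFC 6376 3.4.2): lowercase name, unfold, collapse WSP, trim.
func relaxedHeader(h Header) string {
	v := strings.ReplaceAll(h.Value, "\r\n", "")
	v = strings.TrimSpace(wsp.ReplaceAllString(v, " "))
	return strings.ToLower(h.Name) + ":" + v + "\r\n"
}

// simpleBody: "simple" body canonicalization (RFC 6376 3.4.3): drop trailing empty lines, end with one CRLF.
func simpleBody(body string) string { return strings.TrimRight(body, "\r\n") + "\r\n" }

// headerHashInput is the data the signature covers: the signed fields in h= order, then the
// DKIM-Signature field itself with an empty b= and no trailing CRLF. Assumes each field occurs once.
func headerHashInput(hdrs []Header, names []string, sigValue string) []byte {
	var sb strings.Builder
	for _, n := range names {
		for _, h := range hdrs {
			if strings.EqualFold(h.Name, n) {
				sb.WriteString(relaxedHeader(h))
				break
			}
		}
	}
	sb.WriteString(strings.TrimSuffix(relaxedHeader(Header{"DKIM-Signature", sigValue}), "\r\n"))
	return []byte(sb.String())
}

// Sign returns the value of the DKIM-Signature header to prepend to the message.
func Sign(priv *rsa.PrivateKey, domain, selector string, hdrs []Header, names []string, body string) (string, error) {
	bh := sha256.Sum256([]byte(simpleBody(body))) // the body hash that goes into bh=
	unsigned := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=", domain, selector, strings.Join(names, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	hh := sha256.Sum256(headerHashInput(hdrs, names, unsigned))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hh[:])
	if err != nil {
		return "", err
	}
	return unsigned + base64.StdEncoding.EncodeToString(sig), nil
}

// parseTags splits a "tag=value; tag=value" list into a map.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// Verify is the receiver's side once it holds the key from <s>._domainkey.<d>; nil means PASS.
func Verify(pub *rsa.PublicKey, sigValue string, hdrs []Header, body string) error {
	tags := parseTags(sigValue)
	bh := sha256.Sum256([]byte(simpleBody(body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: the body was modified")
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return fmt.Errorf("bad b= tag: %w", err)
	}
	// Rebuild the header hash over the signature field with its b= value blanked, as the signer did.
	hh := sha256.Sum256(headerHashInput(hdrs, strings.Split(tags["h"], ":"), bTag.ReplaceAllString(sigValue, "${1} b=")))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, hh[:], sig) != nil {
		return fmt.Errorf("signature mismatch: a signed header was modified or the key is wrong")
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // step 1: the private half of selector s1
	hdrs := []Header{{"From", "Alice <alice@example.com>"}, {"To", "bob@example.net"}, {"Subject", "Quarterly report"}}
	body := "Please see the attached figures.\r\n" // constructed sample message
	sig, _ := Sign(priv, "example.com", "s1", hdrs, []string{"from", "to", "subject"}, body) // step 3
	fmt.Println("DKIM-Signature:", sig)
	// Step 4: a real receiver would fetch &priv.PublicKey from s1._domainkey.example.com.
	fmt.Println("unchanged:", Verify(&priv.PublicKey, sig, hdrs, body))
	fmt.Println("footer appended:", Verify(&priv.PublicKey, sig, hdrs, body+"-- list footer\r\n"))
	hdrs[2].Value = "[list] Quarterly report"
	fmt.Println("subject rewritten:", Verify(&priv.PublicKey, sig, hdrs, body))
}
```

Running it prints the signature header and then the two failure modes the troubleshooting section describes: a mailing-list footer breaks the body hash, and a rewritten Subject: breaks the header signature even though the body is intact. Extra trailing blank lines, by contrast, still pass, because simple body canonicalization strips them before hashing.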
Configuration guide
How to set up a DKIM record
The exact steps depend on your mail server or email service provider, but the general process is the same everywhere.
Generate your keys
Most hosted email providers (Google Workspace, Microsoft 365, Mailchimp, SendGrid, Postmark, etc.) generate the key pair for you and show you the TXT record to publish; the private key never leaves the provider. Self-hosted setups using Postfix + OpenDKIM generate the pair with opendkim-genkey, which writes the private key to a file the signer reads and a companion .txt file containing the record to publish. Use a 2048-bit RSA key unless you have a specific reason not to.
Publish the TXT record
In your DNS provider's control panel, add a TXT record at selector._domainkey.yourdomain.com with the value provided. The value starts with "v=DKIM1;" and contains the base64-encoded public key in the p= tag. A 2048-bit key makes the record longer than the 255-byte limit on a single TXT character-string; most control panels split it automatically, but in a zone file you must write it as several quoted strings, which resolvers concatenate.
Wait for propagation
DNS changes can take up to 48 hours to propagate globally, though they are usually visible within minutes. If the name was queried before the record existed, the negative answer can stay cached for the zone's negative TTL, so a resolver that once returned nothing may keep doing so for a while. Use this tool to verify the record is live.
Test by sending an email
Send a test message to a Gmail address, open "Show original" and check the authentication summary for "DKIM: 'PASS' with domain yourdomain.com". Receivers that add an Authentication-Results header (RFC 8601) record the same verdict as dkim=pass, so the raw headers work for any mailbox. Tools like mail-tester.com or Google's Check MX can also validate end-to-end signing.
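The generate and publish steps above, carried out in Go as an added example (not code from this page, from OpenDKIM or from any provider). It generates the same kind of pair opendkim-genkey would, keeps the private half as a PEM file for the signer, builds the v=DKIM1 record from the public half, and splits that record into the 255-byte character-strings a TXT record is made of, which is the detail most often missed when a 2048-bit key is pasted into a zone file. The domain example.com and selector s1 are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"os"
)

// BuildRecord returns the TXT value to publish for an RSA key: the public half,
// DER-encoded as a SubjectPublicKeyInfo and base64'd into the p= tag.
func BuildRecord(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

// SplitTXT cuts the record into the character-strings one TXT RR is made of.
// Each is limited to 255 bytes, and a 2048-bit key yields a ~410-character
// record, so it has to be published as several strings; resolvers and DKIM
// verifiers concatenate them. Many control panels do this split for you;
// in a zone file it must be written out explicitly.
func SplitTXT(record string) []string {
	var parts []string
	for len(record) > 255 {
		parts = append(parts, record[:255])
		record = record[255:]
	}
	return append(parts, record)
}

// ZoneLine renders the record as a BIND zone-file RR for the selector.
func ZoneLine(selector, domain, record string) string {
	line := fmt.Sprintf("%s._domainkey.%s. IN TXT (", selector, domain)
	for _, s := range SplitTXT(record) {
		line += fmt.Sprintf(" %q", s)
	}
	return line + " )"
}

func main() {
	// Step 1: generate the pair. 2048 bits is the recommended minimum (RFC 8301).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// The private half stays on the signing host; opendkim-genkey would write it to s1.private.
	pem.Encode(os.Stdout, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	// Step 2: the public half becomes the TXT record at s1._domainkey.example.com (placeholder names).
	rec, _ := BuildRecord(&priv.PublicKey)
	fmt.Println(ZoneLine("s1", "example.com", rec))
}
```

ZoneLine prints the record in BIND's multi-string form. Control panels that take a single value usually accept BuildRecord's output unsplit and chunk it themselves; either way, compare the published answer with BuildRecord's output afterwards, because a record that comes back shorter cannot be decoded and every signature under that selector will fail.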
Reference
DKIM record format
A DKIM public key TXT record is a semicolon-delimited list of tag=value pairs published at selector._domainkey.domain:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
| Tag | Required | Description |
|---|---|---|
| v= | Required | Version — always DKIM1 |
| k= | Optional | Key type — rsa (default) or ed25519 |
| p= | Required | Base64-encoded public key data: for k=rsa a DER-encoded SubjectPublicKeyInfo, for k=ed25519 the raw 32-byte key (RFC 8463). An empty value means the key has been revoked |
| t= | Optional | Flags, colon-separated: s = the i= identity must be exactly the d= domain (no subdomains), y = testing mode |
| h= | Optional | Acceptable hash algorithms, e.g. sha256 |
| s= | Optional | Service type: * = any, email = email only |
| n= | Optional | Human-readable notes (ignored by verifiers) |
Troubleshooting
Common DKIM issues
Record not found
Double-check the selector name. Your email provider will tell you the exact selector to use — common values are "default", "google", "s1", "k1", or a date-based string like "20230601".
DKIM signature fails verification
This usually means the email body or headers were modified after signing (a mailing list that adds a footer or a subject-line tag, or a forwarding service that rewrites the body). Unlike SPF, plain forwarding that leaves the signed headers and body untouched does not break DKIM. It can also indicate a mismatch between the selector the signer uses (the s= tag) and the record published in DNS, typically after a key rotation that updated one side but not the other.
Key too short (< 1024 bit)
Short RSA keys are considered insecure. RFC 8301 requires signers to use at least 1024 bits, recommends 2048, and retires rsa-sha1 in favour of rsa-sha256. Generate a new 2048-bit or 4096-bit key pair and publish it under a new selector, switch the signer to that selector, and remove the old record only once mail signed with the old key has stopped arriving; replacing the record in place invalidates messages still in transit. Many providers now enforce a 1024-bit minimum.
t=y flag (testing mode) is set
The t=y flag tells receivers that the domain is testing DKIM: a message whose signature fails verification must be treated exactly like unsigned mail, so the signature earns you nothing while the flag is set. Remove this flag in production.
Multiple DKIM records for the same selector
Each selector must have exactly one TXT record. If several TXT records exist at the same name, the outcome is implementation-defined: RFC 6376 lets a verifier pick one or try each in turn, so some receivers will pass and others fail. Consolidate them into one.
DMARC fails despite DKIM passing
For DMARC alignment, the domain in the DKIM d= tag must match the RFC 5322 From: domain. In relaxed mode (the default, adkim=r) the two only need to share an organizational domain, so a signature from a subdomain aligns; in strict mode (adkim=s) they must be identical. A signature from a third-party sender that signs with its own d= passes DKIM but does not align, which is why such providers ask you to publish their key under your own domain. Check that your signing configuration uses the correct d= value.
Key types
RSA vs Ed25519 for DKIM
DKIM supports two key types. RSA has been the standard since the protocol was published, while Ed25519 is a newer option defined in RFC 8463 (2018); it uses a=ed25519-sha256 in the signature and k=ed25519 in the DNS record, where p= holds the raw 32-byte key rather than a SubjectPublicKeyInfo.
RSA
+Universal support across all mail servers
+Recommended minimum: 2048-bit (RFC 8301)
−Larger DNS record and signature: a 2048-bit key needs a TXT value of roughly 400 characters
−Needs far more bits for the same security level (2048-bit RSA is roughly 112-bit security)
Ed25519
+Much smaller key and signature (a 44-character p= value and a 64-byte signature)
+About 128-bit security from a 256-bit key, comparable to 3072-bit RSA
+Faster to sign and verify
−Not yet supported by all receivers; a verifier that does not recognise a=ed25519-sha256 ignores that signature
−Should be paired with an RSA signature: sign each message twice, under two selectors, so every receiver finds a signature it can verify
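An added example in Go (not this page's checker, and not code from any DKIM implementation) that lints what a resolver returns for selector._domainkey.domain against the troubleshooting items above: several records at one selector, a missing or wrong v=, t=y, a revoked (empty) p=, undecodable key data and RSA key length, together with the raw-key format RFC 8463 specifies for Ed25519, which is where the two key types compared above differ at the DNS level. The records it checks are constructed in main; the DNS query itself is left out so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// KeyInfo is what a lookup tool reports about one published DKIM key record.
type KeyInfo struct {
	KeyType string // "rsa" (the default when k= is absent) or "ed25519"
	Bits    int
	Testing bool // t=y
}

// parseTags splits a "tag=value; tag=value" list into a map.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// LintSelector takes every TXT RR found at <selector>._domainkey.<domain> (character-strings
// already concatenated) and checks them the way a lookup tool would: the parsed key, non-fatal
// warnings, and an error when there is no usable key.
func LintSelector(rrs []string) (KeyInfo, []string, error) {
	info := KeyInfo{KeyType: "rsa"}
	if len(rrs) != 1 {
		return info, nil, fmt.Errorf("expected exactly one TXT record, found %d (verifier behaviour is implementation-defined)", len(rrs))
	}
	tags := parseTags(rrs[0])
	if tags["v"] != "DKIM1" {
		return info, nil, fmt.Errorf("missing or wrong v= tag (must be v=DKIM1)")
	}
	if k, ok := tags["k"]; ok {
		info.KeyType = k
	}
	var warns []string
	if info.Testing = strings.Contains(tags["t"], "y"); info.Testing {
		warns = append(warns, "t=y: verifiers treat a failing signature like unsigned mail; remove in production")
	}
	p, ok := tags["p"]
	if !ok {
		return info, warns, fmt.Errorf("missing p= tag")
	}
	if p == "" { // RFC 6376: an empty p= means the key has been revoked
		return info, warns, fmt.Errorf("empty p= tag: this key is revoked")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.ReplaceAll(p, " ", ""))
	if err != nil {
		return info, warns, fmt.Errorf("p= is not valid base64: %w", err)
	}
	switch info.KeyType {
	case "rsa": // p= is a DER-encoded SubjectPublicKeyInfo
		pub, err := x509.ParsePKIXPublicKey(raw)
		rsaPub, ok := pub.(*rsa.PublicKey)
		if err != nil || !ok {
			return info, warns, fmt.Errorf("k=rsa but p= is not an RSA SubjectPublicKeyInfo: %v", err)
		}
		info.Bits = rsaPub.N.BitLen()
		if info.Bits < 1024 {
			warns = append(warns, fmt.Sprintf("%d-bit RSA key: below the 1024-bit minimum of RFC 8301; rotate to 2048", info.Bits))
		} else if info.Bits < 2048 {
			warns = append(warns, fmt.Sprintf("%d-bit RSA key: still accepted, but 2048 bits is the recommended minimum", info.Bits))
		}
	case "ed25519": // RFC 8463: p= is the raw 32-byte public key, not a SubjectPublicKeyInfo
		if len(raw) != ed25519.PublicKeySize {
			return info, warns, fmt.Errorf("ed25519 p= must be the raw 32-byte key, got %d bytes", len(raw))
		}
		info.Bits = 256
	default:
		return info, warns, fmt.Errorf("unknown key type k=%q", info.KeyType)
	}
	return info, warns, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 1024) // constructed: a legacy-sized RSA key
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	edPub, _, _ := ed25519.GenerateKey(rand.Reader)
	records := []string{ // constructed: t=y with 1024-bit RSA; ed25519 raw key; revoked key
		"v=DKIM1; k=rsa; t=y; p=" + base64.StdEncoding.EncodeToString(der),
		"v=DKIM1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(edPub),
		"v=DKIM1; k=rsa; p=",
	}
	for _, rrs := range [][]string{{records[0]}, {records[1]}, {records[2]}, records[:2]} {
		info, warns, err := LintSelector(rrs)
		fmt.Printf("%+v warnings=%q err=%v\n", info, warns, err)
	}
}
```

Two things the check makes concrete: the DNS record is the only place where the two key types differ in shape (a SubjectPublicKeyInfo against 32 raw bytes, so an Ed25519 key pasted in PKIX form is rejected outright), and the length of an RSA key is only discoverable by decoding p=, which is why a lint like this belongs in any key-rotation procedure.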