What is DKIM?

DKIM is an email authentication method that lets receiving servers cryptographically verify that selected parts of an email message were not tampered with or spoofed in transit. For example, it helps ensure the sender address(es) were not spoofed. DKIM stands for DomainKeys Identified Mail.

When combined with SPF and DMARC, DKIM plays a critical role in preventing email spoofing.

How does it work?

When you send an email message, your email server adds a "DKIM-Signature" header to the message. It uses a "private key" to create this digital signature over header fields of its choosing (the "From" header is required to be signed). This private key is never shared with recipients.

Recipient email servers use the "public key" published in your domain's DNS records to verify that the signature is valid and that the signed fields haven't been tampered with. If it is, DKIM validation passes for your message. Otherwise it fails, and your DMARC policy should instruct the recipient email server what to do with the message.

The "DKIM-Signature" header is not visible to normal users. You can see it if you inspect the email message source (just like you can inspect the source code of a website). It's a header used by email servers along the delivery path to cryptographically validate the integrity of the message.

Example DKIM Record

Your DKIM record is placed in your domain's DNS. It consists essentially of the public key that receiving email servers use to cryptographically validate the DKIM signature on email messages that claim to be from your domain. Here is an example of a DKIM record:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApJu1UQtmvtg8pbm5gMD0OHIbCidSW1Kq44L7ZGgnirYdqs6JOayo31AumP2KExhfdVSCDcfvcNJFXF42rtK3n0g/+92ygLLjywpOuJbRiSYjTMYqtDOk9LggEsCZCC3DLWtRM4AnpiWWk6T4KiA56tmLtpEw+PvGBJ6Iog/5Y3kO6689B4xXcLw434v76M76RXZZP51hRFHi9aLSgnjMk+hPS/DDy82J1yMqtZmg0i+MxCkgu5NJjwEYR6JP2xza2Vr/mXNdCo4YOspwGT9FWiyFDQCjiZiT6V+vdFro4UuNI8S/b/6jw9/nUV5uY1Bs1sXRgveqATGPU+x/ruU6RwIDAQAB
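
The following Go program is an added example, not code from the original page or from any mail server; it ties together the "How does it work?" section and the DKIM record above. It generates a constructed RSA key pair, signs the From and Subject headers the way a sending server would, publishes the public key in the same "v=DKIM1; k=rsa; p=..." shape shown above, and then verifies once against the genuine headers and once against a copy whose From was rewritten after signing. The domain example.com, selector sel1, the header values and the single-line canonicalization are assumptions for the demo; a real implementation follows RFC 6376 (body hash, relaxed/simple canonicalization, DNS lookup of the record at sel1._domainkey.example.com), which this program does not do.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// canonicalHeaders renders the signed headers in a fixed form both sides can reproduce
// byte for byte (lower-case name, trimmed value, CRLF); a stand-in for RFC 6376 canonicalization.
func canonicalHeaders(headers map[string]string, order []string) []byte {
	var b strings.Builder
	for _, name := range order {
		fmt.Fprintf(&b, "%s:%s\r\n", strings.ToLower(name), strings.TrimSpace(headers[name]))
	}
	return []byte(b.String())
}

// SignHeaders is the sending server's side: hash the chosen headers (From is always
// included, as DKIM requires) and sign that hash with the private key.
func SignHeaders(priv *rsa.PrivateKey, domain, selector string, headers map[string]string, extra []string) (string, error) {
	order := append([]string{"From"}, extra...)
	digest := sha256.Sum256(canonicalHeaders(headers, order))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; h=%s; b=%s",
		domain, selector, strings.Join(order, ":"), base64.StdEncoding.EncodeToString(sig)), nil
}

// DKIMRecord builds the TXT value published at <selector>._domainkey.<domain>.
func DKIMRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// parseTags splits "tag=value; tag=value" lists (used by both the DNS record and the
// signature header). Only the first '=' separates tag from value, so base64 padding survives.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// VerifyHeaders is the receiving server's side: take the public key from the DKIM record,
// rehash the h= headers as they arrived, and check the b= signature against that hash.
func VerifyHeaders(record, sigHeader string, headers map[string]string) error {
	rec := parseTags(record)
	der, err := base64.StdEncoding.DecodeString(rec["p"])
	if err != nil {
		return fmt.Errorf("bad p= in DKIM record: %w", err)
	}
	pubAny, err := x509.ParsePKIXPublicKey(der)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok || rec["v"] != "DKIM1" || rec["k"] != "rsa" {
		return errors.New("DKIM record is not a usable v=DKIM1 RSA key")
	}
	sig := parseTags(sigHeader)
	b, err := base64.StdEncoding.DecodeString(sig["b"])
	if err != nil {
		return fmt.Errorf("bad b= in DKIM-Signature: %w", err)
	}
	digest := sha256.Sum256(canonicalHeaders(headers, strings.Split(sig["h"], ":")))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], b)
}

// Demo runs the round trip on constructed headers: a genuine message and a copy whose
// From header was rewritten after signing, the spoofing case DKIM is meant to catch.
func Demo() (genuineOK, spoofedOK bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed key; a real one never leaves the mail server
	if err != nil {
		panic(err)
	}
	msg := map[string]string{"From": "alerts@example.com", "To": "someone@example.net", "Subject": "Quarterly report"} // constructed
	sigHeader, err := SignHeaders(priv, "example.com", "sel1", msg, []string{"Subject"})
	if err != nil {
		panic(err)
	}
	record := DKIMRecord(&priv.PublicKey) // what a TXT lookup of sel1._domainkey.example.com would return
	genuineOK = VerifyHeaders(record, sigHeader, msg) == nil
	spoofed := map[string]string{"From": "ceo@example.com", "To": msg["To"], "Subject": msg["Subject"]}
	spoofedOK = VerifyHeaders(record, sigHeader, spoofed) == nil
	return genuineOK, spoofedOK
}

func main() {
	genuine, spoofed := Demo()
	fmt.Println("genuine passes:", genuine, "- spoofed From passes:", spoofed)
}
```

Note how the receiver never needs the private key: the d= and s= tags in the signature tell it which DNS name to query, and everything else it needs is the public key in p= and the headers as they arrived. Because the From header is always covered by the hash, changing it after signing makes the recomputed hash differ and the signature check fail, which is the result your DMARC policy then acts on.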