What is DKIM?

DKIM (DomainKeys Identified Mail) is like a digital signature for emails. It helps verify that an email actually came from the sender it claims to be from, making it harder for spammers to fake emails and enhancing email security.


DKIM, or DomainKeys Identified Mail, is an email authentication method that uses cryptographic techniques to verify the authenticity of an email's sender domain. It adds a digital signature to the email header, generated using a private key unique to the sending domain. Recipient servers can then use the public key published in the sending domain's DNS records to verify the signature. If the signature is valid, it confirms that the email originated from the claimed sender domain and hasn't been tampered with during transit. DomainKeys Identified Mail helps prevent email spoofing and phishing attacks by providing a mechanism for recipients to verify the legitimacy of incoming emails.

Examples of DKIM DNS records

DKIM public key record (TXT record)

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcZvJMr90P4U2mti8RQfI9RfA/6zQr1P6pE3L5LzF9uI2p4ZsPQ9bRYKCdDKrFoA2ZvN+r3xY4tUCdGn0n1K3wH86xKYdP9ySKyJzgZ7sGsMxqyr3b0LEOhYtJf06dPFz2xN/YmPc/diD5T6I5gafCCxI+B0XUcIvX/7/BsyviJz9wIDAQAB

Selector record (TXT record)

default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcZvJMr90P4U2mti8RQfI9RfA/6zQr1P6pE3L5LzF9uI2p4ZsPQ9bRYKCdDKrFoA2ZvN+r3xY4tUCdGn0n1K3wH86xKYdP9ySKyJzgZ7sGsMxqyr3b0LEOhYtJf06dPFz2xN/YmPc/diD5T6I5gafCCxI+B0XUcIvX/7/BsyviJz9wIDAQAB"

DKIM policy record (TXT record)

_policy._domainkey.example.com. IN TXT "v=DKIM1; p=reject"

These records include the public key used to verify DKIM signatures, the selector record indicating the location of the public key, and the DKIM policy record specifying the action to take if DKIM verification fails (in this case, 'reject'). These records are typically published in the DNS (Domain Name System) settings of the sending domain.
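As an added example (not part of the original page), the Python below shows how a verifier or an auditor locates and checks a key record of the kind shown above: it builds the `<selector>._domainkey.<domain>` query name from a signature header's `s=` and `d=` tags, parses the TXT record's tag list, and reads the RSA modulus size out of the `p=` value. The function names, the 2048-bit threshold, and the sample header and key (a filler modulus, not a real key) are assumptions made for the example; no DNS lookup is performed.

```python
import base64

def parse_tags(record):
    """Split a DKIM tag=value list (key record or DKIM-Signature) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def key_query_name(dkim_signature):
    """DNS name holding the public key: <s= selector>._domainkey.<d= domain>."""
    t = parse_tags(dkim_signature)
    return f"{t['s']}._domainkey.{t['d']}"

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    _, start, _ = _tlv(der, 0)                   # outer SEQUENCE
    _, _, alg_end = _tlv(der, start)             # AlgorithmIdentifier, skipped
    _, bits_start, _ = _tlv(der, alg_end)        # BIT STRING wrapping the key
    _, seq_start, _ = _tlv(der, bits_start + 1)  # +1 skips the unused-bits byte
    _, n_start, n_end = _tlv(der, seq_start)     # first INTEGER is the modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def lint_key_record(txt):
    """Return a list of findings for one DKIM key TXT record (empty list = clean)."""
    t = parse_tags(txt)
    if t.get("k", "rsa") != "rsa":
        return ["non-RSA key, size check skipped"]
    if not t.get("p"):
        return ["empty p=: key revoked or missing"]
    try:
        bits = rsa_bits(base64.b64decode(t["p"], validate=True))
    except (ValueError, IndexError):
        return ["p= is not a parseable RSA key"]
    return [f"RSA key is {bits} bits; 2048 or more is recommended"] if bits < 2048 else []

# Constructed sample data: 1024-bit key structure with a filler modulus, placeholder b=/bh=.
SAMPLE_DER = (bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100")
              + b"\xc3" * 128 + bytes.fromhex("0203010001"))
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_DER).decode()
SAMPLE_HEADER = "v=1; a=rsa-sha256; d=example.com; s=default; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER"
```

Calling `key_query_name(SAMPLE_HEADER)` gives the name to query, and `lint_key_record(SAMPLE_RECORD)` returns the findings for the TXT value fetched from that name.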

