DKIM Signatures: How They Work and Why They Matter
Learn what DKIM is, how DKIM signatures verify email, what selectors and public keys do, and how to fix common DKIM configuration problems.
Introduction
DKIM, or DomainKeys Identified Mail, adds a cryptographic signature to outgoing email. Receiving mail servers can use this signature to check whether the message was authorized by the sending domain and whether important parts of the message were changed after signing.
DKIM is usually configured by your email provider. The provider signs outgoing mail with a private key, while your DNS zone publishes the matching public key as a TXT record. If the DNS record is missing, wrong or published under the wrong selector, DKIM verification can fail.
Quick answer
DKIM adds a digital signature to outgoing email. The sending provider signs the message with a private key, and receivers verify it using a public key published in DNS. A working DKIM setup helps prove that email was authorized by the domain and was not modified after signing.
What is DKIM?
DKIM stands for DomainKeys Identified Mail. It is an email authentication method that uses cryptographic signatures to verify outgoing email.
A DKIM setup has two main parts:
Private key
Kept by the sending mail provider and used to sign outgoing messages.
Public key
Published in DNS as a TXT record so receiving servers can verify the signature.
Domain owners usually do not manually handle the private key. The email provider generates and manages it.
How DKIM works
- Your email provider creates a DKIM signature when sending a message.
- The signature is added to the email headers.
- The signature includes a selector and signing domain.
- The receiving server looks up the public key in DNS.
- The receiver verifies whether the signature matches the message.
- DKIM returns a result such as pass, fail or none.
If the message changes after signing, DKIM can fail because the signature no longer matches.
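Why a changed message fails, shown as an added example that is not part of the original guide: it recomputes the body hash that a DKIM signature carries in its bh= tag, using the "simple" and "relaxed" body canonicalization rules from RFC 6376, a detail that goes beyond what this guide covers. The message bodies and function names are constructed for illustration, and only the body hash is modelled, not the header signature.

```python
import base64
import hashlib
import re

# Constructed message bodies (CRLF line endings, as on the wire).
SIGNED = b"Hello team,\r\n\r\nInvoice attached.\r\n"
REWRAPPED = b"Hello  team,   \r\n\r\nInvoice attached.\r\n\r\n\r\n"  # whitespace-only changes
FOOTER_ADDED = SIGNED + b"-- \r\nSent via list.example.org\r\n"  # content added in transit


def canonicalize_body(body, mode="relaxed"):
    """Apply RFC 6376 body canonicalization ('simple' or 'relaxed')."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at the end of each line.
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    elif mode != "simple":
        raise ValueError("mode must be 'simple' or 'relaxed'")
    while lines and lines[-1] == b"":  # empty lines at the end of the body are ignored
        lines.pop()
    canon = b"".join(line + b"\r\n" for line in lines)
    return canon or (b"\r\n" if mode == "simple" else b"")


def body_hash(body, mode="relaxed"):
    """Value a signer would place in bh= when a=rsa-sha256."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def survives(original, received, mode):
    """True if the receiver's recomputed body hash still equals the signed one."""
    return body_hash(original, mode) == body_hash(received, mode)


if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, survives(SIGNED, REWRAPPED, mode), survives(SIGNED, FOOTER_ADDED, mode))
```

Whitespace-only rewrapping survives relaxed canonicalization but not simple, while an added footer breaks the hash in both modes.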
DKIM selector
A DKIM selector is a label used to find the correct DKIM public key in DNS. It lets a domain have more than one DKIM key at the same time.
Example selector: default
Resulting DNS hostname: default._domainkey.example.com
Other common selectors may look like: google, selector1, selector2, k1, mail, s1.
The selector must match the one used by the email provider. If the selector is wrong, receivers will not find the correct DKIM key.
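To find out which selector a provider is really using, read it from the DKIM-Signature header of a message it sent. The following added example (not code from the original guide) parses a constructed header, checks the tags a verifier needs, and derives the DNS name where the public key must be published. The header values and function names are assumptions made for illustration.

```python
import re

# Constructed sample header, folded across lines as in real mail; bh= and b= are placeholders.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=selector1; h=from:to:subject:date;\r\n"
    "\tbh=PLACEHOLDER_BODY_HASH=;\r\n"
    "\tb=PLACEHOLDER\r\n"
    "\t SIGNATURE=="
)

REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")  # required by RFC 6376


def parse_dkim_signature(header):
    """Return the tag=value pairs of one DKIM-Signature header as a dict."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[key.strip()] = val.strip()
    # Base64 tags may contain folding whitespace; remove it.
    for key in ("b", "bh"):
        if key in tags:
            tags[key] = re.sub(r"\s+", "", tags[key])
    return tags


def key_lookup_name(tags):
    """Build the DNS name a receiver queries (TXT) for the public key."""
    missing = [t for t in REQUIRED_TAGS if not tags.get(t)]
    if missing:
        raise ValueError("missing required tags: " + ", ".join(missing))
    signed = [h.strip().lower() for h in tags["h"].split(":")]
    if "from" not in signed:
        raise ValueError("From header is not covered by the signature")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


if __name__ == "__main__":
    print(key_lookup_name(parse_dkim_signature(SAMPLE_HEADER)))
```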
DKIM DNS example
Host: default._domainkey.example.com
Type: TXT
Value: v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE
- v=DKIM1 identifies the record as DKIM.
- k=rsa describes the key type.
- p= contains the public key.
- The real public key is usually much longer than the example.
Do not copy this example into production. Use the DKIM record generated by your email provider.
Example hostnames for other selectors:
google._domainkey.example.com
selector1._domainkey.example.com
selector2._domainkey.example.com
Example lookups with dig:
dig default._domainkey.example.com TXT
dig google._domainkey.example.com TXT
dig selector1._domainkey.example.com TXT
These examples are illustrative. Use the exact selector and TXT value generated by your email provider.
Why this matters
DKIM matters because it helps receiving mail servers verify that an email was authorized by the sending domain and was not altered after signing. It is especially important for DMARC because a DKIM pass with alignment can help messages pass DMARC even when SPF alignment fails.
DKIM does not guarantee inbox placement by itself. Reputation, SPF, DMARC, content and receiver filtering still matter.
How to check DKIM
Use DKIM Checker to verify whether the expected selector publishes a valid DKIM public key.
When checking DKIM, review
These six checks help confirm DKIM is configured correctly.
Selector
Confirm the selector given by your email provider.
DKIM hostname
Check the full hostname, such as selector._domainkey.example.com.
Public key
Confirm the TXT record contains the full public key.
DNS visibility
Make sure the record is published at the active DNS provider.
Signing status
Confirm the mail provider is actually signing outgoing messages.
DMARC alignment
Check whether DKIM aligns with the visible From domain.
Common problems
DKIM selector not found
Severity: High. The DNS record for the expected selector does not exist.
Next step: Add the DKIM TXT record exactly as provided by your email provider.
DKIM record added at wrong hostname
Severity: High. The TXT record may be published at the root domain instead of selector._domainkey.example.com.
Next step: Move the record to the correct DKIM hostname.
Public key is truncated
Severity: High. The DKIM key may be incomplete because the long TXT value was copied or saved incorrectly.
Next step: Copy the full key from the provider and verify the public DNS result.
Wrong selector used
Severity: Medium. The checker or receiver is looking for a selector different from the one your provider uses.
Next step: Confirm the active selector in your mail provider settings.
DNS provider not active
Severity: Medium. The DKIM record was added in a DNS zone that is not authoritative.
Next step: Check nameservers and add the record at the active DNS provider.
Mail provider is not signing messages
Severity: High. The DNS record exists, but outgoing mail is not being signed.
Next step: Enable DKIM signing in the email provider dashboard.
DKIM passes but DMARC fails
Severity: Medium. DKIM may pass but not align with the visible From domain.
Next step: Check DKIM domain alignment and DMARC policy.
DKIM key is too old or weak
Severity: Low. Older keys may need rotation according to provider or security policy.
Next step: Rotate DKIM keys using the provider’s supported process.
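The DNS-side problems in this list (record at the wrong hostname, truncated public key, weak key) can be checked mechanically from the published TXT value. The following is an added example, not the guide's or any provider's code: it lints one record and reads the RSA key size straight from the DER-encoded key in p=. The function names are illustrative, and the 2048-bit default is an assumed policy threshold (RFC 8301 requires at least 1024 bits and recommends 2048).

```python
import base64


def _tlv(buf, pos):
    """Read one DER element at pos; return (value, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return buf[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    spki, _ = _tlv(der, 0)         # outer SEQUENCE
    _, pos = _tlv(spki, 0)         # AlgorithmIdentifier
    bitstr, _ = _tlv(spki, pos)    # BIT STRING wrapping the RSAPublicKey
    rsa_key, _ = _tlv(bitstr, 1)   # skip the unused-bits byte
    modulus, _ = _tlv(rsa_key, 0)  # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def lint_dkim_record(hostname, txt, min_bits=2048):
    """Return the problems found in one published DKIM TXT value."""
    problems, tags = [], {}
    if "_domainkey" not in hostname.lower().split(".")[1:]:
        problems.append("record is not at selector._domainkey.domain")
    for part in txt.replace('"', "").split(";"):  # dig prints quoted chunks; join them
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(val.split())
    if tags.get("k", "rsa") != "rsa":
        return problems  # only RSA keys are inspected here
    if not tags.get("p"):
        return problems + ["p= is missing or empty, so there is no usable key"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):  # bad base64 or DER cut short
        return problems + ["public key is truncated or not valid base64/DER"]
    if bits < min_bits:  # min_bits is an assumed policy threshold
        problems.append(f"RSA key is {bits} bits, below {min_bits}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a record at the root domain whose p= was cut off early.
    print(lint_dkim_record("example.com", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"))
```

Pass it the hostname you queried and the TXT value exactly as dig printed it, including the quoted chunks that long keys are split into.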
How to fix DKIM
Step 1: Open your email provider DKIM settings
Find the DKIM setup page for Google Workspace, Microsoft 365, Zoho, hosting mail, transactional email or your mail platform.
Step 2: Get the selector and DNS record
Copy the selector and TXT value exactly as generated by the provider.
Step 3: Confirm active DNS provider
Check nameservers and make sure you add the DKIM record in the live DNS zone.
Step 4: Publish the DKIM TXT record
Add the TXT record at selector._domainkey.yourdomain.com.
Step 5: Enable DKIM signing
Some providers require you to verify the DNS record and then enable signing manually.
Step 6: Verify the selector
Use DKIM Checker to confirm the public key is visible.
Step 7: Send a test email
Check message headers or provider tools to confirm DKIM passes on real outgoing mail.
Step 8: Review DMARC alignment
Confirm DKIM uses a domain aligned with the visible From domain when possible.
DKIM and DMARC alignment
DKIM can help a message pass DMARC if the DKIM signing domain aligns with the visible From domain.
Example — visible From domain: example.com. Aligned DKIM domain: example.com or a valid subdomain depending on DMARC alignment mode.
A message can have DKIM pass but still fail DMARC if the signing domain does not align with the visible From domain.
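The alignment rule above, as an added example that is not part of the original guide: strict mode requires the DKIM d= domain to equal the From domain, while relaxed mode (the DMARC default, adkim=r) only requires the same organizational domain. The suffix set is a constructed, deliberately tiny stand-in for the Public Suffix List, and the function names and sample domains are assumptions.

```python
# Constructed, deliberately tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def organizational_domain(domain, suffixes=PUBLIC_SUFFIXES):
    """Return the public suffix plus one label, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:  # longest matching suffix is found first
            if i == 0:
                raise ValueError(f"{domain} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: assume a one-label TLD


def dkim_aligned(from_domain, dkim_d, mode="r"):
    """mode is the DMARC adkim value: 'r' (relaxed, the default) or 's' (strict)."""
    from_domain, dkim_d = from_domain.lower().rstrip("."), dkim_d.lower().rstrip(".")
    if mode == "s":
        return from_domain == dkim_d
    if mode != "r":
        raise ValueError("adkim must be 'r' or 's'")
    return organizational_domain(from_domain) == organizational_domain(dkim_d)


def dmarc_dkim_result(from_domain, signatures, mode="r"):
    """signatures: list of (d= domain, DKIM result). One aligned pass is enough."""
    for dkim_d, result in signatures:
        if result == "pass" and dkim_aligned(from_domain, dkim_d, mode):
            return "pass"
    return "fail"


if __name__ == "__main__":
    # Constructed results: a third-party sender's signature and a subdomain signature.
    sigs = [("mailer.example.net", "pass"), ("news.example.com", "pass")]
    print(dmarc_dkim_result("example.com", sigs, "r"), dmarc_dkim_result("example.com", sigs, "s"))
```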
DKIM key rotation
DKIM keys may need to be rotated over time for security or provider policy reasons. Key rotation means creating a new DKIM key, publishing the new DNS record, switching signing to the new key, and eventually removing the old key.
Do not delete old DKIM records before confirming the new selector is active and mail is signing correctly.
Frequently asked questions
What is DKIM?
DKIM is an email authentication method that adds a digital signature to outgoing mail so receivers can verify the message.
What is a DKIM selector?
A selector is a label used to find the correct DKIM public key in DNS, such as default._domainkey.example.com.
Where is the DKIM record added?
DKIM is usually added as a TXT record under selector._domainkey.yourdomain.com.
Can I have multiple DKIM selectors?
Yes. Multiple selectors can exist for different providers or during key rotation.
Does DKIM encrypt email?
No. DKIM signs email for authentication. It does not encrypt the message content.
Why does DKIM fail?
Common causes include missing DNS records, wrong selector, truncated public key, inactive DNS zone, unsigned mail or message changes after signing.
Does DKIM replace SPF or DMARC?
No. DKIM works together with SPF and DMARC as part of a complete email authentication setup.