DKIM Signatures: How They Work and Why They Matter

Learn what DKIM is, how DKIM signatures verify email, what selectors and public keys do, and how to fix common DKIM configuration problems.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 8 min read | Beginner

Introduction

DKIM, or DomainKeys Identified Mail, adds a cryptographic signature to outgoing email. Receiving mail servers can use this signature to check whether the message was authorized by the sending domain and whether important parts of the message were changed after signing.

DKIM is usually configured by your email provider. The provider signs outgoing mail with a private key, while your DNS zone publishes the matching public key as a TXT record. If the DNS record is missing, wrong or published under the wrong selector, DKIM verification can fail.

Quick answer

DKIM adds a digital signature to outgoing email. The sending provider signs the message with a private key, and receivers verify it using a public key published in DNS. A working DKIM setup helps prove that email was authorized by the domain and was not modified after signing.

What is DKIM?

DKIM stands for DomainKeys Identified Mail. It is an email authentication method that uses cryptographic signatures to verify outgoing email.

A DKIM setup has two main parts:

Private key

Kept by the sending mail provider and used to sign outgoing messages.

Public key

Published in DNS as a TXT record so receiving servers can verify the signature.

Domain owners usually do not manually handle the private key. The email provider generates and manages it.

How DKIM works

  1. Your email provider creates a DKIM signature when sending a message.
  2. The signature is added to the email headers.
  3. The signature includes a selector and signing domain.
  4. The receiving server looks up the public key in DNS.
  5. The receiver verifies whether the signature matches the message.
  6. DKIM returns a result such as pass, fail or none.

If the message changes after signing, DKIM can fail because the signature no longer matches.

DKIM selector

A DKIM selector is a label used to find the correct DKIM public key in DNS. It lets a domain have more than one DKIM key at the same time.

Example selector: default
Example DKIM hostname: default._domainkey.example.com

Other common selectors may look like: google, selector1, selector2, k1, mail, s1.

The selector must match the one used by the email provider. If the selector is wrong, receivers will not find the correct DKIM key.

DKIM DNS example

Host: default._domainkey.example.com
Type: TXT
Value: v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE

  • v=DKIM1 identifies the record as DKIM.
  • k=rsa describes the key type.
  • p= contains the public key.
  • The real public key is usually much longer than the example.

Do not copy this example into production. Use the DKIM record generated by your email provider.

Google-style selector example: google._domainkey.example.com

Microsoft-style selector examples:
selector1._domainkey.example.com
selector2._domainkey.example.com

Check commands:
dig default._domainkey.example.com TXT
dig google._domainkey.example.com TXT
dig selector1._domainkey.example.com TXT

These examples are illustrative. Use the exact selector and TXT value generated by your email provider.

Why this matters

DKIM matters because it helps receiving mail servers verify that an email was authorized by the sending domain and was not altered after signing. It is especially important for DMARC because a DKIM pass with alignment can help messages pass DMARC even when SPF alignment fails.

DKIM does not guarantee inbox placement by itself. Reputation, SPF, DMARC, content and receiver filtering still matter.

How to check DKIM

Use DKIM Checker to verify whether the expected selector publishes a valid DKIM public key.

When checking DKIM, review

These six checks help confirm DKIM is configured correctly.

Selector

Confirm the selector given by your email provider.

DKIM hostname

Check the full hostname, such as selector._domainkey.example.com.

Public key

Confirm the TXT record contains the full public key.

DNS visibility

Make sure the record is published at the active DNS provider.

Signing status

Confirm the mail provider is actually signing outgoing messages.

DMARC alignment

Check whether DKIM aligns with the visible From domain.

Common problems

DKIM selector not found

High

The DNS record for the expected selector does not exist.

Next step: Add the DKIM TXT record exactly as provided by your email provider.

DKIM record added at wrong hostname

High

The TXT record may be published at the root domain instead of selector._domainkey.example.com.

Next step: Move the record to the correct DKIM hostname.

Public key is truncated

High

The DKIM key may be incomplete because the long TXT value was copied or saved incorrectly.

Next step: Copy the full key from the provider and verify the public DNS result.

Wrong selector used

Medium

The checker or receiver is looking for a selector different from the one your provider uses.

Next step: Confirm the active selector in your mail provider settings.

DNS provider not active

Medium

The DKIM record was added in a DNS zone that is not authoritative.

Next step: Check nameservers and add the record at the active DNS provider.

Mail provider is not signing messages

High

The DNS record exists, but outgoing mail is not being signed.

Next step: Enable DKIM signing in the email provider dashboard.

DKIM passes but DMARC fails

Medium

DKIM may pass but not align with the visible From domain.

Next step: Check DKIM domain alignment and DMARC policy.

DKIM key is too old or weak

Low

Older keys may need rotation according to provider or security policy.

Next step: Rotate DKIM keys using the provider’s supported process.
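
An added example (not part of the original guide or of the DKIM Checker tool) of the record checks described above, covering the wrong-hostname and truncated-key problems. The sample key is constructed filler shaped like a 2048-bit RSA key, the dig answer line is constructed, and the function names are hypothetical.

```python
import base64, binascii, re

def join_txt(dig_answer: str) -> str:
    """A long TXT value is stored as several quoted strings; verifiers concatenate them."""
    return "".join(re.findall(r'"([^"]*)"', dig_answer))

def der_total_length(der: bytes):
    """Size (header + content) that the outer DER SEQUENCE declares, or None if unreadable."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:
        return 2 + der[1]
    n = der[1] & 0x7F
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_dkim_record(txt: str) -> list:
    """Return a list of problems found in a DKIM key record (empty list = none found)."""
    tags = dict((k.strip(), v.strip()) for k, _, v in
                (part.partition("=") for part in txt.split(";")) if k.strip())
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    key_type = tags.get("k", "rsa")              # k= defaults to rsa when absent
    if key_type not in ("rsa", "ed25519"):
        problems.append("unknown key type in k=")
    if "p" not in tags:
        return problems + ["no p= tag: not a DKIM key record"]
    p = re.sub(r"\s+", "", tags["p"])
    if not p:
        return problems + ["empty p=: this key has been revoked"]
    try:
        der = base64.b64decode(p, validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64: value cut off or corrupted"]
    if key_type == "rsa":                        # RSA keys are DER SubjectPublicKeyInfo
        need = der_total_length(der)
        if need is None or len(der) < need:
            problems.append("p= decodes to an incomplete RSA key: truncated")
    return problems

# Constructed sample: 294 bytes shaped like a 2048-bit RSA key (zero filler, not a real key).
FAKE_KEY = base64.b64encode(bytes([0x30, 0x82, 0x01, 0x22]) + bytes(290)).decode()
RECORD = "v=DKIM1; k=rsa; p=" + FAKE_KEY
DIG_ANSWER = ('default._domainkey.example.com. 300 IN TXT '
              f'"{RECORD[:255]}" "{RECORD[255:]}"')
```

Saving only the first quoted string of a split TXT value is a typical way to end up with a cut-off key; the check reports it either as invalid base64 or as an incomplete key, depending on where the cut falls.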

How to fix DKIM

  1. Open your email provider DKIM settings

    Find the DKIM setup page for Google Workspace, Microsoft 365, Zoho, hosting mail, transactional email or your mail platform.

  2. Get the selector and DNS record

    Copy the selector and TXT value exactly as generated by the provider.

  3. Confirm active DNS provider

    Check nameservers and make sure you add the DKIM record in the live DNS zone.

  4. Publish the DKIM TXT record

    Add the TXT record at selector._domainkey.yourdomain.com.

  5. Enable DKIM signing

    Some providers require you to verify the DNS record and then enable signing manually.

  6. Verify the selector

    Use DKIM Checker to confirm the public key is visible.

  7. Send a test email

    Check message headers or provider tools to confirm DKIM passes on real outgoing mail.

  8. Review DMARC alignment

    Confirm DKIM uses a domain aligned with the visible From domain when possible.

DKIM and DMARC alignment

DKIM can help a message pass DMARC if the DKIM signing domain aligns with the visible From domain.

Example — visible From domain: example.com. Aligned DKIM domain: example.com or a valid subdomain depending on DMARC alignment mode.

A message can have DKIM pass but still fail DMARC if the signing domain does not align with the visible From domain.
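
Added example, not from the original guide: how a receiver decides whether any passing DKIM signature aligns with the visible From domain under relaxed and strict modes. The Authentication-Results lines are constructed, the function names are hypothetical, and PUBLIC_SUFFIXES is an assumed stand-in for the Public Suffix List that real receivers consult.

```python
import re

# Assumption: a tiny stand-in for the Public Suffix List, enough for the samples below.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain: str) -> str:
    """Organizational domain = longest matching public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(dkim_d: str, from_domain: str, mode: str = "r") -> bool:
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a, b = dkim_d.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_dkim_result(auth_results: str, from_domain: str, mode: str = "r") -> bool:
    """DKIM satisfies DMARC if any signature both passed and aligns with From."""
    sigs = re.findall(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", auth_results)
    return any(res == "pass" and aligned(d, from_domain, mode) for res, d in sigs)

# Constructed Authentication-Results values for a message with From: user@example.com
ONLY_PROVIDER = ("mx.example.org; dkim=pass header.d=mailer.example.net header.s=s1; "
                 "spf=pass smtp.mailfrom=bounce.example.net")
BOTH = ("mx.example.org; dkim=pass header.d=mailer.example.net header.s=s1; "
        "dkim=pass header.d=mail.example.com header.s=default")

if __name__ == "__main__":
    print("provider signature only:", dmarc_dkim_result(ONLY_PROVIDER, "example.com"))
    print("plus own signature, relaxed:", dmarc_dkim_result(BOTH, "example.com"))
    print("plus own signature, strict:", dmarc_dkim_result(BOTH, "example.com", "s"))
```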

DKIM key rotation

DKIM keys may need to be rotated over time for security or provider policy reasons. Key rotation means creating a new DKIM key, publishing the new DNS record, switching signing to the new key, and eventually removing the old key.

Do not delete old DKIM records before confirming the new selector is active and mail is signing correctly.

Frequently asked questions

What is DKIM?

DKIM is an email authentication method that adds a digital signature to outgoing mail so receivers can verify the message.

What is a DKIM selector?

A selector is a label used to find the correct DKIM public key in DNS, such as default._domainkey.example.com.

Where is the DKIM record added?

DKIM is usually added as a TXT record under selector._domainkey.yourdomain.com.

Can I have multiple DKIM selectors?

Yes. Multiple selectors can exist for different providers or during key rotation.

Does DKIM encrypt email?

No. DKIM signs email for authentication. It does not encrypt the message content.

Why does DKIM fail?

Common causes include missing DNS records, wrong selector, truncated public key, inactive DNS zone, unsigned mail or message changes after signing.

Does DKIM replace SPF or DMARC?

No. DKIM works together with SPF and DMARC as part of a complete email authentication setup.
