What Is DKIM
Learn what DKIM is, how email signing works, selectors, public keys in DNS, and how DKIM supports DMARC alignment.
Introduction
DKIM proves a message was authorized by the signing domain and that the signed parts of the message were not changed in transit.
DKIM works with selectors — short names that identify which public key to use. Providers often use multiple selectors for rotation.
Quick answer
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email. Receiving servers verify the signature using a public key published in DNS at selector._domainkey.yourdomain.com. Your email provider signs messages with the matching private key.
What it means
When a provider signs mail, it adds a DKIM-Signature header. Receivers look up the selector in DNS and verify the signature mathematically.
- Private key — held by mail provider, signs outgoing mail
- Public key — published in DNS as TXT or CNAME
- Selector — identifies which key (from DKIM-Signature header)
- DKIM pass — signature verified successfully
- DMARC can pass when DKIM aligns with the From domain
Where you see this:
- Google Workspace, Microsoft 365 and hosted email
- Transactional and marketing email platforms
- DMARC alignment strategies
- Anti-tampering checks by mailbox providers
default._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
Why this matters
Without DKIM, receivers place less trust in your mail, and DMARC alignment through DKIM is unavailable. Broken DNS keys or disabled signing cause authentication failures and spam filtering.
How to check it
- Enable DKIM signing in your email provider.
- Run DKIM Checker with the selector from provider docs or message headers.
- Confirm DNS record at selector._domainkey.yourdomain.com.
- Send test mail and check Authentication-Results for dkim=pass.
- Verify DMARC alignment if using DMARC policies.
Check DKIM record
Use DKIM Checker to verify the selector and public key published in DNS.
Common mistakes
Selector not found in DNS
High: DKIM-Signature references a selector with no public key published.
Next step: Publish the correct TXT or CNAME at selector._domainkey.
DKIM key copied incorrectly
High: Truncated or misquoted public key in DNS.
Next step: Republish the full key exactly as the provider shows.
Provider not signing messages
High: DKIM enabled in DNS but outbound mail is unsigned.
Next step: Turn on DKIM signing in the provider admin panel.
DKIM record at wrong hostname
High: Key published on root or wrong selector name.
Next step: Use selector._domainkey.domain format from provider.
Old DKIM key deleted too early
Medium: Key rotation removed the old selector while mail still in queue uses it.
Next step: Keep old selector until provider confirms rotation complete.
Example
selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
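The wrong-hostname and miscopied-key mistakes listed above can be caught offline before a record is published. The following is an added example, not code from this guide or from any provider: it derives the lookup name from a DKIM-Signature header and checks that the `p=` value is valid base64 whose DER length header matches the bytes present. The function names and sample values are assumptions, and the sample key is constructed filler, not a real key.

```python
import base64
import binascii

def parse_tags(value):
    """Parse a DKIM tag=value list (DKIM-Signature header or DNS TXT value)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def key_hostname(dkim_signature):
    """DNS name the receiver queries: <s>._domainkey.<d>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def der_is_complete(der):
    """True if the outer DER SEQUENCE length equals the bytes actually present."""
    if len(der) < 2 or der[0] != 0x30 or der[1] == 0x80:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form: next n bytes hold the length
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length

def check_record(txt):
    """Return a list of problems in a DKIM TXT value (DER check for RSA keys only)."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["v= is not DKIM1"]
    if "p" not in tags:
        return ["no p= tag"]
    if tags["p"] == "":
        return ["empty p= (key revoked)"]
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return ["p= is not valid base64"]
    if tags.get("k", "rsa") == "rsa" and not der_is_complete(der):
        return ["p= is truncated or corrupted"]
    return []

# Constructed sample: correct DER length header ("MIGf") over filler bytes, not a real key.
SAMPLE_P = base64.b64encode(b"\x30\x81\x9f" + bytes(159)).decode()
SAMPLE_SIG = "v=1; a=rsa-sha256; d=Example.com; s=selector1; h=from:to; bh=xx; b=yy"
```

Pass `check_record` the concatenated TXT value as a resolver returns it; a copy that still contains stray quote characters is reported as invalid base64.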
Frequently asked questions
What is a DKIM selector?
A short name in the DKIM-Signature header that tells receivers which DNS public key to use.
Is DKIM a TXT or CNAME record?
Depends on provider. Some use TXT with the public key; others use CNAME to delegate the key.
Does DKIM encrypt email?
No. DKIM signs parts of the message for authentication; it does not encrypt content.
Can forwarded mail break DKIM?
Yes. Some forwards modify content or headers, which can invalidate the signature.