What Is DKIM

Learn what DKIM is, how email signing works, selectors, public keys in DNS, and how DKIM supports DMARC alignment.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 5 min read Beginner

Introduction

DKIM proves that a message was authorized by the signing domain and that the signed parts of the message were not changed in transit.

DKIM works with selectors — short names that identify which public key to use. Providers often use multiple selectors for rotation.

Quick answer

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email. Receiving servers verify the signature using a public key published in DNS at selector._domainkey.yourdomain.com. Your email provider signs messages with the matching private key.

What it means

When a provider signs mail, it adds a DKIM-Signature header. Receivers look up the selector in DNS and verify the signature mathematically.

  • Private key — held by mail provider, signs outgoing mail
  • Public key — published in DNS as TXT or CNAME
  • Selector — identifies which key (from DKIM-Signature header)
  • DKIM pass — signature verified successfully
  • DMARC can pass when DKIM aligns with the From domain

Where you see this:

  • Google Workspace, Microsoft 365 and hosted email
  • Transactional and marketing email platforms
  • DMARC alignment strategies
  • Anti-tampering checks by mailbox providers

Example
default._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."

Why this matters

Without DKIM, receivers place less trust in your mail, and DMARC alignment through DKIM is unavailable. Broken DNS keys or disabled signing cause authentication failures and spam filtering.

How to check it

  1. Enable DKIM signing in your email provider.
  2. Run DKIM Checker with the selector from provider docs or message headers.
  3. Confirm DNS record at selector._domainkey.yourdomain.com.
  4. Send test mail and check Authentication-Results for dkim=pass.
  5. Verify DMARC alignment if using DMARC policies.
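
The checks in steps 2 to 5, sketched offline in Python as an added example (not CheckDomainHealth's code): it derives the DNS name from a DKIM-Signature header, tests a key record's p= value for truncation, and checks alignment. Function names and sample values are constructed; the TXT value is assumed to be already unquoted and joined, and relaxed alignment is simplified to a parent/child test.

```python
import base64
import binascii

def parse_tags(value):
    """Parse the 'tag=value; tag=value' lists used by DKIM-Signature and key records."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def key_record_name(dkim_signature):
    """DNS name that holds the public key: <s=>._domainkey.<d=>."""
    t = parse_tags(dkim_signature)
    return f"{t['s']}._domainkey.{t['d']}".lower()

def key_problems(txt_value):
    """Return problems found in a published key record (empty list: none found)."""
    tags = parse_tags(txt_value)
    p = tags.get("p")
    if p is None:
        return ["no p= tag"]
    if p == "":
        return ["empty p= (key revoked)"]
    try:
        der = base64.b64decode(p, validate=True)
    except binascii.Error:
        return ["p= is not valid base64 (truncated or misquoted)"]
    if tags.get("k", "rsa") != "rsa":
        return []  # the DER length check below applies to RSA keys only
    # An RSA key is a DER SEQUENCE: tag 0x30, then a length field giving the
    # number of bytes that follow. A mismatch means part of the key is missing.
    if len(der) < 2 or der[0] != 0x30:
        return ["p= does not start with a DER SEQUENCE"]
    n = der[1] & 0x7F if der[1] >= 0x80 else 0      # long-form length bytes
    body = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    if len(der) != 2 + n + body:
        return [f"key length mismatch: DER declares {2 + n + body} bytes, got {len(der)}"]
    return []

def aligned(from_domain, d_tag, strict=False):
    """DKIM alignment for DMARC. Relaxed mode is simplified here (assumption):
    a full check compares organizational domains via the Public Suffix List."""
    f, d = from_domain.lower(), d_tag.lower()
    return f == d or (not strict and (f.endswith("." + d) or d.endswith("." + f)))

# Constructed samples: the key is a structural placeholder (DER length header
# plus zero bytes), not a usable RSA key.
SAMPLE_P = base64.b64encode(b"\x30\x81\x9f" + bytes(159)).decode()
SAMPLE_SIG = "v=1; a=rsa-sha256; d=example.com; s=selector1; h=from:to; bh=...; b=..."
```

A key cut at a base64 boundary still decodes cleanly, which is why the declared DER length is compared against the decoded length instead of relying on the base64 check alone.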

Common mistakes

Selector not found in DNS

High

DKIM-Signature references a selector with no public key published.

Next step: Publish the correct TXT or CNAME at selector._domainkey.

DKIM key copied incorrectly

High

Truncated or misquoted public key in DNS.

Next step: Republish the full key exactly as the provider shows.

Provider not signing messages

High

DKIM enabled in DNS but outbound mail is unsigned.

Next step: Turn on DKIM signing in the provider admin panel.

DKIM record at wrong hostname

High

Key published on root or wrong selector name.

Next step: Use selector._domainkey.domain format from provider.

Old DKIM key deleted too early

Medium

Key rotation removed old selector while mail still in queue uses it.

Next step: Keep old selector until provider confirms rotation complete.

Example

DKIM DNS example
selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."

Frequently asked questions

What is a DKIM selector?

A short name in the DKIM-Signature header that tells receivers which DNS public key to use.

Is DKIM a TXT or CNAME record?

It depends on the provider. Some use TXT with the public key; others use CNAME to delegate the key.

Does DKIM encrypt email?

No. DKIM signs parts of the message for authentication; it does not encrypt content.

Can forwarded mail break DKIM?

Yes. Some forwards modify content or headers, which can invalidate the signature.
