What is DKIM? How it works and how to set it up

Published on July 3, 2026 8 min read

DKIM adds a digital signature to your outgoing email. Learn what DKIM is, how it works, how to set it up and how it fits with SPF and DMARC.

DKIM adds a digital signature to your outgoing email. Receiving mail servers use that signature to check whether a message genuinely comes from your domain and has not been altered along the way. This article explains what DKIM is, how signing and verification work, how to set it up and how it works together with SPF and DMARC.

What is DKIM?

DKIM stands for DomainKeys Identified Mail. It is an open standard for email authentication, defined in RFC 6376. With DKIM, the sending mail server signs every outgoing message with a secret key. The recipient checks that signature using a public key that you publish as a DKIM record in your DNS.

Think of DKIM as a sealed envelope. The sender stamps the letter with a seal that only they can produce. The recipient can tell from the seal that the letter comes from the right sender and that nobody opened it in transit. If the seal does not match, something is wrong.

DKIM relies on a key pair: a private key that stays secret on the mail server and a public key that anyone may look up. Whatever is signed with the private key can only be verified with the matching public key. That is how the recipient knows for certain that the signature belongs to your domain.

Why does DKIM matter?

Without authentication, anyone can fairly easily send email that appears to come from your domain. This is called spoofing, and it is widely used for phishing and spam. DKIM makes that harder, because a forger does not have your private key and therefore cannot produce a valid signature.

A valid DKIM record also improves your deliverability. Mailbox providers such as Gmail, Yahoo and Microsoft factor in authentication when deciding whether a message lands in the inbox or the spam folder. Messages with a matching DKIM signature are trusted more often.

Since early 2024, Gmail and Yahoo have even required DKIM from senders who send large volumes of email, roughly 5,000 messages a day or more. Microsoft introduced similar requirements in May 2025. If you send a lot of newsletters or transactional email, a correct combination of SPF, DKIM and DMARC is no longer optional.

How does DKIM work?

DKIM has two sides: signing on the sending end and verification on the receiving end. In between sits your DNS, which holds the public key.

Signing

When your mail server sends a message, it calculates fingerprints (hashes) of the message body and of a set of header fields, such as the sender, the subject and the date. Those fingerprints are then signed with the private key.

The server adds an extra header to the message: the DKIM-Signature. It contains, among other things, the signing domain (the d= tag), the selector used (the s= tag), the list of signed fields (h=) and the signature itself (b=). This header travels with the message to the recipient.

Verifying

The receiving mail server reads the DKIM-Signature and sees which domain and selector were used. It then queries DNS for the public key at the name selector._domainkey.yourdomain.com.

Using that public key, the recipient recalculates the same fingerprints and compares them with the signature. If they match, the DKIM check passes: the message is authentic and unchanged. If the content was altered in transit or the key is missing, the check fails.
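The two receiver-side steps above that need no key, as an added Python example (not code from this article or from any mail server): building the DNS name from d= and s=, and recomputing the body fingerprint. It assumes rsa-sha256 with the "relaxed" body canonicalization of RFC 6376, where the body fingerprint travels in a bh= tag; the sample message and all function names are constructed for the example, and the RSA check of b= is not performed.

```python
import base64
import hashlib
import re

def parse_tags(value: str) -> dict:
    """Split a DKIM tag=value list (signature header or DNS record) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    pairs = (item.partition("=") for item in unfolded.split(";") if "=" in item)
    return {name.strip(): val.strip() for name, _, val in pairs}

def key_lookup_name(tags: dict) -> str:
    """DNS name the receiver queries for the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization from RFC 6376, section 3.4.4."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":  # drop empty lines at the end of the body
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)

def body_hash(body: bytes) -> str:
    """Value of the bh= tag for SHA-256 signatures."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def body_matches(signature_value: str, body: bytes) -> bool:
    """True if the received body still hashes to the bh= the sender recorded."""
    bh = "".join(parse_tags(signature_value)["bh"].split())  # ignore folding
    return bh == body_hash(body)

# Constructed sample: what the sending side would put in the DKIM-Signature.
SENT_BODY = b"Hello,\r\n\r\nYour invoice is attached.\r\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=default;\r\n"
    " h=from:to:subject:date;\r\n"
    f" bh={body_hash(SENT_BODY)};\r\n"
    " b=PLACEHOLDER"  # the RSA signature itself is not computed in this example
)

if __name__ == "__main__":
    print(key_lookup_name(parse_tags(SIGNATURE)))
    print(body_matches(SIGNATURE, SENT_BODY))
    print(body_matches(SIGNATURE, SENT_BODY.replace(b"attached", b"overdue")))
```

Extra spaces or trailing blank lines added in transit do not change the relaxed body hash, but a single changed word does.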

What does a DKIM record look like?

You publish the public key as a TXT record in your DNS. The name of that record consists of a selector, followed by _domainkey and your domain. A record for the selector default looks like this:

default._domainkey.yourdomain.com.  IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQ...AB"

The main parts are:

  • v=DKIM1 signals that this is a DKIM record. It is optional, but recommended.
  • k=rsa is the key type. RSA is by far the most common.
  • p= holds the public key itself, as a long string of base64 characters. The key above is shortened. A real key is much longer.

A selector is a label that points to a specific key. You may use several selectors, for example a separate selector per email service or to rotate keys without downtime. You choose the selector name yourself, or your mail server sets it for you.

Mind the length. A 2048-bit public key is around 400 characters long, while a text value in a TXT record may hold at most 255 characters per piece. Long keys are therefore stored in several pieces that are joined back together. Most DNS managers do this automatically.
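A check for the record format and the length pitfall described above, and for the "Key cut off" problem listed under common mistakes, as an added Python example (not this article's or any DNS tool's own code). It joins the quoted TXT pieces, parses the tags and reads the length that the RSA key declares about itself; the record is constructed from a made-up modulus, is not a usable key, and all function names are assumptions of the example.

```python
import base64
import hashlib

def tlv(buf: bytes, pos: int):
    """Read one DER element header; return (value_start, value_end)."""
    first = buf[pos + 1]
    if first < 0x80:
        return pos + 2, pos + 2 + first
    size = first & 0x7F  # long form: the next `size` bytes hold the length
    length = int.from_bytes(buf[pos + 2:pos + 2 + size], "big")
    return pos + 2 + size, pos + 2 + size + length

def check_dkim_record(rdata: str) -> str:
    """Join the TXT strings, parse the tags and test that an RSA p= key is whole."""
    text = "".join(rdata.split('"')[1::2]) or rdata  # quoted pieces -> one value
    pairs = (item.partition("=") for item in text.split(";") if "=" in item)
    tags = {name.strip(): "".join(val.split()) for name, _, val in pairs}
    if tags.get("k", "rsa") != "rsa":
        return "skipped: only k=rsa keys are checked here"
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:
        return "broken: p= is not complete base64"
    if len(der) < 2:
        return "broken: p= is empty (revoked key) or too short"
    start, end = tlv(der, 0)  # the outer SEQUENCE declares the full key length
    if end > len(der):
        return f"cut off: {len(der)} of {end} key bytes published"
    _, alg_end = tlv(der, start)              # skip the algorithm identifier
    bits_start, _ = tlv(der, alg_end)         # BIT STRING holding the RSA key
    rsa_start, _ = tlv(der, bits_start + 1)   # +1 skips the unused-bits byte
    mod_start, mod_end = tlv(der, rsa_start)  # first INTEGER is the modulus
    bits = int.from_bytes(der[mod_start:mod_end], "big").bit_length()
    return f"ok: complete {bits}-bit RSA key"

def constructed_record(chunk: int = 255) -> str:
    """Constructed record: made-up 2048-bit modulus, split into TXT strings."""
    modulus = bytearray(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8)))
    modulus[0] |= 0x80  # force the top bit so the modulus is exactly 2048 bits
    der = (bytes.fromhex("30820122300d06092a864886f70d0101010500"
                         "0382010f003082010a0282010100")
           + bytes(modulus) + bytes.fromhex("0203010001"))
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode()
    return " ".join(f'"{value[i:i + chunk]}"' for i in range(0, len(value), chunk))

if __name__ == "__main__":
    print(check_dkim_record(constructed_record()))
```

Publishing only the first 255-character piece of such a record is reported as broken or cut off rather than as a valid shorter key.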

Setting up DKIM

How you set up DKIM depends on where your email is handled. The broad outline is the same for every provider:

  1. Enable DKIM with whoever sends your outgoing email. They generate a key pair and choose a selector.
  2. Publish the public key as a TXT record in your domain's DNS, at the name selector._domainkey.yourdomain.com.
  3. Wait for the record to propagate. This can take 24 to 48 hours, depending on the TTL.
  4. Send a test message and check whether DKIM passes in the received email.

At LJPc hosting, email runs on Plesk. In Plesk, you enable DKIM per domain with a checkbox in the mail settings, for example "Use DKIM spam protection system to sign outgoing email messages". Plesk then creates the key pair itself and publishes the public key automatically as a TXT record in your zone. You do not have to add the key by hand.

If you manage your domain's DNS with a different provider, copy the TXT record generated by Plesk into your own DNS management. In the LJPc DNS manager you can also add TXT records yourself.

DKIM only covers your outgoing email. It is separate from your MX record, which instead decides which server receives email for your domain. Both are part of a complete email configuration, but they serve different purposes.

SPF, DKIM and DMARC together

DKIM is one of the three pillars of modern email security. The other two are SPF and DMARC. They complement each other and work best in combination.

  • SPF defines which servers may send email on behalf of your domain. It checks the envelope address, not the visible sender. Read more in our article on the SPF record.
  • DKIM places a digital signature on the message itself. That signature stays valid even when the message is forwarded.
  • DMARC ties SPF and DKIM to the visible From address and tells recipients what to do with suspicious email.

DMARC passes when SPF or DKIM passes and the checked domain matches the domain in the visible From address. This is called alignment. Because a DKIM signature survives forwarding while SPF often does not, DKIM is frequently the more reliable pillar for DMARC.

For solid protection, set up all three: SPF, DKIM and DMARC. Each record catches something the other two miss.

Common mistakes

A few things often go wrong when setting up DKIM. This table helps you recognise and fix them.

Common DKIM problems and how to solve them

| Problem | Cause | Solution |
| --- | --- | --- |
| DKIM fails after forwarding | An intermediate server changed the message | Often unavoidable with forwarding. DMARC looks at SPF and DKIM together |
| Wrong selector | The selector from the signature does not exist in your DNS | Check that the TXT record sits at the correct selector._domainkey name |
| Key cut off | The long public key was not published in full | Publish the entire p= value, in several pieces if needed |
| No alignment | The domain in d= does not match the From address | Sign with the same domain as in the visible sender |

DKIM is not complicated once you grasp the setup: your mail server signs, your DNS holds the public key and the recipient checks. Together with SPF and DMARC, this keeps your email trustworthy and your domain protected. Still stuck? Contact support.

Frequently asked questions

Is DKIM mandatory?

Not by law, but often in practice. Since 2024, Gmail and Yahoo have required DKIM from senders of large volumes of email, and Microsoft has done the same since 2025. For smaller senders too, DKIM improves deliverability and limits abuse of your domain. Setting it up is therefore wise for almost everyone.

What is a DKIM selector?

A selector is a label tied to a specific public key. The recipient uses the selector from the signature to find the right key in your DNS, at the name selector._domainkey.yourdomain.com. Because you can use several selectors, you can rotate keys or let multiple services sign without getting in each other's way.

Can I have more than one DKIM key?

Yes. You may publish several DKIM records, each with its own selector. That is handy when different services send email on behalf of your domain, or when you want to replace an old key with a new one. Each key sits at its own selector._domainkey name.

Does DKIM also work with forwarded email?

Usually it does. Because the signature travels with the message, DKIM stays valid as long as the content does not change. That is an important difference from SPF, which often fails on forwarding because the forwarding server uses a different IP address. If an intermediate step does alter the message, the signature can still break.

What is the difference between SPF, DKIM and DMARC?

SPF defines which servers may send on behalf of your domain. DKIM signs the message so the recipient can verify it is genuine and unchanged. DMARC ties both to the visible sender address and decides what happens to suspicious email. Together they form the basis of modern email security.

How do I check whether DKIM works?

Send a test message to an account you can open, for example at Gmail. View the original source of the message there and look in the Authentication-Results header for dkim=pass. You can also query the public key directly with dig TXT selector._domainkey.yourdomain.com, or use an online DKIM checker.
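The Authentication-Results check described here, combined with the alignment rule from the section on SPF, DKIM and DMARC, as an added Python example (not part of the original article). It reads a received message's source, keeps only the results written by your own receiving server and reports whether a passing signature uses the same domain as the visible From address; the message, host names and function names are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message source; every host name and value here is made up.
RAW = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@mailer.example header.s=s1 header.b=AAAA;
 dkim=pass header.d=yourdomain.com header.s=default header.b=BBBB;
 spf=pass smtp.mailfrom=bounce.mailer.example
Authentication-Results: relay.unknown.example;
 dkim=pass header.d=yourdomain.com header.s=other
From: Shop <orders@yourdomain.com>
Subject: DKIM test

Test body.
"""

def dkim_results(raw_message: str, trusted_authserv: str) -> list:
    """Return (result, signing domain, selector, aligned) per DKIM verdict
    found in Authentication-Results headers written by our own receiver."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    found = []
    for header in msg.get_all("Authentication-Results", []):
        authserv, *clauses = " ".join(header.split()).split(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # the header is plain text anyone can add: skip other writers
        for clause in clauses:
            verdict = re.match(r"\s*dkim=(\w+)", clause)
            if not verdict:
                continue  # spf=, dmarc= and other methods
            props = dict(re.findall(r"header\.([a-z])=(\S+)", clause))
            domain = (props.get("d") or props.get("i", "").rpartition("@")[2]).lower()
            # Exact match only; DMARC's relaxed mode would also accept a shared
            # organizational domain, which needs the Public Suffix List.
            aligned = bool(domain) and domain == from_domain
            found.append((verdict.group(1), domain, props.get("s"), aligned))
    return found

def dmarc_usable(found: list) -> bool:
    """True if at least one signature both passed and matches the From domain."""
    return any(result == "pass" and aligned for result, _, _, aligned in found)

if __name__ == "__main__":
    for row in dkim_results(RAW, "mx.receiver.example"):
        print(row)
```

A message signed only by a third-party sending service shows dkim=pass yet still counts as not aligned, which is the "No alignment" case from the table of common mistakes.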
