What is DKIM? Email Authentication Explained
Learn how DKIM (DomainKeys Identified Mail) works, what a DKIM key is, and how to set it up to protect your emails from spoofing and improve deliverability.
DKIM (DomainKeys Identified Mail) is an email authentication method that allows receiving mail servers to verify that an email was actually sent by the domain it claims to be from and that the message wasn't altered in transit.
Think of DKIM as a digital signature for your emails—like a wax seal on a letter that proves it's authentic and hasn't been tampered with.
How DKIM Works
DKIM uses cryptographic authentication to validate emails. Here's the process:
1. The Sending Server Signs the Email
When you send an email, your email server adds a DKIM signature to the email header. This signature is created using a private key that only your server knows.
2. The Signature is Added to Headers
The DKIM signature includes a hash of specific email components (like the subject, body, and sender) and is added to the email headers as a "DKIM-Signature" field.
3. The Receiving Server Verifies
When the email arrives, the receiving server looks up your domain's public DKIM key in DNS, then uses it to verify the signature. If everything matches, the email passes DKIM authentication.
4. Delivery Decision
Passing DKIM verification improves your sender reputation and deliverability. Failing or missing DKIM may result in emails being flagged as suspicious or sent to spam.
Technical Detail
DKIM uses asymmetric cryptography (public/private key pairs). The private key stays secure on your mail server, while the public key is published in your DNS records for anyone to verify.
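To make steps 1 to 3 concrete, here is an added example in Python (not code from this page or from Plunk), using only the standard library, that does the preparatory work of DKIM signing and verification: it parses the tag list of a DKIM-Signature header, canonicalizes the body and headers with the "relaxed" rules of RFC 6376, computes the bh= body hash, and assembles the exact bytes that the b= signature covers. The RSA signing and verification step itself is left out because it needs a cryptography library. The sample header, body and message headers are constructed; the bh= value in the sample is the one from the signature shown later on this page, which is the hash of an empty body.

```python
import base64
import hashlib
import re

# Constructed sample DKIM-Signature header in the shape shown on this page.
# The bh= value is the page's own (the hash of an empty body); b= is a placeholder.
SAMPLE_SIGNATURE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "\td=yourdomain.com; s=default;\r\n"
    "\th=from:subject:date:message-id:to;\r\n"
    "\tbh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;\r\n"
    "\tb=GJwP3Qr8KqKKKNT5HL8j3fjXvLEm9KmZs6YdO2KqEqr\r\n"
)


def parse_dkim_tags(header: str) -> dict:
    """Split the tag=value list of a DKIM-Signature header (RFC 6376 section 3.2).
    Folded lines are unfolded and whitespace inside values is dropped, which is
    what the base64 tags bh= and b= need."""
    _, _, value = header.partition(":")           # drop the field name
    value = re.sub(r"\r?\n[ \t]+", " ", value)    # unfold continuation lines
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization (RFC 6376 section 3.4.4): CRLF line endings,
    no trailing whitespace on a line, runs of spaces/tabs collapsed to one space,
    empty lines at the end removed, exactly one CRLF at the end (an empty body
    becomes a single CRLF)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    body = re.sub(rb"[ \t]+(?=\r\n|$)", b"", body)   # whitespace at end of each line
    body = re.sub(rb"[ \t]+", b" ", body)            # collapse runs of WSP
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def body_hash(body: bytes) -> str:
    """The bh= tag: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name: str, value: str) -> bytes:
    """'relaxed' header canonicalization (RFC 6376 section 3.4.2): lowercase name,
    unfolded value, whitespace runs collapsed, no whitespace around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n".encode()


def signed_data(message_headers: list, sig_header: str) -> bytes:
    """The bytes the b= signature is computed over: each header named in h=, in
    that order, taken from the bottom of the header block (RFC 6376 section 5.4.2),
    then the DKIM-Signature header itself with its b= value emptied and without a
    trailing CRLF. Headers not listed in h= are not protected by the signature."""
    tags = parse_dkim_tags(sig_header)
    remaining = list(message_headers)             # list of (name, value) pairs
    data = b""
    for wanted in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                data += relaxed_header(*remaining.pop(i))
                break                             # a missing header is skipped
    _, _, sig_value = sig_header.partition(":")
    sig_value = re.sub(r"(^|[;\s])b=[^;]*", r"\1b=", sig_value)
    return data + relaxed_header("DKIM-Signature", sig_value).rstrip(b"\r\n")


def dns_name_for(tags: dict) -> str:
    """Where a verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def body_hash_matches(sig_header: str, body: bytes) -> bool:
    """First verification check, before any RSA work: recompute bh= and compare.
    Only the relaxed body canonicalization is implemented here."""
    tags = parse_dkim_tags(sig_header)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "relaxed":
        raise ValueError(f"body canonicalization {body_canon!r} not implemented here")
    return body_hash(body) == tags["bh"]
```

Two things worth noticing when running it: whitespace-only edits to the body leave bh= unchanged, while any change to the text breaks it, and a header that is not listed in h= (an X-Mailer line, say) can be altered without affecting the bytes that the signature covers, which is why the h= list should contain every header you care about.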
What Does a DKIM Record Look Like?
A DKIM record is a TXT record in your DNS that contains your public key. Here's an example:
default._domainkey.yourdomain.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSma0axspqYK5iAj+54lsAg4qRRCnpKK68hawSJfliq9vKD6czJ..."
# Breaking down the components:
# v=DKIM1 -> DKIM version
# k=rsa -> Key type (RSA)
# p=MIGfMA0... -> Public key (base64 encoded)
Selector Names
The "default" in default._domainkey is called a selector. You can use different selectors to rotate keys or separate different email streams (e.g., marketing, transactional).
Why DKIM Matters for Email Deliverability
Prevents Email Spoofing
DKIM makes it practically impossible for spammers to forge a DKIM-signed email from your domain: the cryptographic signature can't be produced without your private key.
Improves Deliverability
Major email providers (Gmail, Outlook, Yahoo) use DKIM as a trust signal. Emails with valid DKIM signatures are more likely to reach the inbox.
Protects Brand Reputation
By preventing domain spoofing, DKIM protects your brand from being used in phishing attacks that could damage your reputation.
Enables DMARC
DKIM is a prerequisite for implementing DMARC, which provides even stronger email authentication and reporting capabilities.
Gmail & Yahoo Requirements
As of February 2024, Gmail and Yahoo require DKIM authentication for bulk senders (5,000+ emails/day). Even if you send less, implementing DKIM is considered a best practice.
What Does a DKIM Signature Look Like?
When you send an email, the DKIM signature is added to the email headers. Here's what it looks like:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=yourdomain.com; s=default;
h=from:subject:date:message-id:to;
bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
b=GJwP3Qr8KqKKKNT5HL8j3fjXvLEm9KmZs6YdO2KqEqr...
# Key components:
# v=1 -> DKIM version
# d=yourdomain.com -> Signing domain
# s=default -> Selector (matches DNS record)
# h=from:subject... -> Headers included in signature
# bh=frcCV1... -> Hash of email body
# b=GJwP3Q... -> The actual signature
How Plunk Simplifies DKIM
Setting up DKIM manually can be complex, but Plunk makes it automatic:
Automatic Key Generation
Plunk automatically generates secure DKIM key pairs for your domain when you add it to your account.
Simple DNS Setup
We provide the exact DNS records you need to add—just copy and paste into your DNS provider.
Automatic Signing
Every email you send through Plunk is automatically signed with DKIM. No configuration needed.
Verification & Monitoring
Plunk verifies your DKIM setup and monitors authentication status for all your emails.
Ready in Minutes
Most Plunk users have DKIM fully configured and working within 5-10 minutes. Our dashboard guides you through every step.
DKIM Best Practices
✓ Use 2048-bit Keys
While 1024-bit keys still work, 2048-bit keys provide better security and are recommended by Gmail and other providers.
✓ Implement SPF and DMARC Too
DKIM works best when combined with SPF and DMARC for comprehensive email authentication. Use all three for maximum protection.
✓ Monitor DKIM Status
Regularly check that your DKIM signatures are passing. Most email platforms provide authentication reports.
✓ Rotate Keys Periodically
For enhanced security, rotate your DKIM keys every 6-12 months. Plan key rotation carefully to avoid delivery disruptions.
✗ Don't Share Private Keys
Your DKIM private key should never be shared or stored insecurely. Treat it like a password.
✗ Don't Use the Same Key Across Domains
Each domain should have its own unique DKIM key pair for security and proper authentication.
DKIM vs SPF: What's the Difference?
DKIM and SPF are both email authentication protocols, but they work differently and check different things:
| Feature | DKIM | SPF |
|---|---|---|
| What it validates | Email content integrity | Sending server authorization |
| How it works | Cryptographic signature in headers | IP address check against DNS list |
| Survives forwarding | Yes (if content unchanged) | No (forwarded IP changes) |
| DNS record type | TXT at selector._domainkey.* | TXT at root domain |
| Required for DMARC | Yes (one of SPF/DKIM required) | Yes (one of SPF/DKIM required) |
Use Both for Maximum Protection
DKIM and SPF complement each other. SPF covers scenarios where DKIM can't (like forged server IPs), and DKIM covers forwarding scenarios where SPF breaks. Implementing both—plus DMARC—gives you complete email authentication coverage.
How to Test Your DKIM Setup
After setting up DKIM, verify it's working correctly using these methods:
1. Check the Email Headers
Send a test email and view the raw message headers. Look for the DKIM-Signature header and the Authentication-Results header, which shows whether DKIM passed or failed:
Authentication-Results: mx.google.com;
dkim=pass header.i=@yourdomain.com header.s=default header.b=GJwP3Qr8;
spf=pass (google.com: domain of you@yourdomain.com designates 1.2.3.4 as permitted sender);
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=yourdomain.com
2. Use DNS Lookup Tools
Verify your DKIM public key is correctly published in DNS by querying your DKIM TXT record:
# Check your DKIM record via DNS
dig TXT default._domainkey.yourdomain.com
# Or using nslookup
nslookup -type=TXT default._domainkey.yourdomain.com
3. Send to Gmail and Check
Send a test email to a Gmail address, then click the three-dot menu and select "Show original". The "Summary" at the top will show DKIM: PASS or DKIM: FAIL, confirming your setup is working.
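Reading these results by hand is fine for one test message; for many, a small parser helps. The following is an added example (not code from this page or from Plunk) in Python, standard library only, that parses an Authentication-Results header of the shape shown in step 1 into a per-method result with its properties, and then checks the point DMARC cares about: that DKIM passed and that the signing domain matches the From: domain (strict alignment; DMARC's relaxed mode, which also accepts subdomains of the same organization, is not modelled). The sample header is constructed and the parenthesised comments are dropped, so the IP address and policy text inside them are not kept.

```python
import re

# Constructed sample in the shape of the Authentication-Results header shown above.
SAMPLE_AUTH_RESULTS = (
    "Authentication-Results: mx.google.com;\r\n"
    "       dkim=pass header.i=@yourdomain.com header.s=default header.b=GJwP3Qr8;\r\n"
    "       spf=pass (google.com: domain of you@yourdomain.com designates 1.2.3.4"
    " as permitted sender);\r\n"
    "       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=yourdomain.com\r\n"
)


def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results header (RFC 8601) into
    {"authserv_id": ..., "<method>": {"result": ..., "<property>": ...}}.
    Parenthesised comments are free text for humans and are dropped."""
    _, _, value = header.partition(":")
    value = re.sub(r"\r?\n[ \t]+", " ", value)    # unfold continuation lines
    value = re.sub(r"\([^)]*\)", "", value)        # strip comments
    parts = [p.strip() for p in value.split(";")]
    results = {"authserv_id": parts[0]}            # the verifying server's id
    for part in parts[1:]:
        tokens = part.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        entry = {"result": result}
        for token in tokens[1:]:                   # property=value pairs
            prop, _, val = token.partition("=")
            entry[prop] = val
        results[method] = entry
    return results


def dkim_signing_domain(results: dict) -> str:
    """The domain the reported DKIM signature belongs to: header.d if the verifier
    reports it, otherwise the domain part of header.i."""
    dkim = results.get("dkim", {})
    return (dkim.get("header.d") or dkim.get("header.i", "").rpartition("@")[2]).lower()


def dkim_aligned(results: dict, from_domain: str) -> bool:
    """True when DKIM passed and the signing domain equals the From: domain
    (DMARC strict alignment). from_domain comes from the message's From header."""
    dkim = results.get("dkim", {})
    return dkim.get("result") == "pass" and dkim_signing_domain(results) == from_domain.lower()
```

A dkim=pass on its own only says that some domain's signature verified; the alignment check is what ties that signature to the domain the recipient actually sees in From:, which is the property DMARC reporting is built on.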
Common DKIM Issues
If DKIM fails, check that:
1. The DNS record uses the correct selector name.
2. The record hasn't been truncated by your DNS provider (long keys may need to be split).
3. DNS propagation is complete (can take up to 48 hours).
4. Your email service is configured to sign with the correct private key.
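Issue 2 in this list, the key-size advice under "Use 2048-bit Keys", and the dig/nslookup step above all come down to inspecting the strings of the selector._domainkey TXT record. The following added example (not code from this page or from Plunk), in Python with the standard library only, joins the quoted strings as dig prints them, parses the v=/k=/p= tags, base64-decodes p= and walks the DER SubjectPublicKeyInfo far enough to read the RSA modulus size, so a truncated record, a revoked (empty) key and a key under 2048 bits are all reported. It has no real key to work with, so it also contains a small DER encoder that builds a fake RSA public key of a chosen size purely for the demonstration; the sample records are constructed. For reference, the page's own sample p= begins with MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ, the standard prefix of a 1024-bit RSA key, so it would get the key-size note.

```python
import base64
import re


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_int(value: int) -> bytes:
    """DER INTEGER: big-endian, with a leading 0x00 if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def build_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key, the format DKIM's p= tag carries.
    Used here only to construct sample records; the modulus is NOT a real key."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101")        # 1.2.840.113549.1.1.1
    algorithm = der_tlv(0x30, rsa_oid + b"\x05\x00")           # OID + NULL params
    public_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + public_key))


def sample_record(modulus: int) -> str:
    """Constructed DKIM record text around a fake key (demonstration only)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(build_rsa_spki(modulus)).decode()


def as_txt_strings(record: str, chunk: int = 255) -> list:
    """Split a record value into 255-character strings, as a DNS provider would."""
    return [record[i:i + chunk] for i in range(0, len(record), chunk)]


def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER element; returns (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: next bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element is shorter than its declared length")
    return tag, buf[pos:end], end


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SubjectPublicKeyInfo down to the RSA modulus and return its bit length."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, _, pos = read_tlv(body)                 # AlgorithmIdentifier, skipped
    tag, bit_string, _ = read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = read_tlv(bit_string[1:])   # skip the unused-bits octet
    tag, modulus, _ = read_tlv(rsa_key)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt_strings: list) -> dict:
    """Join the TXT record's strings (values over 255 characters are split into
    several quoted strings, which is how dig prints them) and parse the tags."""
    tags = {}
    for item in "".join(txt_strings).split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_dkim_record(txt_strings: list) -> dict:
    """Offline checks on the record text: version tag, key type, revoked key,
    truncated or corrupt key data, key size. Returns {"key_bits", "problems"}."""
    tags = parse_dkim_record(txt_strings)
    report = {"key_bits": None, "problems": []}
    if tags.get("v", "DKIM1") != "DKIM1":
        report["problems"].append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        report["problems"].append(f"key type k={tags.get('k')} not handled here")
        return report
    if "p" not in tags:
        report["problems"].append("no p= tag")
        return report
    if tags["p"] == "":
        report["problems"].append("empty p= means the key is revoked")
        return report
    try:
        report["key_bits"] = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):           # bad base64 or DER cut short
        report["problems"].append("p= does not decode to an RSA public key (truncated or corrupted record?)")
        return report
    if report["key_bits"] < 2048:
        report["problems"].append(f"{report['key_bits']}-bit key; 2048-bit keys are recommended")
    return report
```

To use it on a live record, paste the quoted strings from the dig output into a list and pass them to check_dkim_record; a record that a provider silently cut at 255 characters shows up as the "truncated or corrupted" problem rather than as a confusing DKIM failure in a remote mail server's log.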