What is DKIM (DomainKeys Identified Mail)?
DKIM, short for DomainKeys Identified Mail, is an email authentication method that attaches a cryptographic signature to every outgoing message. The signature lets the receiving server confirm that the email was genuinely authorized by the sending domain and that its content was not altered along the way.
Definition
DomainKeys Identified Mail is one of the three pillars of modern email authentication, working alongside SPF and DMARC. While SPF answers the question of whether a message came from an authorized server, DKIM answers two slightly different questions. It confirms that the message was approved by someone who controls the sending domain, and it confirms that nobody tampered with the message after it was sent.
DKIM achieves this with public-key cryptography. The sending domain holds a private key that is kept secret on its mail infrastructure, and it publishes a matching public key in the Domain Name System for anyone to read. When the domain sends a message, its mail server uses the private key to generate a digital signature over selected parts of the email and adds that signature to the message as a header field that mail clients do not normally display. When the message arrives, the receiving server fetches the public key from DNS and uses it to check the signature. Because only the holder of the private key could have produced a signature that the public key validates, a passing DKIM check is solid evidence that the message is authentic and intact.
How It Works
DKIM relies on a pair of cryptographic keys. A private key is generated for the domain and stored securely on the sending mail system, and the corresponding public key is published as a DNS TXT record. That record sits at a special location built from a label called a selector, in the form selector._domainkey.yourdomain.com. The selector exists so that a domain can publish several keys at once, which is useful for assigning a separate key to each sending service and for rotating keys safely over time.
When the domain sends a message, its mail server selects which parts of the email to protect. This always includes the message body and a chosen set of header fields, commonly From, To, Subject, Date, and others. The server computes a hash of the body and a hash across the chosen headers, then uses the private key to sign that data, producing the signature. All of this is recorded in a new header called DKIM-Signature, which is added to the message. That header carries the signing domain in a d= tag, the selector in an s= tag, the list of signed headers in an h= tag, the body hash in a bh= tag, and the signature itself in a b= tag.
On the receiving side, the server reads the DKIM-Signature header, takes the domain and selector, and looks up the matching public key record in DNS. It then recomputes the body hash and the header hash using exactly the same headers listed in h=, and it uses the public key to verify that the signature in b= matches that recomputed data. If the correct private key was used and none of the signed content was changed in transit, the signature validates and DKIM passes. If any signed header or the body was modified, the hashes no longer match and the check fails. One practical consequence is that the signature only covers the headers explicitly listed, and it remains valid only as long as intermediate mail systems do not alter the signed portions of the message.
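The receiver-side steps described above, as an added example that is not part of the original page: it parses a DKIM-Signature header, derives the DNS name of the key record, rechecks the body hash, and lists headers that h= leaves unprotected. The domain, selector, and message are constructed; it assumes "simple" body canonicalization from RFC 6376 with SHA-256, and it does not perform the DNS lookup or the public-key check of b=.

```python
import base64
import hashlib
import hmac
import re

def parse_dkim_signature(value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def key_record_name(tags: dict) -> str:
    """DNS name of the TXT record that holds the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def body_hash(body: bytes) -> str:
    """SHA-256 body hash under RFC 6376 'simple' canonicalization."""
    while body.endswith(b"\r\n"):  # trailing empty lines are ignored
        body = body[:-2]
    return base64.b64encode(hashlib.sha256(body + b"\r\n").digest()).decode()

def body_intact(tags: dict, body: bytes) -> bool:
    """True when the recomputed body hash equals the bh= tag."""
    return hmac.compare_digest(tags["bh"], body_hash(body))

def unsigned_headers(tags: dict, header_names: list) -> list:
    """Headers present on the message that h= does not cover."""
    signed = {h.lower() for h in tags["h"].split(":")}
    return [h for h in header_names if h.lower() not in signed]

# Constructed sample message (not real mail); b= is a placeholder value.
BODY = b"Your invoice is attached.\r\n"
HEADERS = ["From", "To", "Subject", "Date", "Reply-To"]
SIG = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=mail2024;\r\n"
       " h=From:To:Subject:Date; bh=" + body_hash(BODY) + ";\r\n"
       " b=PLACEHOLDER")
TAGS = parse_dkim_signature(SIG)

if __name__ == "__main__":
    print(key_record_name(TAGS))                  # where the public key lives
    print(body_intact(TAGS, BODY))                # unmodified body
    print(body_intact(TAGS, BODY + b"extra\r\n")) # body changed in transit
    print(unsigned_headers(TAGS, HEADERS))        # headers outside h=
```

In the sample, Reply-To is present on the message but absent from h=, so a change to it in transit would not cause the DKIM check to fail.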
Why It Matters for Email Deliverability
DKIM is a strong, persistent trust signal for mailbox providers. A consistently valid DKIM signature tells a provider that a real domain stands behind the mail and is willing to be held accountable for it, which helps that mail earn a place in the inbox. Just as importantly, DKIM has a quality that SPF lacks. Because the signature travels inside the message itself rather than depending on the connecting server, DKIM usually survives email forwarding, whereas SPF often breaks when a message is forwarded. That makes DKIM the more durable of the two checks across complex delivery paths.
DKIM is also a building block for DMARC. DMARC passes when either SPF or DKIM passes and the result aligns with the visible From domain, so a properly signed DKIM message gives a domain a reliable path to DMARC alignment. Since the 2024 sender requirements from Google and Yahoo, bulk senders are expected to authenticate with both SPF and DKIM, and mail that arrives without a valid DKIM signature is far more likely to be filtered or rejected. A correctly configured DKIM setup has shifted from a best practice into a baseline expectation for anyone sending email at scale.
How VeriMails Handles It
DKIM and email verification protect deliverability from two different directions, and a healthy email program needs both. DKIM authenticates the messages you send, proving to receiving servers that the mail is genuine and unaltered. Email verification cleans the audience you send to, making sure every address on your list is real and reachable. Authentication without a clean list still produces bounces, and a clean list without authentication still looks untrustworthy, so the two work as a pair.
VeriMails concentrates on the recipient side of that pair. Every address you submit is run through syntax validation, an MX and DNS lookup, a live SMTP handshake, catch-all detection, disposable address detection, and role-based detection, which removes the invalid addresses that would otherwise bounce and damage the reputation your DKIM, SPF, and DMARC records exist to defend. To support the authentication side too, VeriMails offers a free DKIM generator that creates a key pair and the DNS record you need to publish. You can verify a list through the REST API or a bulk CSV upload, with clear deliverability categories for campaign decisions. Verification starts at $0.0019 per email, with 10,000 credits for $19 and subscriptions from $15 per month, and every account begins with 100 free credits, no credit card required, that never expire.