What is DKIM? - How it Works & Explained


Strengthening Email Security and Preventing Spoofing

The digital landscape is teeming with threats. One of the most common challenges organizations face is the infiltration of their email systems. Cybercriminals use spoofing techniques to impersonate legitimate senders and deceive recipients. This is where DKIM comes to the rescue, providing a robust mechanism to verify the authenticity and integrity of email messages.


What is DKIM?

DKIM is short for DomainKeys Identified Mail. It is an email authentication method that uses public-key cryptography to verify the legitimacy of email messages. It allows email recipients to check if an email they received originated from the claimed sender domain, and if the message content has remained intact during transit.


What is a DKIM Record?

A DKIM record is a DNS (Domain Name System) TXT record containing the public key used to verify outgoing email messages from a specific domain.

This record is published in the domain's DNS zone and accessed by the recipient's mail server during the DKIM verification process.


What is a DKIM Record Check?

A DKIM record check involves verifying the DKIM signature of an email message against the DKIM public key stored in the sender's domain DNS.

During this process, the recipient's mail server computes the hash of the signed parts of the message and uses the public key to verify the DKIM signature against that hash. The email is authentic only if the signature is valid for the calculated hash.


What is a DKIM Signature?

A DKIM Signature is a digital signature on an email message's header or body applied by the sender's mail server. This signature contains information about the signing domain, the cryptographic algorithm used, and the signature itself. The recipient's mail server uses the DKIM public key to validate the signature and ensure the message's authenticity.


What is a DKIM Selector?

A DKIM Selector is a unique identifier included in the DKIM signature. It helps the recipient's mail server locate the correct DKIM public key from the sender's domain DNS. Selectors enable a single domain to have multiple DKIM keys for different purposes, such as various email systems or third-party email services.


How Does DKIM Work?

Let's walk through a simple example to illustrate how DKIM works:

Imagine you're running a company called ABC Corp and want to send an important email to one of your clients. To ensure the email's authenticity and integrity, you decide to implement DKIM.

  1. Generating the DKIM Key Pair: First, you generate a DKIM key pair consisting of a private key and a corresponding public key. The private key is kept securely on your mail server, while the public key will get published in your domain's DNS.

  2. Configuring DNS: Now, you include the DKIM public key as a DKIM record in your domain's DNS zone. This record contains the selector (a unique identifier), key size, and the cryptographic algorithm used. It allows the recipient's mail server to retrieve the public key during DKIM verification.

  3. DKIM Signing: When you compose the email, your mail server signs it with the private key associated with the DKIM selector and domain. This generates a DKIM signature which gets added as a DKIM-Signature header field in the email.

  4. Verification at the Recipient's End: 

    1. Once you've sent the email, your client's mail server retrieves the DKIM-Signature header field from the email during the DKIM verification process.

    2. Next, it retrieves the public key from your domain's DNS using the selector specified in the DKIM-Signature header. It then recomputes the hash of the signed headers and body and uses the public key to verify the signature against that hash.

    3. If the signature verifies against the calculated hash, the email is considered authentic and has not been tampered with during transit.

This example demonstrates how DKIM provides an additional layer of trust and security in email communication. By verifying the DKIM signature, the recipient can be confident that the email originated from ABC Corp and the content has remained unchanged.
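The sign-and-verify flow above, as an added example that is not part of this article: a Go program (standard library only) that builds a DKIM-Signature header for a constructed message and then replays the receiver's check. Header canonicalization is simplified to three fixed fields rather than the full RFC 6376 procedure, the public key is passed in directly instead of being fetched from DNS, and the domain, selector and message contents are made-up values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// Message is a constructed, minimal mail: the three headers that get signed plus the body.
type Message struct{ From, To, Subject, Body string }

// bodyHash computes the bh= tag: base64(SHA-256) of the "simple"-canonicalized body (trailing empty lines dropped, one CRLF kept).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// digest hashes what the private key actually signs: the h= headers, then the DKIM-Signature
// header itself with an empty b= value (simplified canonicalization, not the full RFC 6376 rules).
func digest(m Message, head string) []byte {
	d := sha256.Sum256([]byte("from:" + m.From + "\r\nto:" + m.To + "\r\nsubject:" + m.Subject + "\r\ndkim-signature:" + head))
	return d[:]
}

// Sign builds the DKIM-Signature header value the sender's mail server adds (step 3 above).
func Sign(priv *rsa.PrivateKey, m Message, domain, selector string) (string, error) {
	head := "v=1; a=rsa-sha256; c=simple/simple; d=" + domain + "; s=" + selector + "; h=from:to:subject; bh=" + bodyHash(m.Body) + "; b="
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(m, head))
	if err != nil {
		return "", err
	}
	return head + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify replays the receiver's check (step 4) with the public key it would have fetched from
// <selector>._domainkey.<domain>: bh= must match the body and b= must verify over the headers.
func Verify(pub *rsa.PublicKey, m Message, sigHeader string) bool {
	i := strings.LastIndex(sigHeader, "; b=")
	if i < 0 || !strings.Contains(sigHeader, "bh="+bodyHash(m.Body)+";") {
		return false // body altered in transit, or a required tag is missing
	}
	sig, err := base64.StdEncoding.DecodeString(sigHeader[i+4:])
	if err != nil {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(m, sigHeader[:i+4]), sig) == nil
}
```

Changing a single byte of the body or of a signed header, or checking with a key other than the one published under the selector, makes Verify return false.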


Using DKIM to Prevent Email Spoofing

By implementing DKIM, organizations can mitigate the risk of email spoofing and protect their brand reputation. Here's how DKIM helps prevent email spoofing:

  1. Authentication: DKIM verifies the authenticity of email messages, ensuring that they originated from the claimed sender domain.
  2. Integrity: DKIM confirms that the email content has not been tampered with during transit. Any modifications to the email will result in an invalid signature.
  3. Reputation Management: Email receivers can use DKIM to assess the reputation of the sender's domain. Consistent use of DKIM builds trust and reduces the likelihood of legitimate messages being labeled as spam.

How Do I Implement DKIM in My Domain?

  • Use a DKIM key generator tool or a DKIM service provider to create a DKIM key pair consisting of a private key (kept securely on your mail server) and a corresponding public key.
  • Publish the DKIM public key as a DKIM record in your domain's DNS zone. Include details such as the selector, key size, and cryptographic algorithm.
  • Configure your mail server to sign outgoing emails with the private key associated with the DKIM selector and domain.

DKIM vs. SPF

DKIM and SPF (Sender Policy Framework) are both email authentication mechanisms but serve different purposes:

DKIM verifies the authenticity and integrity of an email message using digital signatures, while SPF verifies whether the sending server is authorized to send emails on behalf of a specific domain.

Additionally, DKIM focuses on the signing domain's identity, while SPF focuses on the IP addresses authorized to send emails on behalf of a domain.


DKIM vs. DMARC

DKIM and DMARC (Domain-based Message Authentication, Reporting, and Conformance) work together to enhance email authentication and security. DMARC adds a layer of protection by specifying the action when an email fails DKIM or SPF authentication. It enables domain owners to set policies on the handling of non-compliant emails.


FAQs

Q: Is DKIM a foolproof method to prevent email spoofing?

DKIM significantly reduces the risk of email spoofing, but it is not a foolproof solution. It should be used in conjunction with other email authentication protocols, such as SPF and DMARC, to enhance security.

Q: Can DKIM be retroactively applied to previously sent emails?

No. DKIM signatures must be added to emails at the time of sending.

Q: Can DKIM prevent email interception or encrypt email content?

No, DKIM neither prevents email interception nor encrypts email content. Its primary function is to verify the authenticity and integrity of the email message.

Q: Do all email providers and clients support DKIM?

Most email providers and clients support DKIM. However, it's essential to check the specific requirements and guidelines of each provider to ensure successful implementation.