Learn · email signature glossary

DKIM

TL;DR

DKIM (DomainKeys Identified Mail) is an email authentication method in which the sending server cryptographically signs each message, and receivers verify the signature against a public key published in the sender's DNS.

DKIM stands for DomainKeys Identified Mail. When your mail server sends a message, it adds a DKIM-Signature header: a cryptographic signature computed over the message body and selected headers using a private key. The matching public key is published as a DNS TXT record at selector._domainkey.yourdomain.com. The receiving server fetches that key and verifies the signature. A valid signature proves two things: the message was authorized by the domain that signed it, and the signed content was not modified in transit.

Re: In practice

Why it matters

DKIM is the tamper seal on your email. It survives forwarding better than SPF (which breaks when a message is relayed through another server) and it is one of the two checks DMARC relies on, so you cannot reach an enforced DMARC policy without it. For deliverability, mailbox providers now treat a valid DKIM signature as table stakes; Google and Yahoo both require it from bulk senders. In practice you enable DKIM in your email platform (Google Workspace and Microsoft 365 both generate the keys for you), publish the DNS record they give you, and rotate keys occasionally. One signature caveat is relevant here: some mailing lists and gateways that rewrite message content invalidate DKIM, which is a reason signature-injection appliances that modify messages after signing can hurt deliverability.

Ready to create your email signature?

Free generator, no account required. Works in Gmail, Outlook, and Apple Mail.

Try Free Generator