DKIM

The Readdle Team

Definition

💡  DKIM (DomainKeys Identified Mail): An email authentication method that attaches a digital signature to your outgoing messages. A receiving server can check that the signing domain took responsibility for the message and that the signed headers and body were not modified in transit. Think of it like a tamper-evident seal on a package.

Why DKIM matters

Spammers and phishers love impersonating legitimate domains. They'll send emails that look like they're from your bank, your boss, or a trusted service. DKIM is a big part of what stops this: a receiver can tell which domain vouched for a message, and a forgery sent from an impostor's server carries either no signature for your domain or one that fails. On its own, though, DKIM only says who signed; it takes DMARC to require that the signing domain match the visible From address and to tell receivers what to do when it doesn't.

DKIM addresses a gap that SPF cannot fill: SPF verifies that a message came from an IP address the envelope sender's domain has authorized, but it says nothing about whether the message body or headers were tampered with. Someone could intercept your email mid-route and change the content, or a relay could rewrite it. DKIM catches changes to the signed parts.

Email clients like Spark don't verify DKIM signatures themselves; the receiving mail server does that when the message arrives, and Spark reflects the provider's verdict. If the provider judges a message suspicious, for instance because it carries no valid DKIM signature, and moves it to Spam, Spark shows it in the Spam folder as well. Pass DKIM, and your emails look legitimate. Fail it, and spam filters get suspicious fast.

In most cases DKIM signatures are invisible to end users; validation happens at the mail-server level, and the verdict is usually recorded in an Authentication-Results header (dkim=pass or dkim=fail) that you can find in the raw message source. You never see it working, but it runs quietly on most of the mail you send and receive.

How DKIM works

DKIM uses public-key cryptography. You generate two keys: a private key that stays on your mail server, and a public key that you publish in your DNS records.

When you send an email, your server signs it with the private key and attaches the result in a DKIM-Signature header, which also names the signing domain (d=) and the selector (s=) the receiver needs to find the key. The receiving server looks up that public key in DNS and checks the signature. If it verifies, the receiver knows the signed parts are exactly what the signing domain sent. If it doesn't match, or the signature is missing where one is expected, red flags go up.

The signature covers specific parts of your email: the headers listed in the signature (From, To, Subject and usually several more) and the body, through a separate body hash. If the signed content changes, the signature no longer verifies. That's the tamper detection working. Two caveats: the common "relaxed" canonicalization deliberately ignores whitespace-only changes, so reflowed spacing survives, and headers that aren't listed in the signature aren't protected at all.

DKIM selectors let you use multiple keys for one domain. The selector is a short label, usually chosen by the sending service, that appears in the signature's s= tag and tells the receiver which key record to fetch. The record lives at selector._domainkey.yourdomain.com. Different sending services can use different selectors, and you can rotate keys by publishing a new selector without breaking anything.
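The round trip described above, signing on the sender's server and verification on the receiver's, as an added example in Go; it is not code from the original article or from Spark. It generates a 2048-bit RSA key, signs a constructed message for the made-up domain example.com under selector s1 (rsa-sha256, c=relaxed/simple, covering From, To and Subject), and verifies it the way a receiving server would, with a map standing in for the DNS lookup of s1._domainkey.example.com. The message contents, domain, selector and function names are all assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

var fws = regexp.MustCompile(`[ \t\r\n]+`) // folding whitespace, including header continuation lines

// Relaxed header canonicalization (RFC 6376 §3.4.2): lowercase name, unfold, collapse whitespace, trim.
func relaxedHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.TrimSpace(fws.ReplaceAllString(value, " ")) + "\r\n"
}

// bodyHash is the bh= value: SHA-256 of the body under simple canonicalization (§3.4.3), which only
// drops trailing empty lines and makes sure the body ends in exactly one CRLF.
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// tag pulls one value ("d", "s", "bh", ...) out of a tag=value list, ignoring folding whitespace.
func tag(list, name string) string {
	m := regexp.MustCompile(`(?:^|;)\s*` + name + `=([^;]*)`).FindStringSubmatch(list)
	if m == nil {
		return ""
	}
	return fws.ReplaceAllString(m[1], "")
}

// signedData is exactly what the RSA signature covers: the headers listed in h=, canonicalized, then
// the DKIM-Signature header itself with its b= value blanked and no trailing CRLF (§3.7).
func signedData(headers map[string]string, h []string, dkim string) []byte {
	var sb strings.Builder
	for _, name := range h {
		if v, ok := headers[strings.ToLower(name)]; ok {
			sb.WriteString(relaxedHeader(name, v))
		}
	}
	blank := regexp.MustCompile(`(^|;)(\s*b=)[^;]*`).ReplaceAllString(dkim, "${1}${2}")
	sb.WriteString(strings.TrimSuffix(relaxedHeader("DKIM-Signature", blank), "\r\n"))
	return []byte(sb.String())
}

// sign returns the DKIM-Signature header value for d=domain, s=selector over the headers in h.
func sign(headers map[string]string, body, domain, selector string, h []string, key *rsa.PrivateKey) string {
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(h, ":"), bodyHash(body))
	digest := sha256.Sum256(signedData(headers, h, value))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only a broken key or RNG gets here
	}
	return value + base64.StdEncoding.EncodeToString(sig)
}

// verify replays the receiver: look up the key for <s>._domainkey.<d> (the keys map stands in for the
// DNS TXT query so this runs offline), compare bh= with the body, then check b= over the headers.
func verify(headers map[string]string, body, dkim string, keys map[string]*rsa.PublicKey) error {
	pub, ok := keys[tag(dkim, "s")+"._domainkey."+tag(dkim, "d")]
	if !ok {
		return fmt.Errorf("no key record for selector %q at %q", tag(dkim, "s"), tag(dkim, "d"))
	}
	if bodyHash(body) != tag(dkim, "bh") {
		return fmt.Errorf("bh= mismatch: body changed after signing")
	}
	sig, err := base64.StdEncoding.DecodeString(tag(dkim, "b"))
	if err != nil {
		return err
	}
	digest := sha256.Sum256(signedData(headers, strings.Split(tag(dkim, "h"), ":"), dkim))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// demo signs a constructed message and reports, in order: original verifies; Subject with extra
// spaces still verifies (relaxed canonicalization); changed amount in the body fails; changed Subject fails.
func demo() (r [4]bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	keys := map[string]*rsa.PublicKey{"s1._domainkey.example.com": &key.PublicKey} // stand-in for DNS
	hdr := map[string]string{"from": "Alice <alice@example.com>", "to": "bob@example.net", "subject": "Invoice #42"}
	body := "Please pay 100 EUR by Friday.\r\n" // constructed sample message
	dkim := sign(hdr, body, "example.com", "s1", []string{"from", "to", "subject"}, key)
	spaced := map[string]string{"from": hdr["from"], "to": hdr["to"], "subject": "Invoice    #42"}
	resubj := map[string]string{"from": hdr["from"], "to": hdr["to"], "subject": "Invoice #43"}
	r[0], r[1] = verify(hdr, body, dkim, keys) == nil, verify(spaced, body, dkim, keys) == nil
	r[2] = verify(hdr, "Please pay 900 EUR by Friday.\r\n", dkim, keys) == nil
	r[3] = verify(resubj, body, dkim, keys) == nil
	return r, nil
}

func main() { fmt.Println(demo()) } // [true true false false] <nil>
```

Running it prints [true true false false] <nil>: the original verifies; a Subject with extra spaces still verifies, because relaxed canonicalization collapses whitespace before hashing; a changed amount in the body fails at the bh= check before any RSA work is done; a changed Subject fails the signature check over the headers. A production verifier additionally checks the v=, a=, c= and x= tags and copes with several signatures on one message, which this example leaves out.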

Setting up DKIM

Your email service provider usually handles most of this. Gmail, Outlook, Mailchimp, and other major providers either enable DKIM automatically or walk you through setup in their admin dashboard.

For Gmail (Google Workspace): You must wait 24 to 72 hours after turning on Gmail before you can get your DKIM key in the Admin console. Go to Apps > Google Workspace > Gmail > Authenticate email, generate your DKIM key, then add the TXT record to your DNS. 

For custom mail servers: Generate a 2048-bit RSA key pair, publish the public key as a TXT record at selector._domainkey.yourdomain.com (its value looks like v=DKIM1; k=rsa; p=<base64-encoded public key>), and configure your mail server to sign outgoing messages with the private key. The private key never leaves the mail server.

New DNS records need time to propagate, which can take up to 48 hours, though it's usually done in a few hours. Then use a DKIM checker tool to confirm that the record resolves and parses correctly.
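The custom-server steps above, as an added example in Go (not code from the original article or from any mail server or DNS product): generate the 2048-bit key pair, build the TXT record value for s1._domainkey.example.com, split it into the 255-byte strings a TXT record is made of, and then run the kind of check a DKIM checker tool performs on what DNS returns. The selector, domain and function names are assumptions, and the strings a real checker would fetch with a DNS query are replaced here by the ones the example just built.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// dkimRecord builds the TXT record value for <selector>._domainkey.<domain> from an RSA public key:
// v=DKIM1, k=rsa, and the base64 DER SubjectPublicKeyInfo in p= (RFC 6376 §3.6.1).
func dkimRecord(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

// splitTXT cuts a record into the <=255-byte character-strings TXT RDATA is made of (RFC 1035).
// A 2048-bit key record is about 400 bytes, so it needs two; verifiers concatenate them (RFC 6376 §3.6.2.2).
func splitTXT(record string) []string {
	var parts []string
	for len(record) > 255 {
		parts = append(parts, record[:255])
		record = record[255:]
	}
	return append(parts, record)
}

// zoneLine renders the record as a zone-file entry for the selector (assumed names s1 / example.com in main).
func zoneLine(selector, domain, record string) string {
	quoted := splitTXT(record)
	for i, p := range quoted {
		quoted[i] = `"` + p + `"`
	}
	return fmt.Sprintf("%s._domainkey.%s. IN TXT %s", selector, domain, strings.Join(quoted, " "))
}

// checkRecord does what a DKIM checker does with the strings it fetched: concatenate, parse the tags,
// confirm v= and k=, decode p= and report the RSA key size. An empty p= means the key was revoked
// (RFC 6376 §3.6.1), which is the state to leave a retired selector in after rotation.
func checkRecord(txtStrings []string) (bits int, err error) {
	tags := map[string]string{}
	for _, field := range strings.Split(strings.Join(txtStrings, ""), ";") {
		if kv := strings.SplitN(field, "=", 2); len(kv) == 2 {
			tags[strings.TrimSpace(kv[0])] = strings.Join(strings.Fields(kv[1]), "")
		}
	}
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return 0, fmt.Errorf("unsupported version %q", v)
	}
	if k, ok := tags["k"]; ok && k != "rsa" {
		return 0, fmt.Errorf("unsupported key type %q", k)
	}
	p, ok := tags["p"]
	switch {
	case !ok:
		return 0, fmt.Errorf("no p= tag: not a DKIM key record")
	case p == "":
		return 0, fmt.Errorf("p= is empty: key revoked")
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return 0, fmt.Errorf("p= is not valid base64 (truncated or mis-split record?): %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return 0, fmt.Errorf("p= is not a DER public key: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return 0, fmt.Errorf("p= is not an RSA key")
	}
	if bits = rsaPub.N.BitLen(); bits < 2048 {
		return bits, fmt.Errorf("%d-bit RSA key is too short; generate 2048", bits)
	}
	return bits, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the private half stays on the mail server
	if err != nil {
		panic(err)
	}
	record, err := dkimRecord(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println(zoneLine("s1", "example.com", record))
	fmt.Println(checkRecord(splitTXT(record))) // 2048 <nil>
}
```

The split matters in practice: a 2048-bit key produces a record of roughly 400 characters, longer than one TXT character-string allows, and a record that was pasted unsplit or silently truncated by a DNS control panel is a common reason a freshly configured DKIM setup fails; the checker's base64 and DER decoding steps catch that. The empty p= case is the record you leave behind for a retired selector after rotating keys.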

Common DKIM questions

Does DKIM guarantee my emails won't go to spam? 

No. Adding a DKIM signature doesn't guarantee delivery, but it significantly boosts the odds of a positive outcome. DKIM proves authenticity, but spam filters also check content, sender reputation, engagement, and other factors. 

What happens if my DKIM signature fails? 

Signature verification failure doesn't force rejection of the message by itself. Most receiving servers record the result in an Authentication-Results header (dkim=fail) and factor it into their spam scoring. Whether a failure escalates to quarantine or outright rejection depends on the DMARC policy your domain publishes and on whether SPF still passes for the From domain. Repeated failures hurt your sender reputation.

Do I need DKIM if I already have SPF? 

Yes. SPF and DKIM protect different things. SPF checks that the sending server's IP address is authorized by the envelope sender's domain. DKIM checks that the signed content wasn't altered and that a domain vouched for the message with its key. Use both. Add DMARC on top to tie each result to the visible From address and to tell receivers what to do when the checks fail.

How often should I rotate DKIM keys? 

DKIM keys don't expire on their own, but you should rotate them periodically; we suggest every 12 months. Generate a new key under a new selector, add its record to DNS, switch your mail server to sign with it, then retire the old record after a few days, so messages already in transit can still verify. Publishing the old selector with an empty p= value tells verifiers that key has been revoked.

Can I use the same DKIM key for multiple domains? 

Technically yes, but don't. Each domain should have its own DKIM key pair. Sharing keys across domains weakens security and makes key rotation messier.

What's a good DKIM selector name? 

Anything short and descriptive works. Common choices: default, mail, s1, google, or something like marketing2025 if you're running multiple sending sources. Your email provider might assign one automatically.
