What Is Domain Keys Identified Mail (DKIM) & How It Works

BySuryanarayan Pal


Linkedin logo
Twitter logo
copy link
Facebook logo
Whatsapp logo
Pinterest logo
mail logo

Kings in the old times would send letters to each other with a stamp. If the stamp were intact, it would indicate that the letter hasn't been tampered with. Similar to the stamp, to ensure that email content is not tampered with, a DKIM signature signs emails.

This article covers everything you need to know about DomainKeys Identified Mail (DKIM).

Table of contents

What is DKIM?

Domain Keys Identified Mail (DKIM) is an email security standard that ensures messages are not modified while traveling between the recipient and sending servers. DKIM permits organizations to take responsibility for transmitting a message in a way a recipient can verify.

The organization can be the originating website, intermediary, etc. Their reputation is the basis for evaluating whether or not to trust the message for delivery.

What is a DKIM Signature?

DKIM gives emails a signature header that is added to the email and secured with encryption. Each DKIM signature contains all the information needed for an email server to verify that the signature is real, and a pair of DKIM keys encrypt it.

The signature looks something like this:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=mpd3pejeeqmlqs7ztigzi2y23flpbcyg;; t=1660826081;; h=Content-Type:List-Unsubscribe:From:To:Reply-To:Subject:Message-ID:Date:MIME-Version; bh=FBdoN7RR/uuaFsk9yZaueugs8lII6HyF3+PDrHFBgtM=; b=GOl88uQNxDM2iCkM5bQPPI8rasQr08GlNDZ8A+hJxHDKrWoJWw4xYGZRNR8+ko6L rDpzN892Phjmrb5kwhCIeTJmI3m7PWnj4CrEjZds+Q+g+2PBqcWK73QxN+F5wXggGuD oRr7cAA1MgpJWdYYdNB5b9g/rCI2++EVsKUXtWTI=

The originating email server has the 'private DKIM key,' which can be verified by the receiving mail server or ISP with the other half of the keypair, called the 'public DKIM key.'

These signatures travel with the emails and are verified along the way by the email servers that move the emails toward their final destination.

Why should you authenticate emails with DKIM?

DKIM is among the top three must-have authentication protocols, and that's for good reason as it impacts the deliverability and reputation of your domain.

Some of the reasons behind getting your domain DKIM authenticated are as follows:

Get this pre-send checklist to hit send with confidence

An interactive checklist to send error-free emails

• Maintains the legitimacy of the sender

When you have a DKIM signed email, it signals to ISPs that the email is not tampered with. This helps improve your reputation as a sender as it seems legitimate to the receiver's server.

The better your sender's reputation will be, the more you'll land in the recipient's inbox, leading to higher deliverability.

• Protect your domain and secure your email

DKIM prevents email spoofing sent from your domain. When DKIM authenticates your emails, every outgoing message will hold the DKIM signature. This signature will ensure that the email content is not tampered with. Hence, keep your email away from spoofed domains.

• Get in the good books of ISPs

ISPs are the major contributing factor in deciding where to land your email. Having your emails signed by DKIM is one of the best ways to catch their eyes and show them that you are a verified sender and the content is not tampered with.

The more you show ISPs that your content and sending domain are genuine, the more you'll see your emails land in the inbox.

How does DKIM work?

DKIM is added as a signature to your email's header once it's verified by both the sender and receiver's server.

The signature is verified using a private and public cryptographic key. The private key is safe and hosted on your server or your ESPs. As it's private, only you can have access to it.

To validate the DKIM signature, ISPs look at the public key hosted on your organization's DNS record. This record is public and can be accessed by anyone to verify the legitimacy of your sender's domain.

The process looks like this:

A domain owner publishes a cryptographic public key as a specially-formatted TXT record in the domain's overall DNS records.

On the sender's server end.

When an email is sent, the domain generates a private key. This key contains all the information the mail server needs to verify your messages.

On the receiver's server end.

When the recipient server receives a DKIM signed email, it utilizes the public key published to DNS to check the source message and the message body. It is done to check if any changes were made during the transit.

Once the recipient server verifies the signature with the public key, the message is deemed authentic. After that, it is passed on to the ESP.

Verification of DKIM signed messages. For any email, the signature from DKIM is like a tamper-proof seal. The signature shows that it has come from the original domain and hasn't been tampered with. Every email sent is attached with a signature which is specially configured from the email servers to use the DKIM.

What is the DKIM record?

When an email is sent, there may be an intervention in the pipeline by a hacker. This may result in the email content getting forged. So, to address this issue, anti-spam bodies have conceptualized the DKIM record.

This happens with the help of a simple encoding and decoding method as follows:

  • Sender level

The email combines with a private key available at the sender server software to form an email signature. This signature is sent to the recipient along with the actual message.

  • Recipient level

There's a Domain Name System (DNS) record published in the world, available as the public key. The DNS record looks as follows: | TXT | v=DKIM1\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPtW5iwpXVPiH5FzJ7Nrl8USzuY9zqqzjE0D1r04xDN6qwziDnmgcFNNfMewVKN2D1O+2J9N14hRprzByFwfQW76yojh54Xu3uSbQ3JP0A7k8o8GutRF8zbFUA8n0ZH2y0cIEjMliXY4W4LwPA7m4q0ObmvSjhd63O9d8z1XkUBwIDAQAB

In the above example, "v" is the DKIM version, and "p" is the public key. This public key encodes the email signature, and the incoming email is compared with the decoded email. If the two match, that indicates the email hasn't been tampered with.

Note: If DKIM isn't passed, no authoritative action is taken. The email will still get delivered. But, if DKIM fails, the deliverability still gets impacted as ISPs might take it as a negative signal and land your emails in the junk folder.

How to set up your own DKIM key?

Here's what you need to do to set up your own DKIM key.

  • The signee must add code in the appropriate agent to perform signing, and they ought to modify their DNS administrative tools to allow the creation of DKIM key records.

  • A validator must add code to the appropriate agent and then feed the result into the portion of their system needing it, like a filtering engine.

  • A valid signature doesn't imply that the mail is acceptable for delivery. Acceptability requires an assessment phase. Therefore, signature validation results are fed into a vetting mechanism which is a part of the validator's filter.

You can read more about the deployment of DKIM here.

DKIM for AMP email approval from email clients

If you want to reap the benefits of sending out interactive AMP emails, you will have to get whitelisted with Yahoo Mail, Gmail, and, which support AMP emails.

For a successful whitelisting of your sender address, these email clients require DKIM.

Is Mailmodo compatible with DKIM?

Yes, Mailmodo is compatible with DKIM. Our email specialists team helps you understand the importance of security certifications and build your IP & domain reputation for high email deliverability.

We help our users to set up DKIM without any hassle to help them get whitelisted for AMP email from email clients.

Get a sample AMP email in your inbox

Experience the power of interactivity right now


Security certifications increase your sender's reputation and provide you with better email deliverability. But, DKIM alone doesn't alone help you achieve that. Other authentication protocols, such as SPF, DMARC, and BIMI, are also required to leave a great impression on the ISPs.

To help you, we have written a complete guide on email authentication protocols. Go check it out and make your emails spoofing-free.

What you should do next

Hey there, thanks for reading till the end. Here are 3 ways we can help you grow your business:

  1. Talk to an email expert. Need someone to take your email marketing to the next level? Mailmodo's experts are here for you. Schedule a 30-minute email consultation. Don't worry; it's on the house. Book a meet here.

  2. Send emails that bring higher conversions. Mailmodo is an ESP that helps you to create and send app-like interactive emails with forms, carts, calendars, games, and other widgets for higher conversions. Get started for free.

  3. Get smarter with our email resources. Explore all our knowledge here and learn about email marketing, strategies, best practices, growth hacks, case studies, templates, and more. Access guides here.

What should you do next?

Thanks for reading till the end. Here are 3 ways we can help you grow your business:


Get smarter with our email resources

Explore our email marketing guides, ebooks and other resources to master email marketing.


Do better email marketing with Mailmodo

Send app-like interactive emails with forms, carts, calendars, games, etc. to boost email ROI.


Talk to an email expert

Get a 30-min. free email consultation with a Mailmodo expert to optimize your email marketing.

Was this post useful?

Improve your email marketing

With interactive emails, smarter automation workflows, AI-powered email content and higher conversions