What is DKIM and how does it authenticate your email?

Last updated May 19, 2026

DKIM stands for DomainKeys Identified Mail. It is the cryptographic counterpart to SPF. Where SPF says "this IP is allowed to send for my domain," DKIM says "this exact message was signed by the holder of my domain's private key and has not been tampered with in transit."

How DKIM works

You generate a public/private key pair. The private key stays with your ESP or mail server. The public key gets published as a TXT record in your DNS under a selector (something like selector1._domainkey.yourdomain.com).

On send, your mail server adds a DKIM-Signature header to the outbound message. The header contains:

  • The selector. Tells receivers where to look up the public key.
  • The signing domain. Your domain.
  • The hashing algorithm. Usually SHA-256.
  • A signature. A hash of the message body and certain headers, signed with the private key.

The receiver fetches your public key from DNS, recomputes the hash from the actual message, and uses the public key to check that hash against the signature. A match means the message is authentic. A mismatch means the message was tampered with or spoofed.
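The receiver-side steps above, narrowed to the parts that need no key material, as an added example (not from the original article): it parses a DKIM-Signature value, derives the DNS name of the public key record, and recomputes the body hash to compare with the bh= tag. The sample header and body are constructed, example.com is a placeholder, only simple body canonicalization is handled, and the signature in b= over the headers is not verified.

```python
import base64
import hashlib

def parse_tags(value):
    """Split a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Whitespace folded into a value (b=, bh=, h=) is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def key_record_name(tags):
    """DNS name of the TXT record that holds the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def body_hash(body, algorithm):
    """bh= value under 'simple' body canonicalization (RFC 6376, 3.4.3)."""
    if not algorithm.endswith("-sha256"):
        raise ValueError(f"unsupported algorithm: {algorithm}")
    # Ignore empty lines at the end of the body, then end with one CRLF.
    canonical = body.rstrip(b"\r\n") + b"\r\n"
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()

def check_body(header_value, body):
    """Return (DNS name to query, whether the body still matches bh=)."""
    tags = parse_tags(header_value)
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_canon != "simple":
        raise ValueError("this sketch handles simple body canonicalization only")
    return key_record_name(tags), body_hash(body, tags["a"]) == tags["bh"]

# Constructed sample message; b= is a placeholder because the signature
# over the headers is not verified in this sketch.
SAMPLE_BODY = b"Hello,\r\nyour invoice is attached.\r\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=selector1;\r\n"
    " h=from:to:subject; bh=" + body_hash(SAMPLE_BODY, "rsa-sha256") + ";\r\n"
    " b=PLACEHOLDER"
)

if __name__ == "__main__":
    print(check_body(SAMPLE_HEADER, SAMPLE_BODY))             # intact body
    print(check_body(SAMPLE_HEADER, SAMPLE_BODY + b"\r\n"))   # extra blank line
    print(check_body(SAMPLE_HEADER, SAMPLE_BODY.replace(b"invoice", b"refund")))
```

A body-hash match alone does not authenticate a message: a full verifier also checks the b= signature over the signed headers, which include the bh= value, using the key fetched from the derived DNS name.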

Why DKIM matters

SPF only verifies the sending IP. It cannot detect message-level tampering, and it breaks when messages get forwarded (the forwarding server's IP is not in your SPF). DKIM closes both gaps:

  • Tamper detection. Even one altered character in a signed header invalidates the signature.
  • Forwarding survival. A signed message stays signed through legitimate forwarding. The signature travels with the message body, not the network path.
  • Required for DMARC alignment. DMARC needs either SPF or DKIM to pass with the correct domain alignment. DKIM is usually the easier of the two to align.

Check yours

Our free DKIM record checker reads your DKIM record from DNS, validates the syntax, and flags common issues such as incomplete records, wrong key length, and malformed selectors.

If you do not have DKIM yet, the DKIM record generator walks through generating a key pair and gives you the DNS record to publish.