DKIM stands for DomainKeys Identified Mail and is used for the authentication of an email that’s being sent. Like SPF, DKIM is an open standard for email authentication that is used for DMARC alignment. A DKIM record exists in the DNS, but it is a bit more complicated than SPF. DKIM’s advantage is that it can survive forwarding, which makes it superior to SPF and a foundation for securing your email.
DKIM started in 2004 from the merging of two similar efforts, “enhanced DomainKeys” from Yahoo and “Identified Internet Mail” from Cisco, and has since been widely adopted for email authentication.
How does DKIM work?
DKIM adds a signature header to each email, and that header is secured with public-key cryptography. This DKIM signature acts as a tamper-evident seal: it lets the receiver verify that the email actually comes from the domain it claims to come from and that it hasn’t been altered along the way.
To use DKIM, email servers are configured to attach special signatures to the emails they send. These signatures travel with the emails and are verified along the way by the email servers that move the emails toward their final destination.
What is a DKIM Signature?
Each DKIM signature contains all the information needed for an email server to verify that the signature is real, and it is created with a pair of cryptographic keys. The originating email server signs the email with what is called the “private key,” and the receiving mail server or ISP verifies that signature with the other half of the keypair, called the “public key.”
DKIM selectors are found in the DKIM-Signature header and indicate where the public key portion of the DKIM keypair exists in DNS.
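To show how the selector points a receiver at the public key, the following added example (not from the original article) parses a DKIM-Signature header and builds the DNS name to query. It assumes the standard layout from RFC 6376, where the key is a TXT record at `<selector>._domainkey.<domain>`; the function names, the header, the selector `mail2024`, the domain and the key record are all constructed for illustration.

```python
import re

# Constructed sample data: a folded DKIM-Signature header and a key record.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=Example.com;\r\n"
    "\ts=mail2024; h=from:to:subject;\r\n"
    "\tbh=Y29uc3RydWN0ZWQ=; b=c2FtcGxl\r\n"
    "\t c2ln"
)
SAMPLE_TXT = "v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQtS0VZ"


def parse_tags(value):
    """Split a DKIM 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        name, sep, val = part.partition("=")  # values may themselves contain '='
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = val.strip()
    return tags


def key_location(header):
    """Return the DNS name where the signature's public key is published."""
    field, _, value = header.partition(":")
    if field.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    # Unfold the header: drop line breaks that are followed by whitespace.
    tags = parse_tags(re.sub(r"\r?\n(?=[ \t])", "", value))
    for required in ("d", "s"):
        if not tags.get(required):
            raise ValueError(f"missing {required}= tag")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def key_is_usable(txt_record):
    """False when the record has no key data (an empty p= marks a revoked key)."""
    tags = parse_tags(txt_record)
    return bool("".join(tags.get("p", "").split()))


if __name__ == "__main__":
    print(key_location(SAMPLE_HEADER))
    print(key_is_usable(SAMPLE_TXT))
```

A receiver that cannot find a record at that name, or finds one with an empty `p=`, has no key to check the signature against, so the signature cannot pass.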