
What is DKIM?

DomainKeys Identified Mail is the digital signature on your emails — it proves that the content and sender were not altered on the way to the recipient.

The idea in one sentence

Your mail server adds a cryptographic signature to every outgoing message. The recipient fetches your public key from DNS and checks whether the signature matches.

[Figure: DKIM signs at the sender, verifies at the recipient. Your mail server signs the email with its private key; the recipient server fetches the public key from DNS and verifies the hash.]

What exactly is signed?

DKIM forms a hash over a configurable part of the message — typically the body and important headers like From, To, Subject, Date. The hash is signed with your private key and attached to the mail as an extra DKIM-Signature header.
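To make "a hash over a configurable part of the message" concrete, the following added example (not code from the original page) implements the two body canonicalization modes from RFC 6376, computes the bh= body hash, and assembles the exact byte string whose SHA-256 digest the private key then signs: the canonicalized headers named in h= followed by the DKIM-Signature header itself with an empty b= tag. The RSA signing step is left out, since it only needs a library call over the digest returned here. The message headers and body are constructed sample data.

```python
import base64
import hashlib
import re


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # strip trailing whitespace per line, collapse runs of WSP to one space
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    # drop empty lines at the end of the body
    while lines and lines[-1] == b"":
        lines.pop()
    # a non-empty body ends with exactly one CRLF; an empty body stays empty
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 section 3.4.3 'simple' body canonicalization."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    canon_fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    return base64.b64encode(hashlib.sha256(canon_fn(body)).digest()).decode()


def canon_header_relaxed(name: str, value: str) -> bytes:
    """RFC 6376 section 3.4.2: lowercase name, unfold, collapse WSP, trim."""
    value = value.replace("\r\n", "")
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower().strip()}:{value}\r\n".encode()


def signature_input(headers, body, domain, selector, signed_names):
    """Return the DKIM-Signature value (b= left empty) and the hex SHA-256 of the
    byte string the private key signs (RFC 6376 section 3.7)."""
    bh = body_hash(body)
    sig_value = (
        f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
        f"h={':'.join(signed_names)}; bh={bh}; b="
    )
    data = b""
    for name in signed_names:
        # when a header occurs several times, the signer takes the last instance
        value = next(v for n, v in reversed(headers) if n.lower() == name.lower())
        data += canon_header_relaxed(name, value)
    # the DKIM-Signature header itself is hashed last, without its trailing CRLF
    data += canon_header_relaxed("DKIM-Signature", sig_value).rstrip(b"\r\n")
    return sig_value, hashlib.sha256(data).hexdigest()


# Constructed sample message (not taken from the page)
HEADERS = [
    ("From", "Alice <alice@firma.at>"),
    ("To", "bob@example.com"),
    ("Subject", "Invoice   March"),  # extra spaces: relaxed canonicalization collapses them
    ("Date", "Mon, 03 Mar 2025 10:00:00 +0100"),
]
BODY = b"Hello Bob,\r\n\r\nplease find the invoice attached.   \r\n\r\n\r\n"

if __name__ == "__main__":
    value, digest = signature_input(HEADERS, BODY, "firma.at", "selector1",
                                    ["From", "To", "Subject", "Date"])
    print("DKIM-Signature:", value)
    print("digest to be RSA-signed:", digest)
    # any change to the body changes bh=, so the verifier's check fails
    print(body_hash(BODY) == body_hash(BODY + b"one extra line\r\n"))
```

Relaxed canonicalization is why trailing whitespace or blank lines added by an intermediate server do not break the signature, while any change to the text itself does: `body_hash(b"Hi")` equals `body_hash(b"Hi  \r\n\r\n")` but differs from `body_hash(b"Hi!\r\n")`. Note also that the header list is fixed in h=, so a header not listed there can be changed without affecting the signature.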

Example DNS record

; TXT record for selector1._domainkey.firma.at
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN…"

The key fields:

v=DKIM1: the record version (DKIM1 is the only defined value).
k=rsa: the key type; rsa is the default, ed25519 is the other defined type.
p=...: the public key, base64-encoded. An empty p= means the key has been revoked.

Selectors — why?

A selector is a name placed before ._domainkey. in DNS. It lets you operate multiple keys at the same time — handy for key rotation or when several services (e.g. CRM and mail server) sign separately.

DKIM survives forwarding. While SPF often breaks on forwarding, the DKIM signature stays valid — as long as the mail content is not modified. That is a central argument for DKIM.

DKIM alone is not enough

DKIM proves: this message was issued by someone with access to the signing domain's key and was not altered in transit. But it says nothing about whether the visible From address matches the signing domain. Only DMARC checks this alignment.

Practical tips

Frequently asked questions

What is a DKIM selector?

A subdomain prefix under which the public key is published, e.g. selector1._domainkey.example.com. Senders can run multiple selectors in parallel — useful for uninterrupted key rotation.

What key length is safe?

RSA with at least 2048 bits is today's standard. 1024 bits has been considered too weak for years. Ed25519 is a modern key type with much shorter keys, but not every receiving server verifies it yet.
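The DNS record shown above and the key-length answer here can be checked together. The following added example (not code from the original page) parses a DKIM TXT record into its tags, decodes the p= value, reads the RSA modulus length out of the DER SubjectPublicKeyInfo with a small hand-written parser (no third-party library), and reports records that are revoked, undecodable or below 2048 bits. The encoder rsa_dkim_record exists only to construct test records from a chosen modulus. One observation you can verify with it: a p= value beginning with MIGfMA0GCSqGSIb3DQEBAQUAA4GN, as in the record above, is the DER prefix of a 1024-bit RSA key, so this check would flag that record.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)


def parse_dkim_record(txt: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dict; whitespace inside values is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


# Minimal DER helpers: enough for a SubjectPublicKeyInfo carrying an RSA key.
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def _der_seq(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo (what p= carries)."""
    tag, outer, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = _read_tlv(outer, 0)  # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(outer, pos)  # BIT STRING; first byte counts unused bits
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsapub, _ = _read_tlv(bitstr[1:], 0)  # RSAPublicKey ::= SEQUENCE { n, e }
    _, modulus, _ = _read_tlv(rsapub, 0)
    return int.from_bytes(modulus, "big").bit_length()


def rsa_dkim_record(n: int, e: int) -> str:
    """TXT value for an RSA public key (n, e); used here to construct test records."""
    rsapub = _der_seq(_der_int(n), _der_int(e))
    bitstr = b"\x03" + _der_len(len(rsapub) + 1) + b"\x00" + rsapub
    alg = _der_seq(b"\x06" + _der_len(len(RSA_OID)) + RSA_OID, b"\x05\x00")
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(_der_seq(alg, bitstr)).decode()


def check_dkim_record(txt: str, min_rsa_bits: int = 2048) -> list:
    """Return a list of problems; an empty list means the record looks sound."""
    tags = parse_dkim_record(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        problems.append("unknown version " + tags["v"])
    ktype = tags.get("k", "rsa")  # k= defaults to rsa
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("p= is empty (key revoked)")
    else:
        try:
            raw = base64.b64decode(p, validate=True)
            if ktype == "rsa":
                bits = rsa_modulus_bits(raw)
                if bits < min_rsa_bits:
                    problems.append(f"RSA key is only {bits} bits")
            elif ktype == "ed25519":
                if len(raw) != 32:  # RFC 8463: raw 32-byte public key
                    problems.append("ed25519 key must be 32 bytes")
            else:
                problems.append("unknown key type " + ktype)
        except Exception:
            problems.append(f"p= is not a decodable {ktype} public key")
    return problems
```

In practice you would feed check_dkim_record the TXT value returned by a DNS lookup of selector._domainkey.yourdomain; long p= values are often published as several quoted strings, which resolvers concatenate before you parse them.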

How do I rotate DKIM keys without downtime?

Use the dual-selector pattern: publish a new selector, switch the sender over, leave the old selector active for 1–2 weeks, then remove it.

What happens with automatic forwarding?

DKIM signatures usually survive simple forwarding because they are not based on the sender IP. That is an advantage over SPF, which typically fails on forwarding.

Why does the d= tag matter?

The d= tag of the DKIM signature identifies the signing domain. For DMARC it must align with the From domain — otherwise DKIM counts as failed from DMARC's perspective, even if the signature is cryptographically valid.
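The alignment check that DMARC adds on top of a valid signature (the point of both "DKIM alone is not enough" and this answer) is small enough to show in full. The following added example (not code from the original page) extracts d= from a DKIM-Signature header value and the domain from the From header, then compares them in strict mode (exact match) or relaxed mode (same organizational domain). It assumes the organizational domain is the last two labels, which is a simplification: real DMARC verifiers consult the Public Suffix List. The signature value and addresses are constructed sample data.

```python
import re


def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def from_domain(from_header: str):
    """Domain of the address in the RFC 5322 From header (assumes a single address)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else None


def org_domain(domain: str) -> str:
    """ASSUMPTION: organizational domain approximated as the last two labels.
    Real DMARC verifiers use the Public Suffix List (needed for e.g. co.uk)."""
    return ".".join(domain.split(".")[-2:])


def dkim_aligned(from_header: str, dkim_signature: str, adkim: str = "r") -> bool:
    """DMARC DKIM alignment of d= with the From domain: strict ('s') or relaxed ('r').
    A cryptographically valid signature that is not aligned counts as a DKIM fail."""
    d = parse_tags(dkim_signature).get("d", "").lower()
    f = from_domain(from_header)
    if not d or not f:
        return False
    if adkim == "s":
        return d == f
    return org_domain(d) == org_domain(f)


# Constructed sample signature value (not from the page)
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=firma.at; s=selector1; "
       "h=from:to:subject; bh=constructed; b=constructed")

if __name__ == "__main__":
    print(dkim_aligned("Alice <alice@firma.at>", SIG, "s"))          # True
    print(dkim_aligned("alice@news.firma.at", SIG, "s"))             # False: strict needs exact match
    print(dkim_aligned("alice@news.firma.at", SIG, "r"))             # True: same organizational domain
    print(dkim_aligned("alice@firma.at", SIG.replace("d=firma.at", "d=mailer.example"), "r"))  # False
```

The last call is the case the text warns about: a third-party mailer signing with its own d= produces a valid signature that still fails DMARC, because the signing domain and the visible From domain do not align.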