What is DKIM?
DKIM (DomainKeys Identified Mail) cryptographically signs each outgoing message. The receiver fetches your public key from DNS and verifies the signature, proving the message was authorized by someone who controls your domain — and that it wasn't modified in transit.
How it works
- Your mail server (Google Workspace, M365, SendGrid, etc.) generates an RSA or Ed25519 keypair.
- It publishes the public key at a known DNS location: <selector>._domainkey.<your-domain>.
- When sending a message, it computes a signature over the headers and body using the private key and adds a DKIM-Signature: header.
- Receivers parse the header, fetch your public key, and verify the signature.
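As an added example (not from the original page or any particular ESP), here are the receiver-side steps above in Python without a crypto library: parse the DKIM-Signature tags, build the <selector>._domainkey.<domain> lookup name, and recompute the bh= body hash with RFC 6376 canonicalization. The RSA/Ed25519 check of the b= tag is omitted, and the sample body and the selector1/example.com values are constructed.

```python
"""Receiver-side DKIM checks that need no crypto library: parse DKIM-Signature tags,
derive the DNS key location, and recompute bh= per RFC 6376. b= is not verified."""
import base64
import hashlib
import re

def parse_tags(header_value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def dkim_dns_name(tags: dict) -> str:
    """The TXT record a receiver queries: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def simple_body(body: bytes) -> bytes:
    """Simple canonicalization: drop trailing empty lines; an empty body is one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def relaxed_body(body: bytes) -> bytes:
    """Relaxed canonicalization: strip trailing WSP, collapse WSP runs, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon: str = "relaxed", algo: str = "sha256") -> str:
    """The bh= tag value: base64 of the hash over the canonicalized body."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.new(algo, canonical).digest()).decode()

def check_body_hash(dkim_sig: str, body: bytes) -> bool:
    """Receiver step: a bh= mismatch means the body changed after signing."""
    tags = parse_tags(dkim_sig)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"
    algo = tags.get("a", "rsa-sha256").split("-")[-1]
    return tags.get("bh") == body_hash(body, body_canon, algo)

# Constructed sample: the body as signed, and a DKIM-Signature value whose
# bh= came from the same routine (b= is a placeholder, not a real signature).
SAMPLE_BODY = b"Hello  world\r\nThis is a test.\r\n\r\n"
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;"
              " h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER")
```

Under relaxed canonicalization a relay that reflows whitespace leaves bh= intact, while any change to the text itself makes the check fail.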
What a DKIM record looks like
selector1._domainkey.example.com TXT
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
Selectors
The "selector" lets you publish multiple keys for the same domain — useful for key rotation (publish the new one, switch signing, retire the old). Every ESP picks its own selector name; see the selector cheat sheet or use the DKIM Selector Finder to discover what's published for a domain.
Key length
Use 2048-bit RSA keys. 1024-bit is fine but ageing; below 1024 is considered broken and receivers may downgrade or fail the signature.
DKIM doesn't prevent spoofing on its own
A spammer who controls a different domain can sign their own mail with their own DKIM — the signature will validate, just not as you. DKIM only proves "this message wasn't tampered with after the signer signed it." To tie DKIM authentication to the From: address users see, you need DMARC.