Sender logo
  • Log in
  • Start With Free Plan
    Grow your business, not your expenses
    Turn curious visitors into devoted fans and drive more sales – no cost to get started!
    • Free Forever plan for 2,500 subscribers and up to 15,000 emails/month
    • Free & responsive email templates library
    • Free popups & forms
    • Intuitive drag-and-drop email builder
    • Unlimited automation and segmentation
    • Premade automation workflows
Start free
Menu

DKIM Record

Deliverability & Technical Infrastructure

DKIM Record: What It Is & How It Works

A DKIM record is a DNS text entry that stores a public cryptographic key — used by receiving mail servers to verify that an email genuinely came from the claimed domain and hasn’t been tampered with in transit. It’s one of the three pillars of email authentication, sitting alongside SPF and DMARC.

DKIM, which stands for DomainKeys Identified Mail, is an email authentication method that uses public-key cryptography to sign emails and verify that the message body and attachments were not altered in transit.

The key word there is integrity. DKIM doesn’t just verify where an email came from — it also confirms that the content wasn’t changed between the sender’s server and the recipient’s inbox. Think of it like a tamper-evident seal on a package. If the seal is broken, something happened in transit. If it’s intact, you can trust the contents arrived as sent.

How DKIM Works: Public and Private Keys

DKIM operates on a public/private key pair — a concept from cryptography that shows up throughout digital security.

The email provider generates both a public key and a private key. The private key is kept secret by the sender, who uses it to sign each outgoing message. The public key is stored in the domain’s DNS as the DKIM record.

When a receiving server gets an email, it retrieves the public key from DNS and uses it to verify the signature — if the correct private key was used and the content hasn’t been altered, the email passes the DKIM check.

The process, step by step:

  1. The sending server signs the outgoing email with the private key, generating a unique hash
  2. That signature is added invisibly to the email’s header
  3. The receiving server queries the sender’s DNS for the public DKIM key
  4. It uses that key to decrypt the hash and compare it with its own version
  5. If they match — DKIM passes. If not — something changed, and the email fails authentication

Neither the sender nor the recipient sees any of this. It all happens server-to-server, invisibly.

What the DKIM Record Actually Contains

A DKIM record is a specially formatted DNS TXT record that stores the public key used by receiving mail servers when verifying a message’s signature. It’s published in a domain’s DNS under a name that includes a selector — a label that identifies which key to use, since a domain can have multiple DKIM keys active at once.

A typical DKIM record looks something like:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA…

Where v=DKIM1 identifies the version, k=rsa specifies the encryption algorithm, and p= is the actual public key. The selector functions as a subdomain that differentiates multiple DKIM keys within the same domain — allowing different systems or services to maintain their own unique authentication keys.

So an organisation might have one DKIM key for its transactional email platform and a separate one for its marketing ESP, each with a different selector.

DKIM vs. SPF: What’s the Difference?

Both DKIM and SPF are email authentication methods, but they check different things.

SPF verifies the sending IP — it confirms that the server sending the email is on an approved list for that domain. DKIM, on the other hand, verifies that the data included in the signature was not changed in transit — it authenticates content integrity, not just the sending source.

SPF can be defeated by email forwarding, which changes the sending IP. DKIM survives forwarding better because it’s tied to the message content itself — not to where it was sent from. This is one reason why having both, rather than relying on either alone, gives much stronger coverage.

Why DKIM Matters for Email Marketers

If you want to build a good, long-term reputation with internet service providers and make sure your emails appear legitimate to recipients, you’ll benefit from implementing DKIM. Having emails signed with DKIM confirms your legitimacy and trustworthiness as a sender, which helps deliver your messages to a recipient’s inbox rather than to their junk or spam folders.

Since April 2024, Gmail and Yahoo have required DKIM (alongside SPF and DMARC) for bulk senders sending more than 5,000 emails per day. Without it, those campaigns face higher rates of filtering and blocking. Beyond compliance, consistent DKIM signing builds domain reputation over time — one of the longer-term signals that inbox providers use to determine whether your emails belong in the inbox.

DKIM also works as a prerequisite for DMARC. DMARC extends both SPF and DKIM — it allows the domain owner to publish a policy in their DNS records specifying how to check the From address and what to do with failures. Without DKIM in place, DMARC’s enforcement options are significantly weakened.

Key Takeaways

  • A DKIM record is a DNS TXT entry that stores a public cryptographic key, used by receiving mail servers to verify that an email was genuinely sent from the claimed domain and wasn’t altered in transit.
  • It works via a public/private key pair: the sender signs outgoing emails with a private key; receiving servers verify the signature using the public key stored in DNS.
  • The selector within a DKIM record allows a domain to maintain multiple active DKIM keys — useful when using different platforms or services to send email.
  • DKIM verifies content integrity; SPF verifies sending source — they’re complementary, not interchangeable, and most robust email programmes use both.
  • Since 2024, Gmail and Yahoo require DKIM for bulk senders, making it a baseline requirement for inbox deliverability rather than an optional security measure.
Article by:
Author photo
Emily Austin
Emily is a content manager who has dipped her toes in almost all fields of marketing, including email marketing, PR, social media, and ecommerce. She’s also no stranger to testing out marketing tools, always keen to find out whether they truly deliver or are just full of big promises. She loves perfecting digital content, ensuring everything is polished and ready to go live.
Simple email marketing with affordable pricing
  • Premium features included
  • No hidden costs or usage limits
  • Scale from startup to enterprise
Start With Free Plan Compare Plans
Join over 180,000 companies using Sender
Simple email builder illustration