DKIM

Understand how DKIM (DomainKeys Identified Mail) works and how to configure it so mailbox providers can verify that your messages are authentic.

DKIM (DomainKeys Identified Mail)

DKIM is a digital signature added to your emails so inbox providers can verify that the message really comes from your domain and was not changed in transit.

What it is

DKIM is an authentication check that uses a digital signature in your email header and a public key published in a DNS TXT record on your domain to prove that you are the real sender.

Why it matters for deliverability

When DKIM is set up correctly, inbox providers like Gmail and Outlook trust your emails more, which helps them land in the inbox instead of spam.

How it works

Your email system signs each outgoing email with a private key. Receiving servers look up the matching public key in your DKIM record in DNS and use it to verify the signature. If the signature verifies, they know the email is authentic and was not altered.

Example DKIM DNS record

Here is a simple example DKIM TXT record for selector `mail` on domain `example.com`:

Host/Name: mail._domainkey.example.com

Type: TXT

Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A... (public key)

Common problems

  • DKIM record added on the wrong hostname (for example, `example.com` instead of `selector._domainkey.example.com`).
  • Extra spaces, missing quotes, or line breaks in the DKIM TXT record.
  • Using an old DKIM selector that no longer exists or was rotated.
  • Your sending service signs with a selector that does not match the record in DNS.
  • Multiple TXT records on the same host causing the DKIM record to be split or unreadable.

How to improve

  • Copy the DKIM record exactly as provided by your email service (such as Mailgun, SendGrid, or Amazon SES).
  • Make sure the DKIM host name includes the selector, for example `mail._domainkey.yourdomain.com`.
  • Use DNS lookup tools to confirm your DKIM record is visible and not truncated.
  • Rotate DKIM keys periodically if your provider supports it, especially after account changes.
  • Ensure all tools and apps sending emails on your behalf are configured to sign with DKIM.
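
The checks from the two lists above, as an added example (not code from this page or from any email provider): a Python function that takes a DKIM host name and the TXT strings a DNS lookup returned for it, and reports a wrong host name, multiple TXT records, stray whitespace, and truncated or edited keys. The function names, the messages, and the zero-filled sample key are constructed for illustration.

```python
import base64
import binascii
import re

def der_total_length(der):
    """Length the outer DER SEQUENCE declares for itself, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_dkim_record(host, txt_records):
    """List problems for a DKIM host and its TXT records (each a list of strings)."""
    problems = []
    if not re.fullmatch(r".+\._domainkey\..+", host.rstrip(".").lower()):
        problems.append("host is not <selector>._domainkey.<domain>")
    # Strings inside one TXT record are concatenated with nothing in between.
    records = ["".join(parts) for parts in txt_records]
    if len(records) > 1:
        problems.append("more than one TXT record at this host")
    record = next((r for r in records if "p=" in r), "")
    tags = {}
    for item in record.split(";"):
        name, _, value = item.partition("=")
        tags[name.strip()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if "p" not in tags:
        return problems + ["no p= (public key) tag found at this host"]
    if re.search(r"\s", tags["p"]):
        problems.append("whitespace inside p= (pasted line break or space)")
    key = re.sub(r"\s+", "", tags["p"])
    if not key:
        return problems + ["empty p= (key revoked)"]
    try:
        der = base64.b64decode(key, validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64 (truncated or edited)"]
    if tags.get("k", "rsa") == "rsa" and der_total_length(der) != len(der):
        problems.append("RSA key length does not match its DER header (truncated)")
    return problems

# Constructed sample: outer DER framing of a 2048-bit key, zero-filled (not a real key).
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x22]) + bytes(290)
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_DER).decode()
```

Pass the host name you queried and one list of strings per TXT record returned; an empty result means none of these problems were found, not that the key matches the one your sending service signs with.
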

Best practices

  • Enable DKIM for every domain that sends email, including subdomains like `news.example.com`.
  • Use one DKIM selector per sending platform (for example, `mail` for your main ESP, `notify` for your app).
  • Avoid editing DKIM keys manually; use copy–paste from your provider’s dashboard.
  • After changes, send a test email to major inboxes and check the message headers for `DKIM=pass`.
  • Keep a record of which DKIM selectors are in use and by which service so you can safely remove unused ones.