DKIM Authentication: How to Sign and Verify Your Emails

Master DKIM email authentication: understand how DKIM signatures work, how to set up DKIM records, and troubleshoot common DKIM validation issues.

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was actually sent by the claimed domain and hasn't been tampered with in transit.

How DKIM Works

DKIM adds a digital signature to email headers:

  1. Sending server signs email with private key
  2. Email header contains DKIM-Signature
  3. Receiving server retrieves public key from DNS
  4. Verification of signature using public key
  5. Result: Pass or Fail

DKIM Record Structure

DNS Record

selector._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."

Components:

  • selector: Identifier (e.g., "google", "default")
  • v=DKIM1: DKIM version
  • k=rsa: Key type (RSA)
  • p=...: Public key (base64 encoded)

Email Header

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=selector;
  h=from:to:subject:date;
  bh=base64hash;
  b=signature

Setting Up DKIM

Step 1: Generate Key Pair

# Generate 2048-bit RSA key
openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem

Step 2: Configure Mail Server

Postfix + OpenDKIM:

# /etc/opendkim.conf
Domain example.com
Selector default
KeyFile /etc/opendkim/keys/default.private

Step 3: Publish DNS Record

Type: TXT
Name: default._domainkey
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA...
TTL: 3600

Common DKIM Selectors

  • default: Generic selector
  • google: Google Workspace
  • k1, k2: Multiple keys (rotation)
  • s1, s2: SendGrid
  • m1: Mailchimp

Checking DKIM Records

Use MXToolbox.eu DKIM checker:

  1. Enter domain
  2. Enter selector (or try common ones)
  3. Tool fetches public key from DNS
  4. Validates record syntax
  5. Shows key details

Common DKIM Issues

1. Selector Not Found

Error:

DKIM record not found for selector 'default'

Solution: Try other selectors

  • google._domainkey
  • k1._domainkey
  • selector1._domainkey

2. Invalid Public Key

Problem: Syntax error in DNS record

v=DKIM1; k=rsa; p=INVALID-KEY

Solution: Re-generate and re-publish key

3. Key Too Short

Problem: Key < 1024 bits (insecure)

Solution: Use 2048-bit key minimum

openssl genrsa -out key.pem 2048

4. Multiple DKIM Records

Problem: Two+ TXT records for same selector

Solution: Only ONE record per selector
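The checks described in "Checking DKIM Records" and the four issues above, as an added example (not code from the page or from any checker it names): a standard-library-only Python linter that parses the tag=value syntax shared by the DNS record and the DKIM-Signature header, base64-decodes p=, reads the RSA modulus size out of the DER SubjectPublicKeyInfo, and reports missing or invalid keys, short keys, and duplicate records. All function names are this example's own; `fake_record` builds constructed sample records around a synthetic modulus, so they are well-formed but not usable keys.

```python
import base64
def parse_tags(text):                                   # DKIM tag=value list: used by the DNS record and the header
    tags = {}
    for item in text.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # folding whitespace inside a value is ignored
    return tags

def _der_read(buf, pos=0):                              # one DER tag-length-value -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):                             # modulus size of the DER SubjectPublicKeyInfo in p=
    _, body, _ = _der_read(spki)                        # SEQUENCE { algorithm, subjectPublicKey }
    _, _, after_alg = _der_read(body)                   # skip AlgorithmIdentifier (rsaEncryption)
    _, bitstring, _ = _der_read(body, after_alg)        # BIT STRING: unused-bits byte + RSAPublicKey
    _, rsa_key, _ = _der_read(bitstring[1:])            # SEQUENCE { modulus INTEGER, exponent INTEGER }
    return int.from_bytes(_der_read(rsa_key)[1], "big").bit_length()

def check_dkim_records(records):
    """Lint the TXT record(s) found at selector._domainkey.<domain>; returns findings (empty list = OK)."""
    findings = []
    if len(records) != 1:
        findings.append(f"{len(records)} TXT records at the selector name; exactly one is allowed")
    for tags in map(parse_tags, records):
        if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":   # both tags are optional
            findings.append("v= must be DKIM1 and k= must be rsa when present")
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))  # KeyError if p= is absent
        except Exception:                               # absent/empty p=, bad base64, or not an RSA SPKI
            findings.append("p= is missing, empty, or not a base64-encoded DER RSA public key")
            continue
        if bits < 2048:
            findings.append(f"{bits}-bit key: " + ("below the 1024-bit minimum" if bits < 1024 else "weak, use 2048 bits"))
    return findings

# Constructed sample records (hypothetical): the modulus is synthetic, so these are NOT usable keys, only well-formed ones.
def _der(tag, content):                                 # minimal DER TLV encoder (long-form lengths included)
    n, size = len(content), (len(content).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")) + content
def fake_record(bits):                                  # TXT record whose p= modulus has exactly `bits` bits
    integer = lambda v: _der(0x02, (b"\x00" if v.bit_length() % 8 == 0 else b"") + v.to_bytes((v.bit_length() + 7) // 8, "big"))
    rsa_key = _der(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    spki = _der(0x30, bytes.fromhex("300d06092a864886f70d0101010500") + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
SIGNATURE_HEADER = "v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n d=example.com; s=selector;\r\n h=from:to:subject:date;"
```

Pass one string per TXT record found at the selector name; a record longer than 255 characters is served as several character-strings that must be concatenated before linting, which is also where stray whitespace from copy-pasting tends to creep in.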

DKIM Best Practices

  • 2048-bit keys: more secure
  • Rotate keys: every 6-12 months
  • Multiple selectors: for key rotation
  • Sign all headers: especially From, Subject, Date
  • Test thoroughly: send test emails

DKIM vs SPF vs DMARC

| Protocol | Purpose               | How It Works            |
|----------|-----------------------|-------------------------|
| SPF      | Authorize sending IPs | DNS TXT record          |
| DKIM     | Sign email content    | Cryptographic signature |
| DMARC    | Policy enforcement    | SPF + DKIM alignment    |

Use all three for complete protection! 🛡️

Troubleshooting DKIM

Signature Verification Failed

  1. Check DNS record published correctly
  2. Verify selector matches email header
  3. Ensure public/private keys match
  4. Check for whitespace in DNS record

Headers Not Signed

Problem: Important headers excluded

Solution: Configure mail server to sign:

h=from:to:subject:date:message-id

DKIM for Email Services

Google Workspace

Selector: google._domainkey
Auto-configured by Google

Microsoft 365

Selector: selector1._domainkey, selector2._domainkey
Two selectors for key rotation

SendGrid

Selectors: s1._domainkey, s2._domainkey
Configure in SendGrid dashboard

Conclusion

DKIM is critical for:

  • Preventing email tampering
  • Improving deliverability
  • Building sender reputation
  • Passing DMARC alignment

Implement DKIM correctly to ensure your emails reach the inbox.

Check your DKIM configuration with our free DKIM checker.
