What is DKIM? Email Authentication Explained

Learn how DKIM (DomainKeys Identified Mail) protects your emails from spoofing and improves deliverability. Complete guide with setup examples.

Updated December 20, 2025

DKIM (DomainKeys Identified Mail) is an email authentication method that allows receiving mail servers to verify that an email was actually sent by the domain it claims to be from and that the message wasn't altered in transit.

Think of DKIM as a digital signature for your emails—like a wax seal on a letter that proves it's authentic and hasn't been tampered with.

How DKIM Works

DKIM uses cryptographic authentication to validate emails. Here's the process:

1. The Sending Server Signs the Email

When you send an email, your email server adds a DKIM signature to the email header. This signature is created using a private key that only your server knows.

2. The Signature is Added to Headers

The DKIM signature includes a hash of specific email components (like the subject, body, and sender) and is added to the email headers as a "DKIM-Signature" field.

3. The Receiving Server Verifies

When the email arrives, the receiving server looks up your domain's public DKIM key in DNS, then uses it to verify the signature. If everything matches, the email passes DKIM authentication.

4. Delivery Decision

Passing DKIM verification improves your sender reputation and deliverability. Failing or missing DKIM may result in emails being flagged as suspicious or sent to spam.

Technical Detail

DKIM uses asymmetric cryptography (public/private key pairs). The private key stays secure on your mail server, while the public key is published in your DNS records for anyone to verify.

What Does a DKIM Record Look Like?

A DKIM record is a TXT record in your DNS that contains your public key. Here's an example:

Example DKIM DNS Record
default._domainkey.yourdomain.com  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSma0axspqYK5iAj+54lsAg4qRRCnpKK68hawSJfliq9vKD6czJ..."

# Breaking down the components:
# v=DKIM1          -> DKIM version
# k=rsa            -> Key type (RSA)
# p=MIGfMA0...     -> Public key (base64 encoded)

Selector Names

The "default" in default._domainkey is called a selector. You can use different selectors to rotate keys or separate different email streams (e.g., marketing, transactional).

Why DKIM Matters for Email Deliverability

Prevents Email Spoofing

DKIM makes it nearly impossible for spammers to forge a validly signed email from your domain. The cryptographic signature can't be replicated without your private key.

Improves Deliverability

Major email providers (Gmail, Outlook, Yahoo) use DKIM as a trust signal. Emails with valid DKIM signatures are more likely to reach the inbox.

Protects Brand Reputation

By preventing domain spoofing, DKIM protects your brand from being used in phishing attacks that could damage your reputation.

Enables DMARC

DKIM is a prerequisite for implementing DMARC, which provides even stronger email authentication and reporting capabilities.

Gmail & Yahoo Requirements

As of February 2024, Gmail and Yahoo require DKIM authentication for bulk senders (5,000+ emails/day). Even if you send less, implementing DKIM is considered a best practice.

What Does a DKIM Signature Look Like?

When you send an email, the DKIM signature is added to the email headers. Here's what it looks like:

DKIM-Signature Header Example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=yourdomain.com; s=default;
  h=from:subject:date:message-id:to;
  bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
  b=GJwP3Qr8KqKKKNT5HL8j3fjXvLEm9KmZs6YdO2KqEqr...

# Key components:
# v=1                -> DKIM version
# d=yourdomain.com   -> Signing domain
# s=default          -> Selector (matches DNS record)
# h=from:subject...  -> Headers included in signature
# bh=frcCV1...       -> Hash of email body
# b=GJwP3Q...        -> The actual signature
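
An added example (not from the original article and not Plunk's code) that parses the tag lists used by the DKIM-Signature header and the DNS record, derives the DNS name a receiver queries from s= and d=, and flags a few problems worth checking when reviewing a message's headers. The function names are hypothetical, and the b= and p= values are placeholders because the page truncates them.

```python
import re

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (same syntax in the header and the DNS record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            # Folding whitespace is dropped; fine for the tags inspected here.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dns_name(sig: dict) -> str:
    """Where the receiver looks up the public key: <selector>._domainkey.<domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def audit(sig: dict, record: dict) -> list:
    """Return findings for a signature header and its matching DNS record."""
    findings = []
    signed = [h.lower() for h in sig.get("h", "").split(":")]
    if "from" not in signed:
        findings.append("From header is not signed (RFC 6376 requires it in h=)")
    if sig.get("a") == "rsa-sha1":
        findings.append("rsa-sha1 is obsolete (RFC 8301); use rsa-sha256")
    if record.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected record version")
    if record.get("p", "") == "":
        findings.append("empty p=: key revoked or record incomplete")
    if record.get("k", "rsa") != sig.get("a", "").split("-")[0]:
        findings.append("record key type does not match signature algorithm")
    return findings

# Constructed inputs based on the article's examples; b= and p= are placeholders.
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n  d=yourdomain.com; s=default;\r\n"
          "  h=from:subject:date:message-id:to;\r\n"
          "  bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;\r\n  b=PLACEHOLDER")
RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDER"
WEAK_HEADER = "v=1; a=rsa-sha1; d=yourdomain.com; s=default; h=subject:date; b=PLACEHOLDER"
REVOKED_RECORD = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    sig = parse_tags(HEADER)
    print(dns_name(sig), audit(sig, parse_tags(RECORD)))
    print(audit(parse_tags(WEAK_HEADER), parse_tags(REVOKED_RECORD)))
```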

How Plunk Simplifies DKIM

Setting up DKIM manually can be complex, but Plunk makes it automatic:

1. Automatic Key Generation

Plunk automatically generates secure DKIM key pairs for your domain when you add it to your account.

2. Simple DNS Setup

We provide the exact DNS records you need to add: just copy and paste into your DNS provider.

3. Automatic Signing

Every email you send through Plunk is automatically signed with DKIM. No configuration needed.

4. Verification & Monitoring

Plunk verifies your DKIM setup and monitors authentication status for all your emails.

Ready in Minutes

Most Plunk users have DKIM fully configured and working within 5-10 minutes. Our dashboard guides you through every step.

DKIM Best Practices

✓ Use 2048-bit Keys

While 1024-bit keys still work, 2048-bit keys provide better security and are recommended by Gmail and other providers.

✓ Implement SPF and DMARC Too

DKIM works best when combined with SPF and DMARC for comprehensive email authentication. Use all three for maximum protection.

✓ Monitor DKIM Status

Regularly check that your DKIM signatures are passing. Most email platforms provide authentication reports.

✓ Rotate Keys Periodically

For enhanced security, rotate your DKIM keys every 6-12 months. Plan key rotation carefully to avoid delivery disruptions.

✗ Don't Share Private Keys

Your DKIM private key should never be shared or stored insecurely. Treat it like a password.

✗ Don't Use the Same Key Across Domains

Each domain should have its own unique DKIM key pair for security and proper authentication.