
DKIM (DomainKeys Identified Mail), explained

DKIM (DomainKeys Identified Mail) is an email authentication method that uses public-key cryptography to sign emails and verify that the message body and attachments were not altered in transit.

Spammers and hackers might try to intercept your messages and send malicious emails on behalf of your domain, which will damage your email security and overall domain reputation. And if a lot of people start receiving fraudulent messages that look like they’re coming from you, they will get annoyed and send them straight to the spam folder—so you might find yourself on a list of bad senders you should not have been on in the first place.

[Image: a tweet from an email deliverability expert stressing the importance of setting up DKIM and SPF to prevent spam. Caption: “This was true in 2017, it’s still very much true today.”]

We wrote everything you need to know about DKIM below—but before you get started, how about a 4-minute video about DKIM featuring a bunch of very authentication-focused puppies?

Why you should implement DKIM

If you want to build a good, long-term reputation with internet service providers (ISPs) and make sure that your emails appear legitimate to recipients, then you’ll benefit from implementing DKIM.

Having emails signed with DKIM confirms your legitimacy and trustworthiness as a sender, which helps deliver your messages to a recipient’s inbox rather than to their junk or spam folders. Over time, DKIM can have a positive impact on your domain reputation, improving your email deliverability.

What is a DKIM record?

A DKIM record is a specially formatted DNS TXT record that stores the public key to be used by receiving mail servers when verifying a message’s signature. A DKIM record might look something like this:



  • v=DKIM1 indicates the DKIM version
  • p indicates the type of key (in this case, public)
  • The very long string that starts with MIGfMA0GC is the public key itself

The DKIM record is often made available by the provider that’s sending your email (like Postmark. That’s us 👋); you, as a domain owner, will then add it to the DNS records on the sending domain.
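To make the record format concrete, here is an added example (not Postmark's code) that parses a DKIM TXT record and reports its version, key type, revocation state and RSA modulus size. The sample record is constructed: it wraps a made-up 1024-bit modulus in valid DER framing, so its p= value begins with the same MIGfMA0GC prefix mentioned above but is not a usable key.

```python
import base64, binascii

def _tlv(buf, i):
    """Read one DER tag-length-value at offset i; return (tag, value, next offset)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                        # long form: low 7 bits = count of length bytes
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def rsa_bits(der):
    """Modulus size of an RSA SubjectPublicKeyInfo, the structure carried in p=."""
    _, spki, _ = _tlv(der, 0)           # outer SEQUENCE
    _, _, j = _tlv(spki, 0)             # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _tlv(spki, j)        # BIT STRING wrapping the RSA key
    _, rsakey, _ = _tlv(bitstr[1:], 0)  # drop the unused-bits byte
    _, modulus, _ = _tlv(rsakey, 0)     # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def audit_record(txt):
    """Summarise a DKIM TXT record: version, key type, revocation, key size."""
    tags = {k.strip(): "".join(v.split())
            for k, v in (t.split("=", 1) for t in txt.split(";") if "=" in t)}
    report = {"version_ok": tags.get("v", "DKIM1") == "DKIM1",
              "key_type": tags.get("k", "rsa"),     # k= defaults to rsa
              "revoked": tags.get("p", "") == "",   # empty p= means the key was withdrawn
              "rsa_bits": None, "malformed": False}
    if not report["revoked"] and report["key_type"] == "rsa":
        try:
            report["rsa_bits"] = rsa_bits(base64.b64decode(tags["p"], validate=True))
        except (binascii.Error, IndexError):
            report["malformed"] = True
    return report

# Constructed sample: valid DER framing around a made-up modulus (not a usable key).
_N = (1 << 1023) | 1
_DER = (bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100")
        + _N.to_bytes(128, "big") + bytes.fromhex("0203010001"))
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(_DER).decode()

if __name__ == "__main__":
    print(audit_record(SAMPLE_RECORD))
```

RFC 8301 tells verifiers to treat RSA keys shorter than 1024 bits as invalid and recommends 2048-bit keys for signers, so the reported size is worth checking against that.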

How DKIM works & what is it used for

The short version: the DKIM process works thanks to a private/public key pair, and requires two main actions.

  • As your email is leaving the sender, a DKIM signature is added to the email and secured with encryption. The email gets signed with a private key in the shape of a unique ‘hash’ string of characters.
  • Recipient servers then use the public key published to your domain’s DNS to check your DKIM signature on incoming messages. Once the signature is verified with the public key by the recipient, the message passes DKIM and is considered authentic—which means the source of the message has been verified, and the body wasn’t changed in transit.
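The "body wasn't changed in transit" part of that check can be shown in isolation. This added example (not Postmark's code) recomputes the body hash a receiver compares against the bh= tag of a DKIM-Signature header, using the canonicalization rules from RFC 6376. The message, domain and selector are constructed, and the b= signature over the headers, which needs the public key from DNS, is left as a placeholder and not verified here.

```python
import base64, hashlib, re

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())   # drop folding whitespace
    return tags

def canon_body(body, mode):
    """Body canonicalization from RFC 6376 section 3.4 ('simple' or 'relaxed')."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":   # collapse runs of spaces/tabs, drop them at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":   # trailing empty lines are ignored
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, tags):
    """Base64 digest of the canonicalized body, as carried in the bh= tag."""
    algo = "sha1" if tags["a"].endswith("sha1") else "sha256"
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    return base64.b64encode(hashlib.new(algo, canon_body(body, mode)).digest()).decode()

def check_body(signature, body):
    """Report who signed, where the public key lives, and whether the body matches bh=."""
    tags = parse_tags(signature)
    return {"signing_domain": tags["d"],
            "key_lookup": f"{tags['s']}._domainkey.{tags['d']}",
            "body_intact": body_hash(body, tags) == tags["bh"]}

# Constructed sample; b= (the signature over the headers) is a placeholder.
BODY = b"Hi Ana,\r\n\r\nYour invoice is attached.\r\n"
_TAGS = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; h=from:to:subject"
SIGNATURE = f"{_TAGS};\r\n bh={body_hash(BODY, parse_tags(_TAGS))}; b=PLACEHOLDER"

if __name__ == "__main__":
    print(check_body(SIGNATURE, BODY))
    print(check_body(SIGNATURE, BODY.replace(b"invoice", b"payment link")))
```

With relaxed canonicalization, whitespace changes made by a relay (trailing spaces, extra blank lines at the end) leave the hash unchanged, while any change to the wording makes body_intact false.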

The long version:

[Figure: a flowchart visualizing the checks required for a DKIM pass]

There are quite a few steps to the process, but they are definitely too much for this page 😉 If you are curious and ready to go down an extremely convoluted DKIM rabbit hole, we wrote a very detailed 3-chapter guide to explain how the whole thing works.

Some frequently asked questions about DKIM

What’s the difference between SPF, DKIM, and DMARC?

DKIM, SPF, and DMARC are three email authentication systems that protect recipients from spammers, scammers, and spoofers pretending to be someone they are not and sending fraudulent mail.

  • SPF (Sender Policy Framework) is a domain-based way to determine what IPs are allowed to send email on somebody’s behalf.

  • DKIM (DomainKeys Identified Mail) is a message-based signature that uses asymmetric cryptography to sign email and verify that a message was not altered in transit.

  • DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on top of SPF and DKIM and instructs receivers to approve, quarantine, or reject email messages.

Is my email 100% safe with DKIM?

The short answer is no: just because DKIM passes, doesn’t mean the message is above suspicion. The DKIM Signature also assigns a “responsible party” to the message. For example, Postmark uses its own domain to sign DKIM for every outgoing message, and receivers weigh Postmark’s reputation *heavily* when filtering mail.

Can I still send email without setting up DKIM?

DKIM is compatible with existing email infrastructure and works with SPF and DMARC to create multiple layers of security for domains sending emails. Mail servers that don’t support DKIM signatures are still able to receive signed messages without any problems—it’s an optional security protocol, and DKIM is not a universally adopted standard.

This post was originally published Nov 23, 2022
