Cryptographically sign outgoing email so receivers can verify it wasn't tampered with in transit.
DKIM uses public-key cryptography to sign outgoing messages. The sending server attaches a digital signature to each email's headers; receivers verify the signature using a public key in DNS. If the message was modified in transit, the signature verification fails.
Defined in RFC 6376, DKIM is one of three core authentication standards alongside SPF and DMARC.
A key pair is generated — private key (signs outgoing mail), public key (published in DNS). Every outgoing message receives a DKIM-Signature header with a signed hash of selected headers and body content.
The selector appears in the DKIM-Signature header, allowing multiple keys to coexist — one per ESP or signing source. Receivers look up the public key by selector and verify the signature.
DKIM proves your domain authorised the message and the content wasn't changed after signing. For DMARC alignment, DKIM is often more reliable than SPF because it survives email forwarding — SPF breaks when forwarded through third-party servers.
EmailExacto automatically probes for DKIM selectors across 9 common names for every monitored domain.
✓ Use 2048-bit RSA keys or Ed25519 for stronger cryptographic security.
✓ Configure DKIM for every sending source — each needs its own key.
✓ Rotate DKIM keys annually or on suspected compromise.
✓ Use a unique selector per key so you can rotate one independently.
✓ Verify DKIM is signing before sending — check the DKIM-Signature header of a test message.
✓ Keep your private key secure — compromise allows forgery of signed email from your domain.
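One way to check the DKIM-Signature header of a test message, as an added example that is not code from this page or from EmailExacto. It parses the header's tag list, derives the DNS name where receivers look up the public key for that selector, and flags a few weaknesses; the checks on `a=` and `l=` go beyond the list above. The sample message, the domain `example.com`, the selector `mail2024` and the function names are constructed for illustration.

```python
import email

# Constructed test message: domain, selector and signature values are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    " s=mail2024; h=from:to:subject:date;\r\n"
    " bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDER\r\n"
    " SIGNATURE=\r\n"
    "From: Alice <alice@example.com>\r\n"
    "To: bob@example.net\r\n"
    "Subject: DKIM test\r\n"
    "\r\n"
    "Hello\r\n"
)
REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")    # mandatory tags in RFC 6376
ACCEPTED = ("rsa-sha256", "ed25519-sha256")        # rsa-sha1 is deprecated (RFC 8301)

def parse_tags(value):
    """Split a tag=value list on ';' and drop folding whitespace inside values."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())
    return tags

def inspect_dkim(raw_message):
    """Return one report per DKIM-Signature header found in the message."""
    msg = email.message_from_string(raw_message)
    reports = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        signed = [h.lower() for h in tags.get("h", "").split(":") if h]
        findings = [f"missing required tag {t}=" for t in REQUIRED if t not in tags]
        if "a" in tags and tags["a"] not in ACCEPTED:
            findings.append(f"weak or unknown algorithm {tags['a']}")
        if "from" not in signed:
            findings.append("From header is not covered by the signature")
        if "l" in tags:
            findings.append("l= tag present: body beyond that length is unsigned")
        # Receivers fetch the public key from a TXT record at this name.
        has_key_ref = "s" in tags and "d" in tags
        dns_name = f"{tags['s']}._domainkey.{tags['d']}" if has_key_ref else None
        reports.append({"dns_name": dns_name, "algorithm": tags.get("a"),
                        "signed_headers": signed, "findings": findings})
    return reports

if __name__ == "__main__":
    for report in inspect_dkim(SAMPLE):
        print(report)
```

An empty result means the message carries no DKIM-Signature header at all, so that sending source is not signing.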