SPF tells receiving servers who is allowed to send mail for your domain. DKIM does something different — and complementary. It proves that the message hasn't been altered in transit.

This Week’s Lesson

DKIM stands for DomainKeys Identified Mail. When your mail server sends a message, it computes a cryptographic signature over selected headers and the message body and adds it to the email headers. The receiving server then looks up your public key in DNS and uses it to verify that signature.

If the signature checks out, DKIM passes. If the message was modified in transit — even by a single character — the signature fails. This lets the receiver detect tampering, for example by a man-in-the-middle who intercepts and modifies your email on the way.

A DKIM record also lives in DNS (as a TXT record holding the public key), but at a special subdomain of the form: selector._domainkey.yourcompany.com

The 'selector' part lets you have multiple DKIM keys — useful when different services send email for you and each one needs its own key.
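The sign-then-verify flow described above, including the DNS name built from the selector, as an added Go example that is not part of the original lesson. The selector s1, the From/Subject headers and the message text are constructed samples; header/body canonicalization is omitted, so this illustrates the mechanism rather than interoperating with a real DKIM verifier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// DNSName is the label a receiver queries for the public key: selector._domainkey.domain
func DNSName(selector, domain string) string {
	return selector + "._domainkey." + domain
}
// DKIMRecord renders the TXT value published at that name: v=DKIM1; k=rsa; p=<base64 key>
func DKIMRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}
// signedDigest mimics DKIM's two-stage hash: body -> bh=, then bh= plus the covered headers.
// Canonicalization is left out; real DKIM applies RFC 6376 simple/relaxed rules first.
func signedDigest(headers []string, body string) []byte {
	bh := sha256.Sum256([]byte(body))
	h := sha256.New()
	for _, hdr := range headers {
		h.Write([]byte(hdr + "\r\n"))
	}
	h.Write([]byte("bh=" + base64.StdEncoding.EncodeToString(bh[:])))
	return h.Sum(nil)
}

// Sign is the sending server's step: RSA-SHA256 over the digest with the private key.
func Sign(priv *rsa.PrivateKey, headers []string, body string) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signedDigest(headers, body))
}

// Verify is the receiver's step, using the public key it fetched from DNS.
func Verify(pub *rsa.PublicKey, headers []string, body string, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, signedDigest(headers, body), sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdrs := []string{"From: billing@yourcompany.com", "Subject: Invoice 42"} // constructed sample
	sig, _ := Sign(priv, hdrs, "Please pay $100.")
	fmt.Println(DNSName("s1", "yourcompany.com"), "TXT", DKIMRecord(&priv.PublicKey)[:20]+"...")
	fmt.Println("intact:", Verify(&priv.PublicKey, hdrs, "Please pay $100.", sig), "tampered:", Verify(&priv.PublicKey, hdrs, "Please pay $900.", sig))
}
```

Changing a single character of the body or of a covered header flips Verify from true to false, which is exactly what a receiving server reports as a DKIM failure.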

SPF and DKIM work as a team. SPF checks the sending server. DKIM checks message integrity. Together, they give receiving servers two separate ways to verify your email is legitimate.

Important note: DKIM alone doesn't prevent someone from spoofing your From address. That's where DMARC comes in — which we'll cover next week.