What is DKIM?

How DKIM works

DKIM (DomainKeys Identified Mail) uses public-key cryptography. Your sending server signs each outgoing message with a private key. The corresponding public key is published in your DNS as a TXT record. Receiving servers retrieve the public key and verify the signature.

Unlike SPF, DKIM survives email forwarding because it signs the message content — not the sending server's IP address.

What DKIM selectors are

A selector is a label that identifies which public key to use. A domain can have multiple selectors — one per email provider or signing configuration.

The selector appears in the DKIM-Signature header of the email and determines the DNS name used for the public key lookup. For example, a selector named 'google' results in a lookup for google._domainkey.yourdomain.com.

What a DKIM DNS record looks like

A DKIM public key is published as a TXT record at <selector>._domainkey.<domain>. A typical record looks like: v=DKIM1; k=rsa; p=MIGfMA0GCSqG...

v=DKIM1 identifies the record version. k=rsa specifies the key algorithm (rsa or ed25519). p= contains the base64-encoded public key.

Common DKIM problems

Missing record. The selector does not exist in DNS. Common after migrating email providers without updating DNS.

Revoked key. An empty p= tag signals that the key has been revoked — receiving servers will reject the signature.

Test mode. The t=y flag indicates the key is in test mode and receivers may choose to ignore the signature.

Weak key. RSA keys shorter than 1024 bits are considered cryptographically insecure.

How to check a DKIM record

DKIM checking requires knowing your selector. You can find it in the DKIM-Signature header of any email sent from your domain.

Use MXFend's free DKIM Checker to validate the record once you have the selector. The checker verifies the record exists, the key is not revoked, and there are no configuration warnings.