How does DKIM signing work step-by-step?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

But Here's what happens inside your mail server every time it sends a DKIM-signed email:

Step 1: Canonicalization. The mail server takes the message headers and body you've selected to sign and normalizes them. "Canonicalization" is just the spec's word for "make it consistent before hashing." There are two modes: simple (changes nothing) and relaxed (cleans up whitespace and line endings). Most setups use relaxed/relaxed. This step matters because even minor variations in whitespace could change the hash.

Step 2: Hashing the body. The mail server runs the canonicalized message body through a hash function (typically SHA-256). This produces a fixed-length string called the body hash. It gets included in the DKIM-Signature header as bh=. The receiving server will compute its own body hash later and compare.

Step 3: Building the DKIM-Signature header. The mail server assembles the DKIM-Signature header with fields like d= (signing domain), s= (selector), bh= (body hash), and others. This header is then added to the list of signed headers.

Step 4: Signing with the private key. The server takes the signed headers (including the DKIM-Signature header itself, minus the b= field) and generates a cryptographic signature using the private key. The result gets written into the b= field of the DKIM-Signature header.

Step 5: Transmission. The complete message, with the DKIM-Signature header attached, goes out.

On the receiving end, the process runs in reverse: the server reads the selector, looks up the public key, verifies the signature, recomputes the body hash, and checks that everything matches. If it does, DKIM passes and the result feeds into DMARC evaluation.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a technical walkthrough for your specific DKIM signing issue.

I read this on the Email Almanac about how DKIM signing works step-by-step. My situation: I'm troubleshooting [describe: DKIM failures / authentication issues / suspicious DKIM-Signature headers in my emails]. My mail server is describe your ESP or server. My DKIM is signed using [describe: a CNAME provided by my ESP / a TXT record I set up manually]. What I want to understand: [describe, e.g., "why my DKIM signature is invalid despite having the right DNS record" or "what the bh= and b= values in my headers mean"].

Edit the yellow boxes, then send to the AI of your choice.