How does DKIM work?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

DKIM uses a classic public/private key pair to prove that your email actually came from you and wasn't altered in transit. Here's the process:

Signing (outgoing): When you send an email, your mail server takes certain parts of the message (selected headers and the message body) and runs them through a cryptographic algorithm to produce a unique hash. It then encrypts that hash using your private key, a secret that never leaves your server. The resulting signature gets added to the email as a header: DKIM-Signature:.

Verification (incoming): When the recipient's server gets your message, it reads the DKIM-Signature header to find out which domain signed it and which selector was used. It does a DNS lookup to find your public key, which you've published as a TXT record. It then uses that public key to decrypt the signature back into the original hash, and computes a fresh hash from the message it received. If both hashes match, DKIM passes. If the message was modified after signing, the hashes won't match and DKIM fails.

The elegance of this approach is that the private key is never shared. Anyone can get your public key from DNS. But only someone with the private key can create a signature that verifies against that public key. That's what makes DKIM trustworthy as a proof of origin.

DKIM doesn't encrypt your message. It doesn't hide it from anyone. It just proves the message came from someone who controlled your domain's signing key and that the content wasn't changed afterward.

One important nuance: DKIM validates the signing domain (the d= tag in the signature), not necessarily the "From" address your recipient sees. For full protection, DMARC checks that the signing domain aligns with the visible From domain.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a technical walkthrough for your specific DKIM setup.

I read this on the Email Almanac about how DKIM works. My situation: I'm using describe your ESP or mail server. I want to understand [describe, e.g., "what private key my ESP is using to sign my messages" or "why my DKIM verification is failing despite having a record" or "what the DKIM-Signature header in my emails actually means"].

Edit the yellow boxes, then send to the AI of your choice.