What is a DKIM signature?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Every email you send has a hidden stamp of authenticity attached to it. That stamp is the DKIM signature, and it's how receiving mail servers confirm that your message wasn't tampered with and actually came from your domain.
DomainKeys Identified Mail (DKIM) works by adding a special header called DKIM-Signature to every outgoing message. Inside that header, you'll find:
- The signing domain (
d=tag) - Which headers were signed
- A hash of the message body
- The cryptographic signature itself
When a receiving mail server gets your email, it looks up your public key in DNS and uses it to verify the signature. If it checks out, the message passed DKIM. If the signature is missing or broken, the message fails the check.
A missing DKIM signature doesn't automatically send email to spam. But it does mean the receiving server has no cryptographic proof that the message is legitimate. That matters when you're trying to build a trustworthy sending reputation. Combined with SPF and DMARC, DKIM forms the authentication trio that mailbox providers rely on to trust your email.
You can verify your DKIM setup in seconds with our free DKIM checker. If you're not sure what you're looking at in the results, check out our guide on setting up DKIM.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.