What is DKIM signing at MTA level?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

DKIM signing at the MTA level means the mail server itself adds a cryptographic signature to every outgoing email before it leaves your infrastructure. If you're using an ESP, they handle this for you. If you run your own mail server, this is something you configure directly.

Here's how it works: when your MTA sends a message, it takes a hash of certain headers (From, Subject, Date, etc.) and the message body, then encrypts that hash with a private key you keep secret. The resulting signature goes into a DKIM-Signature header on the message. The receiving server looks up your public key in DNS using the domain and selector specified in that header, decrypts the hash, and checks it against the message. If they match, the message hasn't been tampered with since it left your server.

DKIM is like a wax seal on a letter. The sender applies it. The recipient checks if it's genuine. If anything in the message changes after signing (even a line break added by a mail relay), the verification fails.

The MTA-level configuration involves a few things: generating a public/private key pair, publishing the public key in your DNS as a TXT record, and configuring the MTA to sign outgoing messages with the private key using a named selector. The selector lets you rotate keys over time without disrupting delivery. You just add a new selector to DNS and update the MTA config.

Common problems: signing headers that get modified by relays (breaking the signature), expired DNS records, private key mismatches after server migrations, and selectors that don't match what's in the DNS. Our free Review My Emails DKIM checker can verify your signing is working from the outside, which is the perspective that matters. You can also set up DKIM step by step with our full guide.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me set up DKIM signing

I'm setting up or troubleshooting DKIM signing on my mail server. Here's my situation: - MTA software: Postfix / Exim / OpenDKIM / other - Whether I've generated a key pair: yes / no - Whether my public key is in DNS: yes / no / not sure - My DKIM selector name: name if set up - Whether signing is working (how I checked): describe - Specific error I'm seeing: if any Help me verify my DKIM setup is correct and identify what to fix if it's not.

Edit the yellow boxes, then send to the AI of your choice.