What is a digital signature?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

A digital signature is cryptographic proof that an email wasn't tampered with after the sender signed it. It works like a fingerprint that only the legitimate sender could have created. If someone changes even one character of a signed email (the subject line, a word in the body, an attachment), the signature breaks.

In email, digital signatures are how DKIM works. Your mail server uses a private key (kept secret on your server) to sign outgoing messages. The signature is added as a header. Receiving servers check the signature using your public key, which you publish in DNS. If the signature validates, the receiver knows two things: the message really came from your domain, and nobody changed it in transit.

Here's what gets signed: usually the From header, the To header, the Subject line, the Date, and the message body (or parts of it). Not every header gets signed, which is why spammers can still spoof the Reply-To field or add misleading X-headers. But the critical parts (who sent it, what they said) are locked in.

Why this matters: without digital signatures, anyone can send email claiming to be from your domain. With DKIM in place, mailbox providers like Gmail and Outlook can verify that your messages are legitimate. DKIM alone won't get you into the inbox (you still need good sender reputation), but without it, you're starting from a trust deficit. Most ESPs handle DKIM signing automatically. Mailchimp, SendGrid, Postmark, and others will sign on your behalf once you authenticate your domain. If you're running your own mail server or using a custom SMTP setup, you'll need to configure DKIM manually (which means generating a key pair, publishing the public key in DNS, and configuring your server to sign outgoing mail).

You can verify your DKIM setup is working with our free DKIM checker. Send a test email and check the headers to see if the signature validates. If it doesn't, that's usually a DNS publishing issue or a key mismatch.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get DKIM help for your setup

I read this on the Email Almanac about digital signatures and DKIM: "A digital signature is cryptographic proof that an email wasn't tampered with after the sender signed it. In email, DKIM uses a private key to sign outgoing messages. Receiving servers check the signature using your public key published in DNS." Help me understand how this applies to MY email setup: 1. Check my current DKIM status: Is my domain signing emails? Is the signature validating? 2. Diagnose issues: If DKIM is failing, what's the most likely cause (DNS publishing, key mismatch, selector name)? 3. ESP-specific setup: How do I enable or verify DKIM for my platform (Mailchimp, SendGrid, custom SMTP, etc.)? 4. Advanced scenarios: Should I use multiple DKIM selectors? What if I send from subdomains? My details: - Email platform/ESP: e.g. Mailchimp, SendGrid, Postmark, custom SMTP - Domain(s): your sending domain(s) - Sending volume: e.g. 5,000/month - Experience level: beginner / intermediate / advanced - Current challenge: what prompted this question

Edit the yellow boxes, then send to the AI of your choice.