What is DKIM-Signature header (mention, to link to later section)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
The DKIM-Signature header is the line in an email's technical headers that proves the message came from who it says it came from and hasn't been tampered with. It's part of DKIM (DomainKeys Identified Mail), one of three core authentication methods that keep email from being spoofed.
Here's what's actually in that header: a cryptographic signature that covers the message body and specific headers (like From and Subject), the domain that signed it, which selector to use for the public key lookup, and a timestamp. When a receiving server gets your email, it looks up your public key in DNS, applies it to the signature, and checks if everything matches. If it does, the signature passes. If the message was altered in transit, the signature breaks.
Think of it like a wax seal on a captain's letter. The receiving port checks the seal against the official design registered in their records (that's DNS) to confirm it's authentic and unopened. But unlike a wax seal, the DKIM signature can't be reused or forged because it's mathematically tied to the exact content of the message.
You won't configure this header yourself. Your ESP or mail server generates it automatically when DKIM is set up. What you DO configure is the DNS record that holds the public key. If you're seeing DKIM failures, it's usually because the DNS record is missing, expired, or doesn't match what the signature expects.
Want to see what your DKIM-Signature header actually looks like? Open any email you've received (in Gmail, Outlook, or your client of choice), view the full headers, and look for the line that starts with DKIM-Signature:. Or paste the raw source into our free Email Header Analyzer and we'll decode it for you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.