What is DKIM-Signature header (mention, to link to later section)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

The DKIM-Signature header is the line in an email's technical headers that proves the message came from who it says it came from and hasn't been tampered with. It's part of DKIM (DomainKeys Identified Mail), one of three core authentication methods that keep email from being spoofed.

Here's what's actually in that header: a cryptographic signature that covers the message body and specific headers (like From and Subject), the domain that signed it, which selector to use for the public key lookup, and a timestamp. When a receiving server gets your email, it looks up your public key in DNS, applies it to the signature, and checks if everything matches. If it does, the signature passes. If the message was altered in transit, the signature breaks.

Think of it like a wax seal on a captain's letter. The receiving port checks the seal against the official design registered in their records (that's DNS) to confirm it's authentic and unopened. But unlike a wax seal, the DKIM signature can't be reused or forged because it's mathematically tied to the exact content of the message.

You won't configure this header yourself. Your ESP or mail server generates it automatically when DKIM is set up. What you DO configure is the DNS record that holds the public key. If you're seeing DKIM failures, it's usually because the DNS record is missing, expired, or doesn't match what the signature expects.

Want to see what your DKIM-Signature header actually looks like? Open any email you've received (in Gmail, Outlook, or your client of choice), view the full headers, and look for the line that starts with DKIM-Signature:. Or paste the raw source into our free Email Header Analyzer and we'll decode it for you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get AI help for your DKIM setup

I read this on the Email Almanac about DKIM-Signature headers: "The DKIM-Signature header is the line in an email's technical headers that proves the message came from who it says it came from and hasn't been tampered with. It contains a cryptographic signature covering the message body and specific headers." Help me understand how this applies to MY specific situation. I need: 1. Whether my DKIM signature is working (and how to check) 2. What to do if DKIM is failing for my domain 3. Whether I need to configure the header myself or if my ESP handles it 4. How to read a DKIM-Signature header in my own emails --- My details (the more you share, the better the advice): - Email platform/ESP: e.g. Mailchimp, SendGrid, custom SMTP, Postmark - Sending domain: your domain - Current issue: [e.g. DKIM failures in reports, setting up for first time, migrating ESPs] - Experience level: beginner / intermediate / advanced - What you're sending: newsletters, transactional, both

Edit the yellow boxes, then send to the AI of your choice.