What is RFC 6376 (DKIM)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you've ever wondered why some emails look trustworthy to Gmail and Outlook while others get routed straight to spam, DKIM is a big part of the answer.

RFC 6376 is the technical specification that defines DomainKeys Identified Mail (DKIM). In plain terms, DKIM lets your mail server attach a cryptographic signature to every outgoing email. The receiving mail server then checks that signature against a public key you've published in your DNS records to confirm two things: the email genuinely came from your domain, and nothing was tampered with in transit.

Think of it as a wax seal on a letter. Anyone can see the seal. If the seal is broken (or missing), the recipient knows something went wrong before it arrived.

Why does this matter for your deliverability? Mailbox providers use DKIM as a reputation signal. A valid DKIM signature tells them your domain has a real identity they can track over time. Without it, your emails look anonymous, and anonymous senders don't get the benefit of the doubt. It's also a hard requirement for DMARC to work properly, since DMARC uses DKIM (and SPF) to decide what to do with emails that fail authentication.

Most ESPs set up DKIM for you automatically, but they often sign with their own domain rather than yours. That's fine to start, but aligning your DKIM signature with your sending domain is the stronger setup and the one deliverability experts recommend.

You can verify your DKIM record is in place and correctly formatted using our free DKIM Record Lookup. If something looks off, or you're not sure whether your ESP is signing with your domain or theirs, our SOS hotline is a free place to get a second opinion.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my DKIM setup

I send email from my domain and want to know if my DKIM setup is correct. Based on my sending domain, ESP, and current DNS records, tell me: (1) whether my DKIM signature is aligned with my own domain or my ESP's domain, (2) what risks I'm taking if DKIM is missing or misaligned, and (3) what I should fix first to strengthen my authentication setup.

Edit the yellow boxes, then send to the AI of your choice.