What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication protocol defined in RFC 6376. It uses public-key cryptography to sign outgoing email, allowing receiving servers to verify message integrity and sender authenticity.
How DKIM works
The sending mail server signs each outgoing email with a private key, adding a DKIM-Signature header to the message. The corresponding public key is published in DNS at a subdomain like selector._domainkey.example.com.
When a receiving server gets the email, it retrieves the public key from DNS and verifies the signature. A valid signature proves:
- The email was sent by a server with access to the private key
- The signed headers and body were not modified after signing
Why DKIM matters
While SPF validates the sending server’s IP address, DKIM validates the message itself. This means DKIM works even when email is forwarded (which breaks SPF), as long as the signed headers and body are left unmodified, and it protects against message tampering in transit.
DKIM also provides the basis for DMARC alignment: DMARC can verify that the DKIM signing domain matches the visible From address, closing the gap that SPF alone leaves open.
SurfaceLoop verifies DKIM configuration across your domains by checking for published DKIM records and validating their format.
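The DNS lookup and record format check described above, as an added Python example (not SurfaceLoop's code and not part of the original page). The function names are hypothetical, and the sample header and records are constructed, with placeholder base64 instead of real keys.

```python
import base64
import binascii

# Constructed samples: the base64 values are placeholders, not real keys.
SIG = ("v=1; a=rsa-sha256; d=example.com; s=selector;\r\n"
       " h=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=")
GOOD = "v=DKIM1; k=rsa; p=Y29uc3RydWN0ZWQ="
REVOKED = "v=DKIM1; p="
BAD = "v=DKIM2; k=rsa; p=not*base64"


def parse_tags(value):
    """Parse an RFC 6376 tag=value list; whitespace in values is dropped."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:  # skip the empty element after a trailing ';'
            tags[name.strip()] = "".join(val.split())
    return tags


def key_query_name(dkim_signature):
    """DNS name the verifier queries, built from the s= and d= tags."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_key_record(txt):
    """Return a list of format problems found in a DKIM key TXT record."""
    tags = parse_tags(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type in k=")
    if "p" not in tags:
        problems.append("missing p= (public key)")
    elif not tags["p"]:
        problems.append("empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems


if __name__ == "__main__":
    print(key_query_name(SIG), [check_key_record(r) for r in (GOOD, REVOKED, BAD)])
```

A record that passes these checks is only well-formed; confirming that a message actually verifies still requires canonicalizing the signed headers and body and checking the signature against the published key.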