DKIM
A cryptographic signature attached to outbound email that proves the message was authorised by the domain owner and was not modified in transit.
Definition
DKIM (DomainKeys Identified Mail) is the email authentication protocol that attaches a cryptographic signature to outbound messages. Standardised as RFC 6376, DKIM lets a sending mail server sign each outgoing message with a private key, and receivers verify the signature against a corresponding public key the domain owner publishes in DNS. A valid DKIM signature proves two things: the message was authorised to leave under this domain, and the signed portions of the message (typically headers and body) were not modified between sending and receiving.
How it works
When a message is signed, the sending server computes a hash of selected headers (and optionally the body), signs that hash with its private key, and adds a DKIM-Signature header to the message. The signature header includes a d= tag (the signing domain) and an s= tag (the selector — an arbitrary label used to support multiple keys per domain). When a receiver gets the message, it reads the d= and s= values, queries DNS for the public key at <selector>._domainkey.<domain>, and verifies the signature.
DKIM provides the cryptographic backbone of DMARC alignment. Because the d= tag identifies a specific domain, receivers can check whether that domain matches (or is a subdomain of) the visible From: header — the alignment check that DMARC depends on. Most ESPs let customers either sign with their own domain (alignment passes) or with the ESP's domain (alignment fails). For DMARC enforcement to work, customer-domain signing is required.
Example
s1._domainkey.example.com:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
The corresponding signature header on a signed message:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1; c=relaxed/relaxed; h=From:To:Subject:Date; bh=...; b=...
The receiver reads d=example.com; s=s1 from the header, fetches the public key at s1._domainkey.example.com, and verifies the signature in the b= tag against the hash of the headers listed in h=.
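The receiver-side steps that come before the cryptographic check, as an added example (not code from the original page or from any mail product): parse the DKIM-Signature tag list, derive the DNS name to query, confirm From is signed, and apply the alignment rule described under "How it works". The function names are hypothetical and the bh=/b= values are constructed placeholders; the sketch does not fetch the key or verify the signature, and full DMARC relaxed alignment compares organizational domains, which needs the Public Suffix List.

```python
import re
from email.utils import parseaddr

REQUIRED = {"v", "a", "b", "bh", "d", "h", "s"}  # tags RFC 6376 requires

def parse_dkim_tags(value):
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        name, sep, val = part.partition("=")  # base64 '=' padding stays in val
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")  # invalidates the list
        tags[name] = val.strip()
    missing = REQUIRED - tags.keys()
    if missing:
        raise ValueError(f"missing required tags: {sorted(missing)}")
    return tags

def key_query_name(tags):
    """DNS name of the TXT record holding the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def signs_from(tags):
    """True if From is among the signed headers listed in h=."""
    return "from" in (h.strip().lower() for h in tags["h"].split(":"))

def is_aligned(tags, from_header):
    """Page's alignment rule: d= equals, or is a subdomain of, the From: domain."""
    _, at, from_domain = parseaddr(from_header)[1].lower().rpartition("@")
    d = tags["d"].lower()
    return bool(at) and (d == from_domain or d.endswith("." + from_domain))

# Constructed sample: the page's example header, with placeholder bh=/b= values.
SAMPLE = ("v=1; a=rsa-sha256; d=example.com; s=s1; c=relaxed/relaxed;\r\n"
          "\th=From:To:Subject:Date; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=")

if __name__ == "__main__":
    t = parse_dkim_tags(SAMPLE)
    print(key_query_name(t), signs_from(t), is_aligned(t, "Alice <alice@example.com>"))
```

A message signed only with an ESP's domain fails is_aligned against the customer's From: address, which is the alignment failure the page describes.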