DKIM: the cryptographic signature that completes your email authentication trio.
Published 2026-04-29 · Last updated 2026-04-29 · Vantyris editorial
DKIM (DomainKeys Identified Mail) is the third leg of modern email authentication, alongside SPF and DMARC. Where SPF says 'these servers are allowed to send for me' and DMARC says 'what to do when SPF/DKIM fails', DKIM adds a cryptographic signature to every outgoing email that receiving servers can verify against a public key in your DNS. Without it, your DMARC enforcement is half-strength. Most email providers (Google Workspace, Microsoft 365, Mailgun, SendGrid) set up DKIM automatically; the failure mode is usually 'I didn't realise I had to enable it'.
What this means for your business
- Every outgoing email gets a DKIM-Signature header added by your sending server. That header contains a hash of the email body + selected headers, signed with the private key only your sending server holds.
- The receiving server reads the DKIM-Signature header, fetches the matching public key from your domain's DNS (at `<selector>._domainkey.<yourdomain>`), and verifies the signature. If it matches, the email is cryptographically proven to be from you and unmodified in transit.
- DMARC's 'alignment' check requires either SPF or DKIM to pass with the From-header domain. Adding DKIM means even mail forwarded through an intermediary (where SPF often breaks) still passes DMARC because the DKIM signature survives forwarding.
How to fix
In your email provider's admin console, enable DKIM signing. Copy the public key it generates and publish it as a TXT record at the `<selector>._domainkey.<yourdomain>` host.
- Locate the DKIM setting in your email provider. Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate email → Generate new record. Microsoft 365: Security & Compliance Center → Threat management → Policy → DKIM. Mailgun / Postmark / SendGrid: in your sending-domain setup, they show you the DKIM record on the verification page.
- Publish the TXT record. Your provider gives you a host (e.g., `google._domainkey` or `selector1._domainkey`) and a value (the public key, often 1000+ characters). At your DNS provider, add a TXT record at that host with that value. Some DNS panels chunk long values into 255-char strings; that's normal and works.
- Enable signing in the email provider's UI. After the DNS record is live, return to the email provider and click 'Start authentication' or 'Enable DKIM'. The provider verifies the public key matches what it expects and starts signing outgoing mail.
- Test by sending yourself an email. Send a test message from your domain to a Gmail account you control. Open the message, click the three-dot menu → Show original. Look for `dkim=pass` in the headers. If it says `dkim=fail` or absent, the public key didn't match.
Owner: Your email administrator (typically the same person who set up your inbox). · Time: 20 minutes once you've found the right setting.
Common gotchas
- DKIM keys are typically 2048-bit RSA. If your DNS provider rejects long TXT values, use a provider that supports them; or split using DKIM2 / Ed25519 keys (smaller but newer).
- If you use multiple senders (Google Workspace for staff + Mailgun for transactional + Mailchimp for newsletters), each one needs its own DKIM selector. Don't reuse a key across providers.
- Rotating DKIM keys annually is best practice but few SMEs bother. Modern guidance is 12-month rotation; we won't push back if you do it every 24 months.
- DKIM doesn't encrypt mail content; it only signs it. Anyone in transit can still read the message. TLS at the transport layer (which your provider does) handles encryption.
How to verify the fix
Vantyris's verified scan checks for DKIM-Signature support against the published TXT records. Or send a test email to dkimvalidator.com (free) which checks the signature in detail.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A1. Firewalls — boundary protection between the internet and your services.
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
Do I need DKIM if I already have SPF + DMARC?
Yes. SPF breaks on forwarded mail (mailing lists, redirect rules). DKIM survives forwarding because the signature is in the message itself. Without DKIM, your DMARC enforcement misses any mail that crosses a forwarder, which is much more common than it sounds.
What's a DKIM selector?
A label that lets you have multiple DKIM keys for the same domain. The selector appears in the DKIM-Signature header and tells receivers which public key to fetch. Common pattern: `default`, `google`, `selector1`, `s1`. Pick any string; it just has to match the DNS host you publish the public key at.
Can I sign with multiple selectors at once?
Yes — useful during key rotation (publish the new selector, wait for it to propagate, switch the signing service to the new key, retire the old selector). Most providers don't expose this directly; you'd need access to the SMTP-layer config.
References
- RFC 6376 — DKIM IETF RFC
- NCSC: email authentication NCSC
- Google Workspace: enable DKIM Vendor
Related explainers
- What is DMARC, and why every business with a domain needs one.
- SPF records, explained: the first line of defence against email spoofing.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0