Skip to main content
Vantyris

Email

DKIM: the cryptographic signature that completes your email authentication trio.

Published 2026-04-29 · Last updated 2026-04-29 · Vantyris editorial

DKIM (DomainKeys Identified Mail) is the third leg of modern email authentication, alongside SPF and DMARC. Where SPF says 'these servers are allowed to send for me' and DMARC says 'what to do when SPF/DKIM fails', DKIM adds a cryptographic signature to every outgoing email that receiving servers can verify against a public key in your DNS. Without it, your DMARC enforcement is half-strength. Most email providers (Google Workspace, Microsoft 365, Mailgun, SendGrid) set up DKIM automatically; the failure mode is usually 'I didn't realise I had to enable it'.

What this means for your business

How to fix

In your email provider's admin console, enable DKIM signing. Copy the public key it generates and publish it as a TXT record at the `<selector>._domainkey.<yourdomain>` host.

  1. Locate the DKIM setting in your email provider. Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate email → Generate new record. Microsoft 365: Security & Compliance Center → Threat management → Policy → DKIM. Mailgun / Postmark / SendGrid: in your sending-domain setup, they show you the DKIM record on the verification page.
  2. Publish the TXT record. Your provider gives you a host (e.g., `google._domainkey` or `selector1._domainkey`) and a value (the public key, often 1000+ characters). At your DNS provider, add a TXT record at that host with that value. Some DNS panels chunk long values into 255-char strings; that's normal and works.
  3. Enable signing in the email provider's UI. After the DNS record is live, return to the email provider and click 'Start authentication' or 'Enable DKIM'. The provider verifies the public key matches what it expects and starts signing outgoing mail.
  4. Test by sending yourself an email. Send a test message from your domain to a Gmail account you control. Open the message, click the three-dot menu → Show original. Look for `dkim=pass` in the headers. If it says `dkim=fail` or absent, the public key didn't match.

Owner: Your email administrator (typically the same person who set up your inbox). · Time: 20 minutes once you've found the right setting.

Common gotchas

How to verify the fix

Vantyris's verified scan checks for DKIM-Signature support against the published TXT records. Or send a test email to dkimvalidator.com (free) which checks the signature in detail.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

Do I need DKIM if I already have SPF + DMARC?

Yes. SPF breaks on forwarded mail (mailing lists, redirect rules). DKIM survives forwarding because the signature is in the message itself. Without DKIM, your DMARC enforcement misses any mail that crosses a forwarder, which is much more common than it sounds.

What's a DKIM selector?

A label that lets you have multiple DKIM keys for the same domain. The selector appears in the DKIM-Signature header and tells receivers which public key to fetch. Common pattern: `default`, `google`, `selector1`, `s1`. Pick any string; it just has to match the DNS host you publish the public key at.

Can I sign with multiple selectors at once?

Yes — useful during key rotation (publish the new selector, wait for it to propagate, switch the signing service to the new key, retire the old selector). Most providers don't expose this directly; you'd need access to the SMTP-layer config.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0