How Does a DKIM Record Work? | EasyDMARC


So you want to know what a DKIM record is and how it works? DKIM is short for “DomainKeys Identified Mail,” an email authentication protocol commonly used to place a unique digital signature on any email sent from your servers. This signature authenticates your email, letting receiving servers know the message originates from your domain and wasn’t tampered with during transit.

We live in a time when cybercrime is a common occurrence. DKIM is one part of the most solid defense system you can get for your domain: DMARC. DKIM works with SPF (Sender Policy Framework) to authenticate emails sent on your domain’s behalf and prevent spoofing and phishing attacks. 

By implementing DKIM, you’re protecting your company and the status of your brand.

Before setting it up, it’s essential to understand how DKIM works. This protocol focuses on two central aspects: the DKIM record published in a domain’s DNS (domain name system) records and the DKIM header in all emails.

This blog post discusses how DKIM works and all its moving parts that make your messages more secure.

What is Public Key Cryptography?

To learn how DKIM works, you must first understand the meaning of public key cryptography. As the name implies, this internet security feature encrypts or signs data with a pair of cryptographic keys, one public and one private. 

It’s also known as asymmetric encryption and is often used with Transport Layer Security (TLS) and Secure Sockets Layer (SSL) certificates, which make HTTPS possible.

Public key cryptography works with a pair of keys associated with an entity that has to verify its identity in a virtual environment. You can also use it to sign and encrypt data before sending it through the web. Public keys are meant to be published, while private keys are only known to a domain administrator. 

Public key cryptography enables encryption and decryption of data. This process allows two communicating parties to keep data safe as it’s sent back and forth. 

The encryption applied to the data can only be unscrambled with the keys used by the data holders, making it indecipherable in transit to anyone looking to tamper with it. This prevents your data from being altered and proves to recipient servers that your email comes from an authentic source.

The Two Keys of DKIM

As you learn how DKIM works, you’ll discover that it needs two keys to work its magic. The first is a private key used to generate a digital signature by encrypting data contained in the DKIM header of an email.  

The second is a public key that’s retrieved by recipient servers to verify an email. It’s contained in the DKIM record of your domain’s DNS. 

Each time you send an email from your domain, the receiving server retrieves the public key in your domain’s DKIM record. It then uses the public key to verify the DKIM signature in the email’s DKIM header. 

If the public key matches the encrypted digital signature, the email passes DKIM verification. If not, DKIM verification fails. The receiving server also checks whether any data in the email headers or message body was altered in transit. If not, DKIM verification passes. If data was changed, the recipient server rejects the email.

What’s the Role of a DKIM Record?

Before we answer the above question, let’s answer this: What is a DKIM record? Put simply, it’s a type of DNS TXT record published in your domain’s DNS and publicly available to email service providers (ESPs).

DKIM records play a significant role in the validation of your digital signature. The signature itself is created by a hash using various components from the message contained in any email. 

Your DKIM records hold your domain’s public key, which ESPs use to verify the digital signature that your private key generated for an email.

Every email sent with a DKIM signature includes a DKIM header with encrypted data. Your domain is always hosted in a DNS server, which holds the DKIM record as a TXT entry. All your recipients must be able to locate this TXT record using a selector, which indicates where your domain’s public key is located. 
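The selector lookup described above, as an added example that is not EasyDMARC's code. It builds the DNS name a receiver queries from the header's s= and d= tags and sanity-checks the TXT record that comes back; example.com and the key string are constructed placeholders, and big-email is the selector from this article's sample header.

```python
import base64
import re

def parse_tags(value: str) -> dict:
    """Split a DKIM tag=value list; the header and the DNS record share this syntax."""
    pairs = (p.partition("=") for p in value.split(";") if "=" in p)
    # Whitespace inside a value (a folded header, wrapped base64) is not significant.
    return {k.strip(): re.sub(r"\s+", "", v) for k, _, v in pairs}

def dkim_query_name(signature_header: str) -> str:
    """DNS name the receiver queries for the key: <selector>._domainkey.<domain>."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def check_key_record(txt_strings: list) -> str:
    """Classify the TXT answer as 'ok', 'revoked' or 'invalid'."""
    # DNS stores a long TXT record as several strings of up to 255 bytes; join them.
    tags = parse_tags("".join(txt_strings))
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"          # not a DKIM key record (e.g. an SPF record)
    if tags["p"] == "":
        return "revoked"          # an empty p= means the key was withdrawn
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "invalid"          # p= must be base64-encoded key data
    return "ok"

# Constructed sample data: example.com and the key string are placeholders, not real values.
SAMPLE_HEADER = ("v=1; a=rsa-sha256; d=example.com; s=big-email;\r\n"
                 "\th=from:to:subject; bh=Q09OU1RS; b=VUNURUQt")
SAMPLE_TXT = ["v=DKIM1; k=rsa; p=Q09OU1RS", "VUNURUQt"]

if __name__ == "__main__":
    print(dkim_query_name(SAMPLE_HEADER))
    print(check_key_record(SAMPLE_TXT))
```

A record classified as revoked or invalid means the signature cannot be verified, whatever the b= value in the header says.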

Creating a DKIM record and publishing it in your domain’s DNS can help you look more legitimate in the eyes of your clients and business partners. With DKIM, it’s much harder for bad actors to spoof your email domain.

DKIM also enhances your domain’s reputation thanks to low spam flagging rates and higher deliverability rates.

DKIM also ensures that your emails haven’t been tampered with in transit. This is a point of contention with most ESPs.

Most of these services use TLS to encrypt messages and move them from one server to another. Still, TLS can be refused by email servers in general, making your messages vulnerable and open to modification. DKIM keeps them safe and guarded against such events.

What’s the Role of the DKIM Header?

As we mentioned, DKIM creates a digital signature by encrypting or ‘signing’ data in the mail’s DKIM header. This header plays a crucial role in keeping your communications safe. Remember, DKIM headers remain attached to your email once created. 

These headers are usually visually distinctive to end users if they view them.

DKIM headers are composed of a series of tags defining a specific action to validate or protect the content of your emails. To test whether DKIM is working, you need to understand the value of these tags and the function they fulfill in the header. The following is an example of a DKIM header:

v=1; a=rsa-sha256;; s=big-email;




Each tag in this header has the following role:

  • v= shows the version of DKIM being used.
  • d= is the domain name of the sender.
  • s= is the selector the receiving server uses to look up the DKIM record in DNS.
  • h= lists the header fields used to create the email’s digital signature. In this particular case, the fields are “from,” “to,” and “subject.”
  • bh= is the hash of the email body, used by the receiving server to compute the signature before the complete message loads.
  • a= is the algorithm used to compute the digital signature contained in the email. In this case, the algorithm is RSA-SHA256.
  • b= is the digital signature generated from the tags “h” and “bh” and signed with your domain’s private key.
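How a receiver can use these tags before it verifies b=, as an added example that is not EasyDMARC's code: it checks that every tag listed above is present, that "from" is covered by h=, and that the body it received still hashes to bh=. It assumes the signer used the "relaxed" body canonicalization from RFC 6376 (a c= tag the sample header does not show); example.com, the message body and the b= value are constructed, and the RSA verification of b= itself is left out.

```python
import base64
import hashlib
import re

def parse_tags(header: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    pairs = (p.partition("=") for p in header.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, _, v in pairs}

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization (assumed here, see lead-in)."""
    # Collapse runs of spaces/tabs to one space and drop whitespace at line ends.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()                      # empty lines at the end of the body are ignored
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The value a signer places in bh= when a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def precheck(header: str, received_body: bytes) -> list:
    """Problems a receiver can detect before the public-key check of b=."""
    tags = parse_tags(header)
    problems = [f"missing {t}=" for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in tags]
    if problems:
        return problems
    if "from" not in [h.lower() for h in tags["h"].split(":")]:
        problems.append("From is not listed in h=, so the visible sender is unsigned")
    if tags["a"] != "rsa-sha256":
        problems.append("unsupported a= for this example: " + tags["a"])
    if body_hash(received_body) != tags["bh"]:
        problems.append("bh= mismatch: body changed after signing")
    return problems

# Constructed sample: the signer hashes the body as sent and places the result in bh=.
SENT_BODY = b"Hello  team,\r\nInvoice attached. \r\n\r\n"
HEADER = ("v=1; a=rsa-sha256; d=example.com; s=big-email; h=from:to:subject; "
          f"bh={body_hash(SENT_BODY)}; b=Q09OU1RSVUNURUQt")  # b= is a placeholder, not a real signature

if __name__ == "__main__":
    print(precheck(HEADER, SENT_BODY))
    print(precheck(HEADER, SENT_BODY.replace(b"Invoice", b"Invoice (new bank details)")))
```

Whitespace-only changes made by relays leave the relaxed body hash intact, while any change to the text itself produces a bh= mismatch.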


You should have a good idea about how DKIM signing works. A DKIM record may look pretty complex for end users, but it’s pretty easy to configure by specialists. If you need help setting up your DKIM record, look no further than EasyDMARC. We can teach you how DKIM works in Office 365 and other email service providers.

If you’re not sure about the status of your DKIM records, you can always use EasyDMARC’s free DKIM lookup tool to check if your website is up to speed with this security requirement. 

If you don’t have a DKIM record, you can use our free DKIM generator to get a custom-made TXT file for your website. We can help with the configuration process required for your DNS. Get in contact with us today.

Various authors from EasyDMARC teams have contributed to our blog during the company's lifetime. This author brings everyone together.

