What is a DKIM Record? | EasyDMARC

What is a DKIM Record?

5 Min Read
A text on a blue background

What is a DKIM record? That’s a question we see everywhere these days. Emails have become the primary communication between businesses, vendors, and associates. Unfortunately, emails aren’t 100% secure. 

They can be intercepted, spoofed, and modified by malicious online actors. With more companies looking to implement DMARC to protect their email infrastructure, it’s essential to understand the role DKIM plays in this system.

DMARC is an authentication standard that verifies your emails and lets your mailing list know every message sent from your domain is coming from you. This protocol works with SPF and DKIM. 

This blog post will show you everything you need to know about DKIM. We’ll study what a DKIM TXT record is, what a DKIM key is, and every relevant aspect of this security policy. Take a seat and enjoy this deep dive into DKIM.

What is DKIM?

When people ask what DKIM is, the briefest way to explain it is by calling it a digital signature. If you want a more technical explanation, you’ll find that DKIM stands for DomainKeys Identified Mail, and a DKIM record is a modified TXT record added to your domain’s DNS. 

The TXT record contains a public key used by receiving email servers to verify the digital signature in all your messages and make sure they come from your domain.

What are the DKIM Record Components?

When you add a DKIM record to your DNS, a series of components works to make sure they do the job of verifying your domain. Most of these elements are informal and represented by using tags. 

How does a DKIM record work?

The tags work as commands signalled by a single letter followed by an equal sign, such as “s=.” The value for each tag indicates information about the sender and the public key.

The structure of each DKIM record is based on proper syntax. A DKIM signature only works if it’s properly configured. A few tags are available to the sender; some are mandatory, while others are optional. 

A missing tag leads to verification errors with certain email providers. Tags with no value added to any record are taken as empty, while missing tags are taken out by default.

If your email service provider gives you DKIM records with backslashes before semicolons or double quotes around the record, you can remove them. 

These additional characters can mess with the syntax of your DKIM record. Your server’s name usually handles any extra quoting marks. As for any other characters, they’re automatically disregarded.

This example is how a working DKIM record should look:

v=1; a=rsa-sha286; 

d=example.com; s=big-email;






What is a DKIM Header?

Now that you know what a DKIM record is, we can discuss how a DKIM header works. Every time you generate a message, the sending server creates a digital signature using the header of your message, a hash of the email body, and the private key of your DNS. 

All these elements are combined to create a digital signature for your email, forming part of the DKIM header.

This DKIM signature is one of multiple headers attached to your message. ESPs rarely show headers when displaying emails unless receivers have a specific configuration for their inbox. 

Mailbox services such as Gmail let users view email senders just by clicking in the upper right section of any message and choosing the option to see the original message.

How to Check If Your DKIM is Valid?

You can always use EasyDMARC’s free DKIM lookup tool to check if your domain has any  DKIM records. Just make sure to input your selector name with your domain. That way, you’ll be able to retrieve your published DKIM records. 

Since domains can have multiple DKIM records for different public keys and senders, you must remember to use other selector names for each.

What Happens if DKIM Fails?

Once you create a DKIM record, you’re not exempt from mistakes. DKIM verification can still fail due to several reasons, such as:

  • Lack of alignment between the DKIM signature domain and sending domain
  • Incorrect syntaxes on the DKIM public record published in the DNS
  • The DNS zone can’t be reached for lookups by the sender’s domain
  • The length of the DKIM key used for digital signatures is too short. Modern keys should be 1024/2048-bit.

When DKIM alignment fails, email deliverability is affected. The most common reason is that the tag d=value in the header doesn’t match the value of the published DKIM signature. If that’s the case, the receiving server will send all your messages directly to the spam folder or block them.


If you’re running a business with a solid online presence, you know the importance of emails. Getting a secure domain needs to be a priority. Your clients and business partners feel safer knowing your messages are authenticated. 

The best way to get your domain up to this standard is by implementing DMARC policies. DKIM vs. DMARC isn’t sufficient on its own to protect your email infrastructure. 

The same goes for DKIM vs. SPF. That’s why DMARC is essential. 

It combines and enhances both DKIM and SPF protocols.

But you still need to authenticate your messages with a properly configured DKIM signature. 

If you don’t have a DKIM record, you need to generate a TXT record that has to be added to your DNS to get your public and private keys. 

If you’re unsure about the placement of this digital record, use our DKIM generator or get in touch. We’re happy to help.

Various authors from EasyDMARC teams have contributed to our blog during company's lifetime. This author brings everyone together.


Inline Feedbacks
View all comments

succees We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.

succees You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us