Why It Matters
DKIM is one of the three pillars of email authentication, alongside SPF and DMARC. Without it, a receiver has no cryptographic way to tell whether a message that claims to come from your domain was altered in transit, or whether your infrastructure sent it at all: SPF vouches only for the sending IP address and is lost the moment a message is forwarded, and DMARC needs DKIM or SPF to pass with a domain that aligns with the From header. Since February 2024, Gmail and Yahoo have required bulk senders (Gmail's threshold is 5,000 messages a day) to sign with DKIM, in addition to publishing SPF and DMARC. Fail DKIM, and your emails are far more likely to land in spam or be rejected outright.
How It Works
DKIM uses public-key cryptography. When you send an email, your mail server computes a hash of the body, then signs that hash together with a chosen set of headers (From is mandatory; To, Subject and Date are the usual additions) using a private key. The result goes into a DKIM-Signature header that also carries the signing domain (d=), a selector (s=), the list of signed headers (h=) and the body hash (bh=). The receiving server looks up your public key in DNS, as a TXT record at <selector>._domainkey.<domain>, and uses it to verify the signature. If the signature checks out, the email passes DKIM. The selector is what lets one domain publish several keys at once, one per sending service or per rotation cycle.
Both the body hash and the signature are computed over a canonicalized form of the message. With the usual relaxed canonicalization, whitespace changes and re-folded headers are tolerated, but anything more breaks verification: a tracking pixel injected by an intermediary, a mailing list that tags the Subject or appends a footer. That's a feature, not a bug: it ensures integrity. Two caveats follow from it. The verifier learns only that the message changed, not what changed, so a broken signature is indistinguishable from a forgery. And a plain forward that leaves the signed headers and body untouched keeps the signature valid, which is the main reason DKIM survives forwarding when SPF does not.
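The round trip described above, as an added example that is not part of the original page: the signer canonicalizes the body and the h= headers, signs their SHA-256 hash with the private key and prepends a DKIM-Signature header; the verifier fetches the key from the <selector>._domainkey.<domain> record, recomputes the body hash and checks the RSA signature. It uses only the Python standard library, so a toy RSA key generator with RSASSA-PKCS1-v1_5 padding stands in for a crypto library, a dict stands in for DNS, and the p= tag uses a simplified key encoding where a real record carries the base64 DER SubjectPublicKeyInfo. The domain example.com, the selector s1 and the message used in the checks are constructed for the example.

```python
# Added example (not from the page): DKIM (RFC 6376) sign and verify, c=relaxed/relaxed,
# standard library only. A toy RSA keygen stands in for a crypto library, a dict for DNS,
# and a simplified p= encoding for the DER SubjectPublicKeyInfo a real record carries.
import base64, hashlib, hmac, math, re, secrets

DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 prefix

def _is_prime(n, rounds=16):  # Miller-Rabin; toy key generation only
    s = ((n - 1) & (1 - n)).bit_length() - 1  # trailing zero bits of n-1
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):  # random odd candidates with the top bit set, until one passes
    while True:
        c = secrets.randbits(bits) | 1 << (bits - 1) | 1
        if _is_prime(c):
            return c

def rsa_keygen(bits=1024):  # -> ((n, e), (n, d)); 1024 keeps the toy fast, publish 2048 for real
    e, p, q = 65537, _prime(bits // 2), _prime(bits // 2)
    phi = (p - 1) * (q - 1)
    if p == q or math.gcd(e, phi) != 1:
        return rsa_keygen(bits)
    return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa(digest, k):  # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo||hash, k bytes long
    t = DIGESTINFO_SHA256 + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, digest):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(digest, k), "big"), d, n).to_bytes(k, "big")
def rsa_verify(pub, digest, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa(digest, k))

def _relaxed_header(name, value):  # RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip() + "\r\n"
def _relaxed_body(body):  # RFC 6376 3.4.4: trim line ends, collapse WSP, drop trailing empty lines
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def _body_hash(body):  # the bh= tag
    return base64.b64encode(hashlib.sha256(_relaxed_body(body).encode()).digest()).decode()
def _header_digest(headers, names, dkim_value):
    data = ""
    for name in names:  # h= order; a repeated header contributes its last instance
        found = [v for n, v in headers if n.lower() == name]
        if found:
            data += _relaxed_header(name, found[-1])
    data += _relaxed_header("DKIM-Signature", dkim_value).rstrip("\r\n")  # b= empty, no final CRLF
    return hashlib.sha256(data.encode()).digest()

def dkim_sign(headers, body, domain, selector, priv, signed=("from", "to", "subject", "date")):
    tags = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={':'.join(signed)}; bh={_body_hash(body)}; b=")
    b = base64.b64encode(rsa_sign(priv, _header_digest(headers, signed, tags))).decode()
    return [("DKIM-Signature", tags + b)] + headers

def dkim_dns_record(pub):  # TXT value to publish at <selector>._domainkey.<domain>
    n, e = pub  # toy encoding: n || e (4 bytes); a real p= holds base64 DER SubjectPublicKeyInfo
    blob = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(blob).decode()

def _tags(s):  # "k=v; k=v" tag list -> dict, whitespace inside values dropped
    return {k.strip(): re.sub(r"\s", "", v) for k, v in (t.split("=", 1) for t in s.split(";") if "=" in t)}

def dkim_verify(headers, body, dns):  # dns: {"<selector>._domainkey.<domain>": txt_value}
    sigs = [v for n, v in headers if n.lower() == "dkim-signature"]
    t = _tags(sigs[0]) if sigs else {}
    if (t.get("v"), t.get("a"), t.get("c")) != ("1", "rsa-sha256", "relaxed/relaxed"):
        return False, "no DKIM-Signature header, or unsupported parameters"
    rec = _tags(dns.get(f"{t.get('s')}._domainkey.{t.get('d')}", ""))
    if not rec.get("p"):
        return False, "no key record in DNS, or key revoked (empty p=)"
    if t.get("bh") != _body_hash(body):
        return False, "body hash mismatch: body modified in transit"
    blob = base64.b64decode(rec["p"])
    pub = int.from_bytes(blob[:-4], "big"), int.from_bytes(blob[-4:], "big")
    unsigned = re.sub(r"(?<!\w)b=[^;]*", "b=", sigs[0])  # hash covers the header with b= emptied
    digest = _header_digest(headers, t.get("h", "").lower().split(":"), unsigned)
    if not rsa_verify(pub, digest, base64.b64decode(t.get("b", ""))):
        return False, "signature mismatch: a signed header was modified, or wrong key"
    return True, "pass"
```

Call rsa_keygen(), put dkim_dns_record(pub) into the dict under s1._domainkey.example.com, sign a header list and body with dkim_sign, and feed the result to dkim_verify. Appending a tracking pixel to the body fails on the body hash, rewriting the Subject fails on the signature, and a whitespace-only change to the body or a signed header still passes, which is exactly the tolerance relaxed canonicalization buys.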
Quick Tips
- Use a 2048-bit key, not 1024-bit. RFC 8301 makes 1024 bits the minimum a signer may use and recommends 2048; most receivers still accept 1024-bit keys, but factoring them is within reach of a well-funded attacker and some receivers already flag them as weak. A 2048-bit public key does not fit in a single 255-character TXT string, so the record is published as several quoted strings, which most DNS providers handle automatically. Larger keys are allowed (verifiers must handle up to 4096 bits) but make the DNS response large enough to need EDNS or TCP, so 2048 is the practical choice.
- Every service that sends email on your behalf (marketing platform, CRM, helpdesk) needs its own DKIM key configured: a separate selector and key pair published under your domain, often as a CNAME to the vendor's record, so that the service signs with d= set to your domain. A service that signs with its own domain instead will pass DKIM but fail DMARC alignment for you. One missing DKIM setup can sink deliverability for that stream.
- Rotate your DKIM keys annually. It's good security hygiene, and most email platforms make it straightforward. Publish the new key under a new selector, switch signing to it, and only then retire the old record, leaving it in place for at least as long as mail can sit in a queue so messages signed before the switch still verify. Publishing the old selector with an empty p= tag explicitly revokes that key.