Home/Knowledge Hub/DKIM Explained: How Email Receivers Know It's Really You
← Back to Knowledge Hub

DKIM Explained: How Email Receivers Know It's Really You

Email SecurityDNS & NetworkDeliverability·June 3, 2026·5 min read

DKIM (DomainKeys Identified Mail) digitally signs your emails to prove they’re really from you. Learn how it stops spoofing and boosts deliverability.

How DKIM Works

Your customer gets an email from support@yourcompany.com. The subject says “Action Required.” How does their inbox know the message is legit and not a scammer impersonating your domain? Without a way to prove your identity, any spammer can send emails that look like yours. That’s where DKIM comes in. DKIM stands for DomainKeys Identified Mail. It’s a standard that lets your domain attach a unique digital signature to every outgoing email. Think of it like a hidden stamp only your email provider can produce. When a receiving mail server sees that stamp, it can verify the email hasn’t been tampered with and truly came from you.

Real-World Analogy

Imagine mailing a signed contract. You place the document inside an envelope and press your personal wax seal into the flap. The recipient knows what your seal looks like because they already have an impression on file. When the letter arrives, they compare the stamp to the known copy. If the seal is intact and matches, they can trust the contents are genuine and untouched. DKIM does the same for email, but with a digital seal that gets checked automatically.

Layer 1 — In Everyday Terms

Here’s what actually happens when your system sends an email with DKIM:

1. Your email provider (like Google Workspace or Microsoft 365) uses a secret, private key to create a signature from parts of the message—like the “from” address, the subject line, and the body.

2. It attaches this signature to the email as a hidden header, similar to stamping the envelope.

3. When the email reaches the recipient’s server, the server looks up a public key that your domain has published in its DNS records—this is like the impression of your wax seal kept on file.

4. The receiving server uses that public key to check the signature. If everything matches, the email passes DKIM authentication.

5. If it doesn’t match, or the public key is missing, the check fails. That doesn’t always block the email, but it can hurt your deliverability.

This whole process happens in milliseconds, invisible to you and your recipients, but it carries a lot of weight with spam filters.

Technical Details

Here are the technical pieces you’ll see when working with DKIM:

— marks this record as a DKIM record
— specifies the key type (almost always RSA)
— the base64-encoded public key that receiving servers use to verify signatures
The TXT record lives at a special subdomain:
The selector is a name you (or your provider) choose, often something like “google”, “selector1”, or “default”
The email provider signs outgoing messages with the corresponding private key, which is never published
DKIM signatures can cover selected headers and parts of the body, defined by the and tags in the signature header

Why It Matters for Your Business

Without DKIM, your emails look exactly like a stranger could have sent them. Spammers routinely forge “from” addresses to trick your customers into handing over passwords or money. DMARC—another security layer—relies on DKIM (or SPF) passing to decide what to do with unauthenticated mail. If you’re not signing with DKIM, even a properly configured DMARC policy won’t protect your domain.

When DKIM is set up correctly, mailbox providers like Gmail and Outlook see your emails as trustworthy. That means higher delivery rates to the inbox instead of the spam folder. Marketing campaigns, password resets, and customer support replies all reach their destination.

If DKIM is missing or misconfigured, legitimate emails can be flagged as suspicious. Important messages go missing. Your company’s reputation with email providers slowly erodes, making it harder to reach even people who want to hear from you.

Common Issues and Warning Signs

Sometimes DKIM looks like it’s configured, but it still fails silently. The signs often show up in your business results before anyone suspects a technical problem.

Common Issues

Your emails keep landing in spam or promotions folders, especially when sent to Gmail or Microsoft addresses. On a technical level, this often means TXT record missing or the public key doesn’t match the private key.
A TechSpy scan flags your domain with “DKIM not configured”. The scan checks for the subdomain records—if none exist, you’re not signing.
You start getting bounce messages or reports that emails are being rejected after turning on DMARC. That’s a sign existing DKIM records are there, but the signatures don’t align with the sending service.
Someone forwards you a phishing email that appears to come from your domain. It gets through because recipients can’t verify the message’s origin without DKIM in place.

How to Fix or Improve DKIM

If you manage your domain’s DNS, adding DKIM is a one‑time setup. If an IT team, agency, or hosting provider manages it for you, forward them the details your email provider gives you.

Once DKIM is live, emails from your domain carry a seal that inboxes around the world can trust immediately.

<!-- self-check: layer1_readable=true | fix_doable=true | no_padding=true | jargon_expanded=true -->

1Get your DKIM values from your email platform.

- In Google Workspace: Admin console > Apps > Google Workspace > Gmail > Authenticate email. Select your domain and click “Generate new record.” Copy the DNS hostname (looks like ) and the TXT record value (long string starting with ).

- In Microsoft 365: Security & Compliance > Threat management > DKIM. Enable DKIM for your domain and copy the published CNAME records, or manually create TXT records if you prefer.

2Add the TXT record to your domain’s DNS.

Log into wherever you manage your domain’s DNS (like GoDaddy, Cloudflare, or your hosting provider). Create a new TXT record using the exact hostname and value your email provider gave you. If you see a “selector” field, that’s the first part of the hostname (for example, from ).

3Wait for DNS changes to spread.

This can take a few minutes to 48 hours, depending on your DNS provider and the TTL (time‑to‑live) setting.

4Turn on signing.

Back in your email platform’s settings, tell it to start signing outgoing emails with DKIM. In Google Workspace, click “Start authentication.” In Microsoft 365, toggle DKIM to “Enabled.”

5Test your setup.

Use TechSpy’s free email security scan to confirm DKIM is passing—it will show your domain’s current DKIM records and whether signatures verify correctly.

See how your domain's configuration stacks up.

Get a free scan — no sign-up, no credit card.

Scan Your Domain Free →