DKIM Explained: How Email Signing Works and Why You Need It

Every email your server sends carries invisible data that receiving servers use to decide whether your message is legitimate. DKIM — DomainKeys Identified Mail — is one of those signals. It works by cryptographically signing parts of your outgoing email using a private key, then publishing the matching public key in your DNS so receiving servers can verify the signature.
When DKIM works correctly, it proves two things: the message genuinely came from your domain, and nothing in the signed portions was altered in transit. For email that gets forwarded, DKIM is especially important because — unlike SPF — DKIM signatures survive forwarding intact.
How DKIM Signing Works
DKIM operates using a public/private key pair. Here's the process end to end:
- Your mail server (or your email service provider) generates a key pair when you set up DKIM.
- The private key is stored on your sending infrastructure and used to sign each outgoing message.
- The public key is published in your DNS as a TXT record under a specific selector subdomain.
- When a receiving server gets your message, it reads the DKIM signature from the email headers, fetches your public key from DNS, and uses it to verify the signature.
A DKIM signature in the message headers looks something like this:
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=maildog;
h=from:to:subject:date;
bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
b=AbCdEfGhIjKlMnOpQrStUvWxYz...
The d= field is the signing domain, s= is the selector used to find the public key in DNS, h= is the list of headers that were signed, and b= is the actual cryptographic signature value.
Setting Up DKIM
The setup process depends on whether you're using a managed email service or running your own mail server.
Using a Managed SMTP Service
When you use a service like MailDog's SMTP relay, DKIM signing is handled on the infrastructure side. You'll be given a DKIM public key and a selector to add to your DNS. The typical steps are:
- Log into your MailDog account and navigate to domain settings.
- Copy the DKIM TXT record value provided — it will be a long string of characters representing your public key.
- Add a TXT record to your DNS under the provided selector:
selector._domainkey.yourdomain.com - Wait for DNS propagation (usually under an hour) and verify using the methods below.
On a Self-Managed Mail Server
If you're running your own MTA, you'll generate the key pair yourself and configure DKIM signing in your mail server software. For Postfix, OpenDKIM is the most widely used approach. The key point is to choose a strong key length — RSA-2048 is the current recommended minimum. Anything shorter is considered weak by modern mail security standards.
Understanding the DKIM DNS Record
Your DKIM public key lives at a specific subdomain:
selector._domainkey.yourdomain.com
The selector is an arbitrary string you choose or that your provider assigns. It allows you to have multiple DKIM keys active simultaneously — useful for key rotation or authorizing multiple sending services. Common selectors include names like mail, s1, or the name of the email provider.
The DNS record itself looks like:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
The p= value is the public key. When rotating keys, you add a new selector with the new key, update your signing configuration to use it, then remove the old selector from DNS after a few days to allow time for any in-flight messages to clear.
What DKIM Protects Against
DKIM provides two main protections:
- Domain spoofing: An attacker can't convincingly send email from your domain without your private key. Even if they put your domain in the From header, the DKIM signature will be absent or invalid.
- Message tampering in transit: DKIM signs specific headers and the message body hash. If anything in the signed portions is modified during transit — by a compromised relay or malicious intermediary — the signature will fail verification.
DKIM does not encrypt the message content, and it doesn't prevent someone from registering a lookalike domain and signing their own legitimate DKIM on messages from that lookalike. That's where DMARC comes in — DMARC ties SPF and DKIM alignment back to the visible From domain and allows you to set an enforcement policy for your domain.
Verifying Your DKIM Setup
Check that your DNS record is in place:
dig TXT selector._domainkey.yourdomain.com
Replace selector with your actual selector name. You should see a record containing v=DKIM1 and your public key string.
To verify end-to-end signing, send a test email to an inbox you control and look at the received message headers:
dkim=pass header.i=@yourdomain.com
If you see dkim=fail, the signature verification failed — check that your DNS record is correct and that the private key on your server matches the published public key. If you see dkim=none, signing isn't happening at all, which means the DKIM integration in your sending software isn't configured.
Common DKIM Problems
- DNS record not propagated yet. After adding a DKIM record, wait up to an hour before testing. TTL values affect how quickly changes are visible globally.
- Key mismatch. If your server's private key doesn't match the public key in DNS, signatures fail. This typically happens after a key rotation where one side was updated but not the other.
- Body hash mismatch. Some email processing systems — mailing list software, certain forwarding setups — modify the message body, breaking the DKIM body hash. If you see
dkim=fail (body hash did not verify), the message was altered in transit after signing. - Weak key length. Keys shorter than 1024 bits will fail on many modern receiving systems. Use RSA-2048 as the minimum.
DKIM is a non-negotiable part of any serious email authentication setup. Combined with SPF and DMARC, it forms the three-layer system that every major mailbox provider now expects from legitimate senders. For full setup guidance and DNS configuration templates, visit the MailDog DNS security page or the documentation. If you have questions about how authentication affects your deliverability, the MailDog support team is available to help.


