Understanding DKIM: How it works and why it’s necessary

You may know DKIM as an added layer of authentication for email. It proves you are who you claim to be through records and a secure signature. Did you also know that DKIM can help with deliverability?



Are you who you say you are, or are you a spoofer in disguise? Answering this question is what DKIM is all about.

As email usage and capabilities continue to grow, it’s important to make sure that your sender reputation is staying positive and secure. One of the best ways to do this is to use DKIM (DomainKeys Identified Mail). If the idea of yet another email acronym is throwing you off, don’t be alarmed.

Below, we’ll walk through the basics and benefits of DKIM to illuminate its purpose and value to sender reputation.

What is DKIM?

DKIM is an email authentication protocol that your email recipients can use to verify you are the true sender of a message. It ensures that nobody has used your domain or other identifiers to impersonate you or your company. DKIM has become an authentication standard in the email world necessary for both bulk marketing and transactional campaigns. A message sent without DKIM and/or SPF can be considered suspicious by different email analysis tools.

How does DKIM work?

DKIM is a tale of two keys. One key is private and stored on your SMTP server or in your listed domain, and the other is a public key registered in the DNS that others can use to verify your sender identity. The receiving mail server validates these two keys against one another. Matching keys open the door to deliverability. Mismatched keys trigger alarms and land you in spam.

Image shows DKIM signature sent to the receiving mail server which validates it against the public DKIM key and sends it to the inbox or to spam if the keys do not match.

There are a few important elements in DKIM authentication, including DKIM signatures and DKIM records. Let’s see what they are and what role they play in this process.

What is a DKIM signature?

The main component of DKIM is the DKIM signature, a header that is attached to your email messages which your recipient can use for verification. How you generate DKIM keys varies depending on your provider but some basic recurring variables of the signature are:

  • “d=” refers to the signing domain associated with a selector record to locate a public key. Messages from Mailgun are identified as “”.

  • “b=” refers to the message’s unique DKIM signature of headers and body, encoded with Base64.

  • “bh” refers to a digital hash value that contains your encrypted private key (canonicalized by Base64) so it can be verified by the recipient.

Image shows a cURL example of a DKIM signature with examples of the variables from the previous list.

Did you know? Base64 is used to safely carry data that has been encrypted, or stored, in a binary format over channels that usually only support text, like HTML and CSS.

Just like with adding your John Hancock to a document, your DKIM signature should be the last thing added to an out bounding message. Why? Modifications to an email’s content or its headers will alter its cryptographic hash (encoded information about the email content sent along with your encrypted key). Once sent, your DKIM signature – containing your encrypted private key– is validated by the recipient server.

What is a DKIM record?

A DKIM record is part of your DNS records. Its purpose is to store the public domain key(s) – string of randomly generated characters – you use for DKIM. A simplified way of looking at it is to say that a DNS record is a listing of a domain and its IP address, and the DKIM record is a TXT record within the DNS record that contains a key used for email authentication.

If you don’t set up a DKIM record with your personal domain information, some email providers, like Google Mail, use their own default DKIM in your messages. However, it is always best to create your own specific DKIM records. Specific, endorsed records make verification and troubleshooting easier for both sender and recipient.

Need to set up multiple keys for your domain? Use a DKIM selector to set up multiple delivery services from a domain, or to send from a subdomain.

What are DKIM record checks?

A DKIM record check is pretty much what it sounds like – it means that you’re validating DKIM records to ensure they’re correct. DKIM record checks are particularly useful if you’re sending emails via SMTP. SMTP protocols don’t automatically include these layers of authentication, making them more vulnerable to spam and email-based hacks than sending via API.

DKIM record checks show the domain used to sign the DKIM signature, and validate that the email was authorized by the domain owner. Curious how to verify a record? Try it out with this handy DKIM checker tool.

Why is DKIM important?

DKIM provides protection for the reputation of your organization and the integrity of its email program. It offers domain protection against phishing and “spoofing” scams, especially when used with DMARC and SPF. DKIM is difficult to spoof since it detects inconsistencies in email headers and other unauthorized changes.

What are the benefits of DKIM?

Additionally, DKIM boosts your reputation. Because your messages can be verified, they are more likely to be trusted and recognized. Knowing that your emails are secure helps recipients feel more comfortable when they’re in contact with you. This can lead to more two-way communication between you and your email list, and help strengthen relationships with your customers.

DKIM helps ensure deliverability. Without a DKIM signature and valid records, recipients’ SMTP servers are significantly more likely to block your emails and mark them as spam . Remember we said that SMTP doesn’t have built-in layers of authentication? Well, if you provide it you’re that much more likely to land in the inbox.

How to set up DKIM with Mailgun

Mailgun requires a verified DKIM key via DNS check before a domain can send from its platform. Keep your messages as secure as possible by customizing your key. Instead of using a provider’s standard DKIM, you’re prompted to set up verification details that are specific to your domain and are associated with your organization. This keeps your emails easily identifiable by recipients—and it keeps your DKIM records recognizable and changeable for you and your team.

Below is a step-by-step guide on how to customize your DKIM with Mailgun.

Verify your domain

Add a domain you own and verify it by setting up the DNS record we provide (this is the DKIM record) at your DNS provider. An example is below.

1. Add your domain or subdomain in the Domains tab of the Mailgun control panel, or via the API.

2. Choose your DKIM key length. Longer keys equal more protection from spammers.

Mailgun verify domain dashboard

Add your records

3. Open your DNS provider and add the DKIM TXT DNS record provided. This record can be found in the Domain Verification & DNS section of the domain settings page of the Mailgun control panel.

Mailgun DNS records dashboard

4. If you want Mailgun to track clicks and opens you can also add the CNAME record.

5. MX records should also be added, unless you already have MX records for your domain pointed at another email service provider (e.g., Gmail).

Mailgun receiving records dashboard

Once you’ve added the records and they’ve propagated, your domain will be verified. Note: it can take 24-48 hours for DNS changes to be verified.

Common DNS Provider Documentation

Common providers are listed below. If yours is not listed, contact your DNS provider for assistance:

Now you’re all set! If you get stuck, check out our documentation for more in-depth information on DKIM and step-by-step setup guides.

What you need to remember about DKIM and its usage

Why be vulnerable when you can be validated? DKIM is encrypted proof of your sender identity. It’s a useful tool that you can (and should) use to send email to your mailing list. By “signing” your emails, you signal that your organization is trustworthy.

DKIM offers your recipients protection from fraud, and boosts your sender reputation and deliverability rate by confirming your secure identify. It’s a small but crucial step – alongside other best practices, like cleaning and validating your email list – that strengthen your email program.

Need more help convincing mailbox providers you're really not a spammer in disguise? Learn more about email authentication, SPF, and DMARC, in our blog, and subscribe to our newsletter to stay in the loop.

Keep me posted! Get our news and tips every week.

Send me the newsletter. I expressly agree to receive the newsletter and know that I can easily unsubscribe at any time.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Related readings

Email authentication: Your ID card for sending

Think about it this way: Email authentication lets mailbox providers know that you are who you say you are, and your emails are coming from you and not a spammer. It’s kind of like...

Read more

How to conduct a comprehensive email deliverability audit

It usually starts with a sneaking suspicion that something is wrong with email deliverability...

Read more

Misfit email series: My email isn’t authentic enough

In my last article, I touched on the basics and background behind the various authentication ...

Read more

Popular posts

Email inbox.

Build Laravel 10 email authentication with Mailgun and Digital Ocean

When it was first released, Laravel version 5.7 added a new capability to verify user’s emails. If you’ve ever run php artisan make:auth within a Laravel app you’ll know the...

Read more

Mailgun statistics.

Sending email using the Mailgun PHP API

It’s been a while since the Mailgun PHP SDK came around, and we’ve seen lots of changes: new functionalities, new integrations built on top, new API endpoints…yet the core of PHP...

Read more

Statistics on deliverability.

Here’s everything you need to know about DNS blocklists

The word “blocklist” can almost seem like something out of a movie – a little dramatic, silly, and a little unreal. Unfortunately, in the real world, blocklists are definitely something you...

Read more

See what you can accomplish with the world's best email delivery platform. It's easy to get started.Let's get sending
CTA icon