Deliverability & the inbox

DKIM (DomainKeys Identified Mail)

Also known as: domainkeys · email signing

A cryptographic signing mechanism where sending servers sign each message with a private key, and receiving servers verify the signature against a public key published in DNS — proves the message wasn't altered in transit and came from an authorised sender.

DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every outgoing message. The sending server signs the message with a private key; the receiving server fetches the matching public key from the sending domain's DNS (a TXT record at selector._domainkey.domain.tld) and verifies the signature. If the signature verifies, the message passes DKIM. A pass proves two things: the message wasn't altered in transit, and it came from a server authorised to sign as the domain.

Modern DKIM uses 2048-bit RSA keys (1024-bit keys are deprecated), and best practice is to rotate keys quarterly or semi-annually. Unlike SPF, DKIM signs the actual message body and the displayed From address, which is why DMARC alignment works more reliably through DKIM than through SPF.

A broken DKIM signature, whether caused by a misconfigured selector, a private-key rotation without the matching DNS update, or wrapping of long subject lines, can mean every message fails silently.
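An added example, not part of the original glossary entry: a Python check that derives the DNS name a receiver queries from a DKIM-Signature value, then flags a missing key record, an RSA key shorter than 2048 bits, or a From header left out of the signature. The domain example.com, the selector s2024, the signature value and the key material are constructed, and all function names are assumptions of this example.

```python
import base64

def parse_tags(value):                       # DKIM tag=value list: header value or TXT record
    parts = "".join(value.split()).split(";")          # folding whitespace is not significant
    return dict(p.split("=", 1) for p in parts if "=" in p)

def _tlv(buf, pos):                          # one DER element -> (value_start, value_end)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_b64):                         # modulus size of the RSA key in a p= tag
    der = base64.b64decode(p_b64)
    start, _ = _tlv(der, 0)                  # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _tlv(der, start)            # AlgorithmIdentifier
    bit_start, _ = _tlv(der, alg_end)        # BIT STRING wrapping the key
    key_start, _ = _tlv(der, bit_start + 1)  # skip unused-bits byte; RSAPublicKey SEQUENCE
    n_start, n_end = _tlv(der, key_start)    # INTEGER modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def audit(sig_value, dns_txt, min_bits=2048):
    sig = parse_tags(sig_value)
    name = f"{sig['s']}._domainkey.{sig['d']}"         # where a receiver looks up the key
    findings = []
    if "from" not in sig.get("h", "").lower().split(":"):
        findings.append("From header is not covered by the signature")
    rec = parse_tags(dns_txt.get(name, ""))
    if "p" not in rec:
        findings.append(f"no public key published at {name}")
    elif rec.get("k", "rsa") == "rsa" and rec["p"] and (bits := rsa_bits(rec["p"])) < min_bits:
        findings.append(f"{bits}-bit RSA key is below {min_bits} bits")
    return name, findings

def _der(tag, body):                         # minimal DER encoder, used only for sample data
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(ln)]) + ln) + body

def sample_p(bits):                          # constructed p= value: dummy modulus, not a real key
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_key = _der(0x30, _der(0x02, b"\x00" + n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))   # rsaEncryption + NULL
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_key))).decode()

# Constructed inputs: a signature header value and the signing domain's TXT records.
SIG = "v=1; a=rsa-sha256; d=example.com; s=s2024; h=from:to:subject; bh=AAAA; b=AAAA"
ZONE = {"s2024._domainkey.example.com": "v=DKIM1; k=rsa; p=" + sample_p(1024)}
```

Calling audit(SIG, ZONE) reports the 1024-bit key; changing the selector in the signature to one with no TXT record reproduces the rotation-without-DNS-update failure as a missing key.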
