DKIM (DomainKeys Identified Mail)
An email authentication method that uses cryptographic signatures to verify that an email was sent by the domain it claims to be from.
What is DKIM?
DKIM, or DomainKeys Identified Mail, is an email authentication protocol that attaches a digital signature to every outgoing message. This signature is generated using a private cryptographic key held by the sending server and can be verified by anyone using the corresponding public key published in the sender’s DNS records. DKIM proves two things: that the email genuinely originated from the claimed domain, and that the message body was not altered in transit.
How DKIM Works
When your mail server sends a message, it computes a hash of specific headers and the message body, then signs that hash with your private key. The resulting signature is added to the email as a DKIM-Signature header. The receiving server reads this header, extracts the selector and domain, performs a DNS lookup to retrieve the public key, and uses it to check the signature against its own hash of the received message. If they match, the DKIM check passes.
A DKIM DNS record is published as a TXT record at a subdomain like selector._domainkey.yourdomain.com. The selector is a label you choose, and many email providers assign one automatically when you set up your account.
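The Python below follows the receiving server's first steps as described above: it parses a DKIM-Signature header, derives the DNS name to query from the selector and domain, and recomputes the body hash to compare with the header's bh= tag. It is an added example, not part of the original page or any provider's code; example.com, sel2024 and the b= and p= values are constructed, and verifying the b= signature with the public key is outside this example.

```python
import base64, hashlib, re

def parse_tags(value):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM-Signature and the key TXT record."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is ignorable
    return tags

def key_record_name(sig):
    """DNS name the verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def canon_body(body, mode):
    """Body canonicalization from RFC 6376 section 3.4: 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of spaces/tabs, drop trailing whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end of the body are ignored
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, mode):
    """Value of the bh= tag for a *-sha256 signature."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def check_body(sig, body):
    """True if the received body still matches bh=. The l= tag is not handled here."""
    c = sig.get("c", "simple/simple")
    mode = c.split("/")[1] if "/" in c else "simple"  # body algorithm defaults to simple
    return body_hash(body, mode) == sig["bh"]

def key_record_problems(txt):
    """Flag a key record that cannot verify anything (TXT found at key_record_name())."""
    key = parse_tags(txt)
    return [] if key.get("p") else ["p= missing or empty (empty p= marks a revoked key)"]

# Constructed sample data: domain, selector and b= value are placeholders.
SENT = b"Hi,\r\n\r\nInvoice  attached. \r\n\r\n"
SIG = parse_tags("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
                 " h=from:to:subject; bh=" + body_hash(SENT, "relaxed") + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print(key_record_name(SIG))
    print(check_body(SIG, SENT), check_body(SIG, SENT.replace(b"Invoice", b"Payment")))
```

With relaxed canonicalization a whitespace-only change in the body still passes, while any change to the words does not.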
Why DKIM Matters for Cold Email
DKIM is one of the three pillars of email authentication, alongside SPF and DMARC. For cold email senders, passing DKIM is essential because it directly affects inbox placement decisions. Email providers weigh DKIM results heavily. A consistent DKIM pass builds domain reputation over time, while DKIM failures signal potential spoofing and push messages toward spam.
Setup Considerations
Most email service providers generate DKIM keys for you and provide the DNS record you need to publish. The critical step is making sure the record is correctly added to your DNS and that the selector matches what your provider expects. Use a DKIM verification tool to confirm your setup is working before you begin sending. If you rotate sending infrastructure or add new email providers, each one will need its own DKIM key configured.
Outspun & DKIM
With Outspun’s managed infrastructure, DKIM keys are generated and published automatically for every domain. We handle the selector configuration, DNS record creation, and verification — so you never have to manually add DKIM TXT records or debug signing failures.
Keep learning
DMARC (Domain-based Message Authentication, Reporting and Conformance)
An email authentication protocol that builds on SPF and DKIM to give domain owners control over what happens to unauthenticated email.
SPF (Sender Policy Framework)
A DNS record that specifies which mail servers are authorized to send email on behalf of your domain.