
What is DKIM? (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail) is an email authentication standard that lets a sending server attach a cryptographic signature to each message, which the receiving server verifies against a public key published in the sending domain’s DNS — proving the message was authorised by the domain and was not altered in transit.

How DKIM works

When a server sends a DKIM-signed message, it hashes selected headers and the body, signs that hash with the domain’s private key, and attaches the result as a DKIM-Signature header. The matching public key lives in the sending domain’s DNS as a TXT record at selector._domainkey.yourdomain.com. The receiving server reads the s= (selector) and d= (domain) tags from the signature, fetches the public key at that name, recomputes the hashes, and checks the signature against them. If both match, the message is proven to be authorised by the domain and unaltered in the signed parts.

What DKIM protects against

DKIM defends against two things: spoofing (someone sending mail that claims to be from your domain) and tampering (a relay quietly changing the body or key headers in transit). It does not encrypt the message and it does not hide the contents — it is an integrity and authenticity check, not a confidentiality one.

Key rotation

Because the selector is part of the DNS record name, a domain can publish several keys at once and rotate them without downtime: publish a new selector, start signing with it, then retire the old one once no in-flight mail relies on it. Rotating DKIM keys periodically limits the damage if a private key is ever exposed.

DKIM on PostStack

PostStack generates a DKIM key pair for every sending domain and, if your DNS is on HostStack, publishes the public key automatically. Outbound mail is signed before it leaves the relay, and the deliverability dashboard flags any drift between the key we sign with and the key currently published in DNS.

Frequently asked questions

What does DKIM do?

DKIM adds a digital signature to the header of every outgoing email. The receiving mail server fetches the sender’s public key from DNS (at selector._domainkey.yourdomain.com) and uses it to verify the signature. A valid signature proves two things: the message genuinely came from a server authorised by the domain, and the signed parts of the message were not modified between sending and delivery.

What is a DKIM selector?

A selector is a label that lets a single domain publish more than one DKIM key at a time — useful for key rotation or for using different keys per sending service. It appears in the DNS record name as selector._domainkey.yourdomain.com and in the email’s DKIM-Signature header as the s= tag, so the receiver knows which key to fetch.

Is DKIM enough on its own?

No. DKIM proves a message is authentic and unaltered, but it does not tell receivers what to do with mail that fails. You pair DKIM with SPF (which authorises sending IPs) and DMARC (which sets the policy and alignment rules and turns on reporting). All three together are what mailbox providers like Gmail and Yahoo now effectively require for bulk senders.


EU-hosted email with auth done for you

PostStack publishes SPF, DKIM, and DMARC automatically and runs entirely on EU infrastructure. 3,000 emails/month free.