DKIM explained

DKIM signs each message with a private key and publishes the public key in DNS. Here's how signing and the selector work, what the signature protects, and why it survives forwarding.

What DKIM is

DKIM (DomainKeys Identified Mail) has your mail server cryptographically sign every outgoing message with a private key, and publishes the matching public key in DNS. The receiver verifies the signature, which proves two things at once: the message really came from your domain, and it wasn’t altered on the way. It is the integrity leg of authentication, and unlike SPF, it survives forwarding.

How signing works

The sending server hashes the body and a chosen set of headers, signs that hash with its private key, and attaches the result as a DKIM-Signature header. The receiver fetches the public key from DNS, recomputes the hashes over the message as received, and checks the signature against them.

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
  h=from:to:subject:date;
  bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
  b=AuUoFEfDxTDkHlLXSZEpZj79LICEps6ea7AKbgYHDQ...

The d= tag is your domain, s= is the selector, bh= is the body hash, and b= is the signature itself.

The selector

A domain can run several DKIM keys at once: one per sending provider, or an old and a new key during a rotation. The selector (the s= tag) names which key signed a given message, and the receiver looks it up at selector._domainkey.yourdomain. Because the selector is chosen by your sending provider and can’t be enumerated from DNS, a domain’s SPF and DMARC can be verified automatically but its DKIM cannot without knowing the selector, a limitation any honest checker has to state rather than guess around.

The record

selector1._domainkey.example.com.  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3...IDAQAB"

What the signature protects

The signature covers a hash of the body and the specific headers listed in h= (typically From, To, Subject, Date). Change any signed part after signing and verification fails, which is the whole point. From is always signed; that is what binds the message to your domain and lets DMARC check alignment. See the deliverability guide for how DKIM fits the bigger picture.
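The signing steps from "How signing works" and the header coverage described in this section, worked through as an added example (this is not code from the page or from any mail provider): it parses the DKIM-Signature tag list, computes the bh= body hash under the simple canonicalization the example header implies (it has no c= tag), assembles the signed-header bytes named by h=, and then shows that a forwarding hop's added Received header leaves the signed data untouched while an edit to the signed Subject does not. The message headers, body and the PLACEHOLDER b= value are constructed; the example stops at the hashing and canonicalization steps and does not perform the RSA operation itself.

```python
import base64
import hashlib
import re

# Constructed sample message (not from the page). Headers are (name, value) pairs
# in top-to-bottom wire order; the body uses CRLF line endings as on the wire.
SAMPLE_HEADERS = [
    ("Received", "from mail.example.com by mx.example.net; Mon, 01 Jan 2024 09:00:01 +0000"),
    ("From", "Alice <alice@example.com>"),
    ("To", "bob@example.net"),
    ("Subject", "Quarterly report"),
    ("Date", "Mon, 01 Jan 2024 09:00:00 +0000"),
]
SAMPLE_BODY = "Hi Bob,\r\n\r\nThe report is attached.\r\n\r\n\r\n"


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM tag=value list into a dict, dropping the folding whitespace
    that wraps long header values (like the page's example) over several lines."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def canon_body_simple(body: str) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    data = body.encode()
    while data.endswith(b"\r\n\r\n"):
        data = data[:-2]
    if not data.endswith(b"\r\n"):
        data += b"\r\n"
    return data


def body_hash(body: str) -> str:
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()


def build_signature_value(domain: str, selector: str, signed_headers: list, body: str) -> str:
    """Lay out a DKIM-Signature value like the page's example. b= is a constructed
    placeholder: this example does not compute the RSA signature."""
    return (f"v=1; a=rsa-sha256; d={domain}; s={selector}; "
            f"h={':'.join(signed_headers)}; bh={body_hash(body)}; b=PLACEHOLDER")


def verify_body_hash(sig_value: str, body: str) -> bool:
    """Receiver-side check of bh= against the body as received."""
    return parse_dkim_tags(sig_value).get("bh") == body_hash(body)


def signed_header_data(headers: list, sig_value: str) -> bytes:
    """Assemble the bytes the signature is computed over ('simple' header canonicalization):
    each header named in h=, taking the bottom-most unused instance for repeated names,
    as 'Name: value CRLF', then the DKIM-Signature header itself with its b= value
    blanked and no trailing CRLF."""
    tags = parse_dkim_tags(sig_value)
    remaining = list(headers)
    out = b""
    for wanted in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                name, val = remaining.pop(i)
                out += f"{name}: {val}\r\n".encode()
                break
    blanked = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value)
    return out + f"DKIM-Signature: {blanked}".encode()


def header_digest(headers: list, sig_value: str) -> str:
    """SHA-256 of the signed header data; the signer signs this, the verifier recomputes it."""
    return hashlib.sha256(signed_header_data(headers, sig_value)).hexdigest()


if __name__ == "__main__":
    sig = build_signature_value("example.com", "selector1", ["from", "to", "subject", "date"], SAMPLE_BODY)
    print(verify_body_hash(sig, SAMPLE_BODY))                                  # True
    print(verify_body_hash(sig, SAMPLE_BODY.replace("attached", "delayed")))   # False: body edited
    baseline = header_digest(SAMPLE_HEADERS, sig)
    # A forwarding hop prepends its own Received header, which is not listed in h=.
    hop = ("Received", "from mx.example.net by relay.forwarder.example; Mon, 01 Jan 2024 09:05:00 +0000")
    print(header_digest([hop] + SAMPLE_HEADERS, sig) == baseline)              # True: unsigned header
    edited = [(n, "URGENT: " + v if n == "Subject" else v) for n, v in SAMPLE_HEADERS]
    print(header_digest(edited, sig) == baseline)                              # False: signed header edited
```

The two header checks at the end are the forwarding argument in miniature: a relay that only adds its own trace headers leaves the signed bytes identical, so the signature still verifies at the final destination, while any change to a header named in h= (or to the body, caught by bh=) breaks it.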

Setting it up

Setting DKIM up is mostly publishing what your provider gives you: they generate the key pair, hold the private key, and hand you a selector plus a public-key TXT record to add to DNS. Once it resolves, they begin signing. Larger senders run their own keys and rotate them on a schedule, publishing a fresh selector, cutting signing over to it, then retiring the old record after the last messages signed with it have aged out. The selectors are exactly what make that hand-off clean: both keys validate during the overlap, so no message is left unverifiable mid-rotation.

FAQ

What is DKIM?

DomainKeys Identified Mail. Your mail server signs each outgoing message with a private key; the matching public key is published in DNS. The receiver fetches that public key and verifies the signature, which proves the message genuinely came from your domain and was not altered in transit. It is the integrity-and-authenticity leg of email authentication.

What is a DKIM selector?

A label that points to one specific public key, so a domain can run several keys at once (different providers, key rotations). The signature names it in the s= tag, and the receiver looks up the key at selector._domainkey.yourdomain. Because the selector is chosen by your sending provider and is not discoverable from DNS alone, you cannot verify a domain's DKIM without knowing it.

Why does DKIM survive forwarding when SPF doesn't?

DKIM signs the message itself, the headers and body, not the connection. As long as a forwarder does not modify the signed content, the signature still verifies wherever the message lands. SPF, by contrast, checks the sending server, which changes on forwarding. That durability is why DMARC can pass on DKIM alone.

What does the signature actually cover?

A hash of the message body (the bh= tag) and a chosen set of headers (the h= tag, typically From, To, Subject, Date). If any signed part is altered after signing, the hash no longer matches and verification fails. Headers not listed in h= are not protected, which is why From is always signed.

How long should a DKIM key be, and should I rotate it?

Use a 2048-bit RSA key; 1024-bit is considered weak today. Rotate keys periodically by publishing a new selector, switching signing to it, then retiring the old one. Selectors make rotation clean: you can have the old and new keys live at the same time during the switch.
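Checking a published key record, as an added example that covers both the TXT record shown under "The record" and the key-length advice in this answer (example code, not from the page or from any provider): it joins the quoted TXT chunks a zone file or dig prints, parses the tags, treats an empty p= as a revoked selector, and reads the RSA modulus size out of the DER SubjectPublicKeyInfo that p= carries so a key below the 2048-bit floor can be flagged. Because the page's p= value is truncated, the records tested here are constructed around arbitrary moduli; they are encoding fixtures, not real keys, and the helper names are this example's own.

```python
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, DER contents


def parse_dkim_record(txt: str) -> dict:
    """Parse the tag=value list of a DKIM key record. A long TXT value is shown as
    several quoted strings of up to 255 characters; join them before parsing."""
    joined = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def _der_read(data: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Size of the RSA modulus inside the SubjectPublicKeyInfo that p= carries."""
    _, spki, _ = _der_read(spki_der, 0)                # SubjectPublicKeyInfo SEQUENCE
    _, alg, after_alg = _der_read(spki, 0)              # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _der_read(alg, 0)                       # algorithm OBJECT IDENTIFIER
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("p= does not hold an rsaEncryption key")
    _, bitstr, _ = _der_read(spki, after_alg)           # subjectPublicKey BIT STRING
    _, rsa_pub, _ = _der_read(bitstr[1:], 0)            # skip unused-bits byte; RSAPublicKey SEQUENCE
    _, modulus, _ = _der_read(rsa_pub, 0)               # modulus INTEGER (may carry a leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()


def assess_record(txt: str) -> dict:
    """Report on a key record the way a checker would: version, key type, revoked
    (empty p=), and modulus size against the 2048-bit floor this FAQ gives."""
    tags = parse_dkim_record(txt)
    report = {"version_ok": tags.get("v", "DKIM1") == "DKIM1", "key_type": tags.get("k", "rsa")}
    p = tags.get("p")
    if p is None:
        report["status"] = "invalid: no p= tag"
    elif p == "":
        report["status"] = "revoked"        # an empty p= says this selector no longer signs anything
    elif report["key_type"] != "rsa":
        report["status"] = "unchecked: non-RSA key type"
    else:
        report["bits"] = rsa_modulus_bits(base64.b64decode(p))
        report["status"] = "ok" if report["bits"] >= 2048 else "weak"
    return report


# --- constructed fixtures below: the moduli are arbitrary numbers, not real keys ---

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(len_bytes)]) + len_bytes
    return bytes([tag]) + length + content


def _der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)   # keep the INTEGER positive


def make_test_spki(modulus: int, exponent: int = 65537) -> bytes:
    """DER-encode a SubjectPublicKeyInfo around a constructed modulus (encoding exercise only)."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))


def as_zone_txt(value: str) -> str:
    """Render a TXT value as a zone file does: quoted strings of at most 255 characters."""
    return " ".join(f'"{value[i:i + 255]}"' for i in range(0, len(value), 255))


def record_for_modulus(modulus: int) -> str:
    return as_zone_txt("v=DKIM1; k=rsa; p=" + base64.b64encode(make_test_spki(modulus)).decode())


STRONG_RECORD = record_for_modulus((1 << 2047) | 1)    # 2048-bit constructed modulus
WEAK_RECORD = record_for_modulus((1 << 1023) | 1)      # 1024-bit constructed modulus
REVOKED_RECORD = '"v=DKIM1; k=rsa; p="'

if __name__ == "__main__":
    for label, rec in [("strong", STRONG_RECORD), ("weak", WEAK_RECORD), ("revoked", REVOKED_RECORD)]:
        print(label, assess_record(rec))
```

The revoked case is what the end of a rotation looks like from DNS: the retired selector's record is either removed or left with an empty p=, and a checker should report that state rather than treat it as a parse error.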

Is DKIM enough on its own?

No. DKIM proves integrity and origin but carries no policy and no alignment requirement by itself: a message can have a valid DKIM signature for a domain unrelated to the visible From. DMARC adds the alignment check and the policy; SPF adds path authorization. Use all three together.

☕ KB Cafe Classic

Cryptographic mail signing is the kind of protocol detail KB Cafe was built to explain plainly. This is the modern DKIM reference: how the signature and selector work, what they protect, and the honest limit (you need the selector) that shapes how you verify it.