DKIM explained
DKIM attaches a cryptographic signature to a message. The receiver retrieves the public key from DNS and verifies the signature against the message headers and body.
How DKIM works
A sending platform signs selected headers and the message body using a private key and adds the result as a DKIM-Signature header, which names the signing domain and the selector. The matching public key is published in DNS at a selector hostname such as selector1._domainkey.example.com, so the receiver knows exactly which record to fetch.
Selectors and DNS
Selectors let you use multiple DKIM keys under the same domain. This makes key rotation easier and allows different systems to sign with different selectors.
Tip: Use descriptive selectors and document which platform owns each one.
Why DKIM fails
- The selector record is missing or malformed.
- The public key does not match the private key used for signing.
- A downstream system modifies headers or body content after signing.
- The signature references the wrong domain.
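The lookup and the body-hash check described above, as an added example (not code from the original page): it parses a constructed DKIM-Signature header, builds the selector hostname, recomputes the bh= body hash with "simple" canonicalization so that a body modified after signing is caught, and checks d= alignment with the From domain; the header, body, "GatewayScanner" footer and placeholder b= value are constructed, and the relaxed-alignment rule is a simplification that does not consult the public suffix list.

```python
import base64
import hashlib
import re

def parse_dkim_signature(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs.
    Folding whitespace inside values (common in b= and bh=) is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def selector_record_name(tags):
    """DNS name the receiver queries (TXT) for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: normalize to CRLF line endings,
    drop all empty lines at the end, and finish with exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return re.sub(r"(\r\n)+$", "", body) + "\r\n"

def body_hash(body):
    """The bh= value a signer computes for rsa-sha256 with simple body canonicalization."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def body_unmodified(tags, body):
    """Recompute bh= over the received body. A mismatch means something altered
    the body after signing, so the signature cannot verify."""
    return tags["bh"] == body_hash(body)

def dmarc_aligned(tags, from_domain, strict=False):
    """DMARC alignment between d= and the visible From domain. Relaxed mode here
    accepts parent/child domains (simplification: no public suffix list)."""
    d, f = tags["d"].lower(), from_domain.lower()
    if strict:
        return d == f
    return d == f or f.endswith("." + d) or d.endswith("." + f)

# Constructed sample: the body as it left the signer and the header it produced.
# The b= value is a placeholder; only the bh= step is checked here.
ORIGINAL_BODY = "Your invoice is attached.\r\nThanks,\r\nExample Billing\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=selector1;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + ";\r\n"
    " b=PLACEHOLDER_SIGNATURE_VALUE"
)
# A downstream system appending a footer after signing is the failure mode above.
MODIFIED_BODY = ORIGINAL_BODY + "-- Scanned by GatewayScanner --\r\n"
```

Run `body_unmodified(parse_dkim_signature(SAMPLE_SIGNATURE), MODIFIED_BODY)` to see the footer case return False while the original body returns True.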
DKIM best practice
- Use DKIM on every legitimate sending platform.
- Rotate keys periodically.
- Use a sending subdomain where appropriate.
- Check alignment with your visible From domain for DMARC.