DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to prove that a message was sent by an authorised server for your domain, and that the message was not modified in transit.
How DKIM works
When you send an email, your mail server adds a DKIM signature to the message header. This signature is created using a private key that only your mail server holds.
When the receiving server gets the message, it looks up your domain’s public key (stored as a DNS TXT record) and uses it to verify the signature. If the signature is valid, the message is confirmed as:
- Sent by a server with access to your private key
- Unmodified between sending and receiving
DKIM vs SPF: what’s the difference?
SPF checks whether the sending server’s IP address is on your approved list. DKIM checks whether the message carries a valid cryptographic signature from an authorised key.
SPF breaks when email is forwarded (because the forwarder’s IP is not on your SPF list). DKIM survives forwarding, because the signature travels with the message and the message content has not changed.
This is why you need both SPF and DKIM — they cover different failure modes.
DKIM and inbox placement rate
In our Q1 2026 testing, domains without a DKIM record consistently scored 8-15 percentage points lower on inbox placement rate (IPR) than domains with correctly configured DKIM. Gmail and Outlook both use DKIM verification as a significant factor in spam classification.
Setting up DKIM
For Google Workspace: Admin Console > Apps > Google Workspace > Gmail > Authenticate email. Google generates the key and gives you the DNS record to add at your registrar.
For Microsoft 365: Microsoft 365 Defender > Email and Collaboration > Policies > Email authentication settings.
For Zoho Mail: Mail Admin Console > Domains > Domain Authentication > DKIM.
DKIM setup involves adding a TXT record to your domain’s DNS. DNS propagation takes 15 minutes to 48 hours.
DKIM and DMARC
DKIM is a prerequisite for DMARC. DMARC tells receiving servers what to do when SPF or DKIM checks fail. Without DKIM (and SPF), DMARC has no data to act on.
The deliverability triple lock — SPF + DKIM + DMARC — is the baseline for strong inbox placement.