DKIM
DKIM is an email authentication method that uses cryptographic signatures to prove a message was authorized by the sending domain and was not altered in transit. The sender publishes a public key in DNS, while the outbound mail server signs selected headers with a private key. Receiving servers verify the signature to improve deliverability and reduce spoofing and phishing.
How It Works
DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing email. Your mail server or email-sending application signs parts of the message (commonly headers like From, To, Subject, Date, Message-ID, and sometimes the body) using a private key. The signature is placed in a DKIM-Signature header that includes details such as the signing domain (d=), a selector (s=), and which headers were signed (h=).
The corresponding public key is published in DNS as a TXT record at selector._domainkey.yourdomain.tld. When a receiving mail server gets the message, it looks up that DNS record, retrieves the public key, and verifies the signature. If verification succeeds, the receiver gains confidence that the email was authorized by the domain and that the signed portions were not modified after signing. If it fails, the message may be treated as suspicious, especially when combined with SPF and DMARC policies.
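The following Python sketch is an added example, not part of the original page. It shows the first steps a receiver takes with the DKIM-Signature header described above: split it into tags, confirm the tags RFC 6376 requires are present and that From is listed in h=, and build the selector._domainkey name to look up. The function names and the sample header (selector mail2024, domain example.com) are constructed for illustration, and no DNS query or signature verification is performed.

```python
import re

REQUIRED_TAGS = {"v", "a", "b", "bh", "d", "h", "s"}  # mandatory in RFC 6376

def parse_dkim_signature(value):
    """Split a DKIM-Signature header value into a {tag: value} dict."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, val = part.partition("=")  # base64 '=' padding stays in val
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # b= and bh= are base64 and may contain folding whitespace
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val.strip()
    return tags

def key_record_name(tags):
    """DNS name of the TXT record holding the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def precheck(value):
    """Return (dns_name, problems) for a DKIM-Signature header value."""
    tags = parse_dkim_signature(value)
    problems = [f"missing required tag {t}=" for t in sorted(REQUIRED_TAGS - tags.keys())]
    if problems:
        return None, problems
    signed = [h.strip().lower() for h in tags["h"].split(":")]
    if "from" not in signed:
        problems.append("From is not listed in h=, so the visible sender is unsigned")
    return key_record_name(tags), problems

# Constructed sample header value (not a real signature)
SAMPLE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024;\r\n"
    "\th=from:to:subject:date:message-id;\r\n"
    "\tbh=Y29uc3RydWN0ZWQtYm9keS1oYXNo;\r\n"
    "\tb=Y29uc3RydWN0ZWQtc2lnbmF0dXJl\r\n"
    "\t ZGF0YQ=="
)

if __name__ == "__main__":
    print(precheck(SAMPLE))
```

A header that passes this pre-check still has to be verified against the public key retrieved from the returned DNS name before it counts as a DKIM pass.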
Why It Matters for Web Hosting
For hosting buyers, DKIM is a practical deliverability feature: it helps transactional and marketing emails reach inboxes and reduces the chance your domain is used for spoofing. When comparing hosting plans, check whether the provider supports DKIM for the mail service you will use (built-in mailboxes, SMTP relay, or app-based sending), offers simple DNS management, and integrates DKIM with SPF and DMARC so you can enforce consistent authentication across all senders.
Common Use Cases
- Authenticating transactional email from web apps (password resets, receipts, notifications)
- Improving inbox placement for newsletters and bulk campaigns
- Protecting a brand domain from spoofed From addresses used in phishing
- Signing email sent through third-party services on behalf of your domain
- Supporting DMARC alignment requirements for stricter anti-spoofing policies
DKIM vs SPF
SPF validates whether the sending server IP is allowed to send mail for a domain by checking DNS-published IP rules, but it does not cryptographically protect message content and can break when mail is forwarded. DKIM validates a cryptographic signature tied to the domain and survives many forwarding scenarios because verification relies on the signature and DNS key, not the original sending IP. In practice, hosting setups commonly use both, with DMARC defining how receivers should handle failures and requiring alignment between the visible From domain and the authenticated identifiers.