What is DKIM?
DKIM stands for DomainKeys Identified Mail. It's a method of cryptographically signing outgoing email so that receiving servers can verify the message genuinely came from your domain and wasn't modified in transit.
Think of it as a digital signature on every email your domain sends.
How DKIM works
When you configure DKIM for a service:
- The sending service generates a public/private key pair
- You publish the public key as a DNS record on your domain
- The sending service signs every outgoing message with the private key
- Receiving servers look up your public key and verify the signature
If the signature is valid, DKIM passes. If the message was tampered with, or the signature doesn't match, DKIM fails.
What a DKIM DNS record looks like
DKIM records are published at a specific subdomain in the format selector._domainkey.yourdomain.com. For example:
selector1._domainkey.catsnackjack.com
The selector identifies which key pair was used. Microsoft 365 uses selector1 and selector2. Google uses google. Mailchimp uses k1.
The record content looks something like this:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
You don't need to understand the key content — you just need to publish the record your email service provides.
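A way to sanity-check a record value before or after publishing it, as an added example that is not from the original page or from any email provider: it builds the lookup name, parses the tag list, flags a missing, revoked or malformed p= key, and reads the RSA key size. The function names and the SAMPLE record (a filler modulus, not a real key) are assumptions made for illustration.

```python
import base64

def dkim_query_name(selector, domain):  # DNS name a receiver looks up
    return f"{selector}._domainkey.{domain}"

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_key_bits(der):
    """Modulus size of an RSA SubjectPublicKeyInfo, the structure p= carries."""
    _, spki, _ = _tlv(der, 0)        # outer SEQUENCE
    _, _, alg_end = _tlv(der, spki)  # skip AlgorithmIdentifier
    _, bits, _ = _tlv(der, alg_end)  # BIT STRING wrapping RSAPublicKey
    _, rsa, _ = _tlv(der, bits + 1)  # +1 skips the unused-bits byte
    _, n0, n1 = _tlv(der, rsa)       # first INTEGER is the modulus
    return int.from_bytes(der[n0:n1], "big").bit_length()

def check_dkim_record(txt):
    """Parse a DKIM TXT value into tags; return (tags, findings)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= is not DKIM1")
    p = tags.get("p")
    if not p:
        findings.append("p= missing or empty (empty means the key is revoked)")
    else:
        try:
            der = base64.b64decode(p, validate=True)
            if tags.get("k", "rsa") == "rsa" and rsa_key_bits(der) < 2048:
                findings.append("RSA key under 2048 bits (RFC 8301 recommends 2048 or more)")
        except (ValueError, IndexError):
            findings.append("p= is not a usable key (truncated or malformed)")
    return tags, findings

# Constructed placeholder: 1024-bit RSA key structure with a filler modulus, not a real key.
_HDR = bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100")
SAMPLE = "v=DKIM1; k=rsa; p=" + base64.b64encode(_HDR + b"\xc3" * 128 + b"\x02\x03\x01\x00\x01").decode()
```

Running check_dkim_record on the shortened record shown above reports an unusable key, which is the same result you would see if a DNS editor cut off a long p= value when you pasted it.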
Setting up DKIM by service
Most services have a setup wizard that generates the DNS records for you:
| Service | Where to set up DKIM |
|---|---|
| Microsoft 365 | Microsoft 365 Defender → Email authentication settings |
| Google Workspace | Admin Console → Apps → Gmail → Authenticate email |
| Mailchimp | Account → Domains → Authenticate |
| SendGrid | Settings → Sender Authentication → Domain Authentication |
| HubSpot | Settings → Marketing → Email → Authentication |
Sentura's action items will tell you exactly which services need DKIM configured and link you to the right setup page.
DKIM vs SPF
| | SPF | DKIM |
|---|---|---|
| What it checks | Sending server IP address | Cryptographic signature on message |
| Where it's configured | Single TXT record at domain root | TXT records per selector per domain |
| Survives forwarding? | No — forwarded mail often fails SPF | Yes — the signature travels with the message |
| Who configures it | You (in your DNS) | The sending service generates the keys |
DKIM is generally more reliable than SPF because it survives email forwarding — SPF often fails for forwarded messages because the forwarding server's IP isn't in your SPF record.
Why both matter
DMARC requires at least one of SPF or DKIM to pass and align with your From: domain. Having both configured gives you redundancy — if SPF fails for a forwarded message, DKIM can still pass and your DMARC won't fail.
For DMARC enforcement, you want every legitimate sending service to be passing both SPF and DKIM.