What Is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that attaches a cryptographic signature to outgoing messages. The sending server signs specified headers and the message body with a private key, and the corresponding public key is published in the sending domain's DNS. Receiving servers use this public key to verify the signature, confirming the message was sent by an authorized server and was not modified in transit.
How DKIM signing and verification works
When your mail server sends a message, DKIM selects specific headers (typically From, To, Subject, Date, and the body hash) and generates a cryptographic hash. This hash is signed with your domain's private key and added as a DKIM-Signature header in the outgoing message.
The receiving server extracts the DKIM-Signature, retrieves your public key from DNS using the selector and domain specified in the signature, and independently recalculates the hash. If the calculated hash matches the signed hash, the message is verified as authentic and unmodified. Any change to the signed headers or body — even adding a single character — causes verification to fail.
DKIM and email deliverability
DKIM is one of three pillars of email authentication alongside SPF and DMARC. Together they prove that a message is from who it claims to be from (SPF verifies the sending server, DKIM verifies the message integrity, and DMARC aligns them with a policy). Email providers increasingly use all three signals to make inbox placement decisions.
DKIM provides protection that SPF cannot. SPF verifies the sending server's IP at the network level, but DKIM protects the message content through cryptography. This means DKIM still works when mail is forwarded through intermediate servers that would break SPF alignment. For businesses concerned with deliverability, implementing both provides the strongest authentication posture.
DKIM in disposable email context
Like SPF, DKIM configuration can serve as a minor signal in domain analysis. Well-established email providers publish DKIM keys and sign their outbound mail. Some disposable email providers skip DKIM entirely because their users are receiving, not sending, and the operational overhead of signing outbound messages is unnecessary for their use case.
However, DKIM presence or absence is not a reliable disposable detection signal on its own. Detection systems like DisposableCheck use dedicated domain-reputation databases and MX analysis rather than relying on authentication records, which are more relevant to sender verification than provider classification.
Frequently asked questions
Does DKIM encrypt my emails?
No. DKIM signs a hash of the message for integrity verification, but the message content remains in plain text. For encryption in transit, TLS is used. For end-to-end encryption, S/MIME or PGP is needed.
What is a DKIM selector?
A selector is a label that identifies which DKIM key to use for verification. It allows a domain to have multiple active DKIM keys, which is useful when rotating keys or using different keys for different mail systems.
Can DKIM fail even if I configured it correctly?
Yes. Mailing list software, forwarding services, or security gateways that modify message headers or body content can break DKIM signatures. This is one reason DMARC policies should account for both SPF and DKIM alignment.
Check any email address for free
Test whether an email is from a disposable provider instantly, or integrate the check into your application with the free API.
Related terms
An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. When a receiving server gets a message claiming to be from your domain, it checks your SPF record to verify the sending server is on the authorized list. Messages from unauthorized servers can be flagged, quarantined, or rejected.
Domain reputation is a score that email service providers assign to your sending domain based on your email sending history, bounce rates, spam complaints, engagement patterns, and authentication configuration. It determines whether your messages reach the inbox, land in spam, or get blocked entirely.
Email deliverability is the measure of how successfully your outbound emails reach recipients' inboxes rather than being filtered to spam, bounced, or silently dropped. It depends on sender reputation, authentication, content quality, list hygiene, and the receiving server's filtering policies.
Email verification is the process of confirming that an email address exists, is correctly formatted, and can receive messages. It typically involves syntax checks, domain and MX record validation, and sometimes SMTP-level handshake probing to determine whether the mailbox is live without actually sending a message.
Related articles
View all postsRate Limiting as an Anti-Spam Tool
A practical guide to using rate limiting for anti-spam defense across outbound email, account creation, and disposable email abuse patterns.