DNS and email

What is DKIM?

DKIM signs email so the receiver can verify that the message was not changed and that the right domain signed it.

Short answer

DKIM uses a private key at the sender and a public key in DNS under a selector.

Selectors

A DKIM selector is a name pointing to the right DNS record, for example selector1._domainkey.example.com.

What DKIM protects

DKIM can show that parts of the message were signed by the domain and were not changed in transit.

DKIM and DMARC

For DMARC, the DKIM signature also needs to align with the From domain, otherwise it is not enough for DMARC pass.

Common questions

Where do I find my selector?

It is often shown in the email service DNS instructions or in the DKIM-Signature header of a sent message.

Can a domain have several DKIM selectors?

Yes, that is common with multiple email services or key rotation.

More guides

DNS and email

What are DNS records?

DNS records explained: what A, AAAA, MX, TXT, CNAME, NS, CAA and SOA mean and how they affect websites, email and domain security.

Read guide DNS and email

What is an MX record?

MX records explained: how mail servers are prioritized, which DNS mistakes stop delivery and how MX connects with SPF and DMARC.

Read guide DNS and email

What is SPF?

SPF explained: which servers may send email for a domain, common SPF mistakes and why SPF should be combined with DKIM and DMARC.

Read guide