DEmail Deliverability Glossary

DKIM (DomainKeys Identified Mail)

An authentication method that attaches a cryptographic signature to outgoing emails, proving the message was sent by an authorized server and not altered in transit.

DKIM is an email authentication method that attaches a cryptographic digital signature to outgoing emails. It proves that the email was sent by an authorized server and was not altered in transit.

How DKIM works:

Your sending server signs each outgoing email using a private key
The corresponding public key is published in your domain's DNS as a TXT record
The receiving server retrieves the public key and validates the signature
A match = DKIM pass. No match or missing signature = DKIM fail.

DKIM DNS record format:

selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=[public key]"

Why DKIM is non-negotiable for warm-up:

Emails without DKIM signatures are treated as untrustworthy by most major ISPs. Gmail's 2024 sender guidelines require DKIM for bulk senders. Reputation cannot be meaningfully built on unauthenticated sends.

Key length: Use 2048-bit RSA keys minimum. 1024-bit is deprecated and may fail security checks.

Frequently Asked Questions

How do I check if DKIM is set up correctly?

Send a test email to a Gmail address and open it, then click the three-dot menu and select 'Show original.' Look for 'dkim=pass' in the authentication results header. Alternatively, use MXToolbox DKIM Lookup (mxtoolbox.com/dkim.aspx) — enter your domain and selector to verify the public key is published correctly. Google Postmaster Tools also shows DKIM pass rates in the Authentication section once you're sending sufficient volume. A common mistake is publishing the DKIM record without enabling DKIM signing in your ESP — both steps are required.

What is a DKIM selector?

A DKIM selector is a label that allows a domain to publish multiple DKIM public keys simultaneously — for example, one key per ESP if you send from multiple platforms. The selector name is included in the email headers (e.g., 'selector1' or 'google') and tells the receiving server which DNS record to look up when validating the signature. The DNS record format is: [selector]._domainkey.[yourdomain].com. When setting up DKIM with an ESP, they'll provide the selector name to use. Having unique selectors per sending platform keeps authentication manageable.

Does DKIM survive email forwarding?

Yes — and this is DKIM's key advantage over SPF for warm-up purposes. When an email is forwarded, the forwarding server's IP is not in the original sender's SPF record, so SPF fails for forwarded mail. However, DKIM's signature is embedded in the email headers and travels with the message unchanged, so the signature remains valid after forwarding (as long as the message body isn't modified). This means DKIM alignment can pass for forwarded messages even when SPF fails, which preserves DMARC alignment and protects deliverability for forwarded warm-up emails.

Related Terms

SPF (Sender Policy Framework)

An authentication protocol that specifies which mail servers are authorized to send email for your domain. Published as a DNS TXT record checked on every inbound message.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

A policy protocol built on SPF and DKIM that tells receiving servers how to handle authentication failures and sends aggregate reports back to the domain owner.

Authentication (Email Authentication)

The set of technical protocols (SPF, DKIM, DMARC) that verify a sender's identity and prove an email genuinely originated from the claimed domain.

Domain Reputation

The permanent trust score ISPs assign to your sending domain based on historical behavior. Unlike IP reputation, a damaged domain reputation can take months to recover.

Back to Glossary

Get Started Today

Stop Guessing. Start Landing in the Inbox.

Improve your email deliverability with real engagement signals and full visibility into where your emails actually land.

Start Free Trial Talk to Sales

Free 10-day trial · No credit card · Cancel anytime