DMARC

DKIM · RFC 6376

DKIM: the signature that proves origin

DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to each message. The sending server signs certain headers and the body with a private key; the recipient fetches the public key from your DNS and verifies nothing was altered in transit.

How it works

  1. 1. On send, the server adds a DKIM-Signature header containing the domain (d=), the selector (s=) and the signature.
  2. 2. The recipient reads d= and s=, then fetches the public key from DNS.
  3. 3. It recomputes the signature: if it matches, the message is intact and genuinely from the signing domain.

The DNS record

The public key is published on <selector>._domainkey.your-domain.com:

s1._domainkey.your-domain.com.  IN TXT
  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQ..."
  • s= (selector) — lets you host several keys in parallel (one per provider, or for rotation).
  • p= — the public key (base64). Removing it revokes the selector.
  • k= — the algorithm (rsa, the most common).

Best practices

  • 2048-bit key preferred (1024 still accepted but weak).
  • Regular rotation via selectors: publish the new key, switch sending, then remove the old one.
  • A distinct selector per sending source, so you can revoke one without impacting the others.
DKIM survives forwarding better than SPF. What remains is tying the signature to the visible domain: that is the role of DMARC.

Guide: How SPF, DKIM and DMARC work together