What Is DKIM and How Does It Work?

FindMyTeam April 12, 2026

A practical guide to DKIM, how message signing works, and what a DKIM record can and cannot tell you.

DKIM sounds more complicated than SPF because it is.

That does not mean it is mysterious. It just means the check lives in two places at once: the message and DNS.

What DKIM actually is

DKIM stands for DomainKeys Identified Mail.

It lets a sending system sign parts of an email message with a private key. The receiving system can then look up the matching public key in DNS and verify the signature.

So unlike SPF, DKIM is not mainly about “which server sent this.” It is more about “was this message signed by a domain that published the matching key?”

Why DKIM matters

DKIM helps with:

message integrity
domain-level authentication
making DMARC useful

If DKIM is stable and aligned, forwarding tends to be less painful than SPF-only setups.

Why selectors confuse people

Most DKIM problems start with the selector.

The record is not usually published at the root domain. It is published at a selector such as:

google._domainkey.example.com

That is why “check the DKIM record for example.com” is not quite enough unless you also know the selector.

What DKIM does not prove

A valid DKIM record does not prove:

that every platform is signing correctly
that DMARC is enforced
that the message is safe

It proves one thing well: a signed message can be checked against a published DNS key.

How to check DKIM properly

Start with How to Check a DKIM Record for a Domain.

Then confirm:

the selector is correct
the TXT record exists
the sending service is using the same selector
the domain also has DMARC and SPF in place

International domain note

Internationalized domains can appear in DNS tools as Punycode.

That can make the selector path look unfamiliar, but the lookup logic is still the same.

Useful next reads

The short version

DKIM signs email with a private key and verifies it against a public DNS key.

It is one of the main building blocks of modern email authentication, especially when paired with DMARC.

Continue reading

Stay in the same investigation track with these closely related guides.

How to Check a DMARC Record

Check the DMARC policy, record placement, and overall posture without confusing monitoring for enforcement.

Explore

How to Check a DKIM Record

Check the selector and DNS record that back the signing layer instead of treating DKIM like a vague status label.

Explore

What Is DMARC?

Understand alignment, policy, and reporting before you turn a DMARC record into an operational decision.

Explore

Tools mentioned in this article

Run the same diagnostics to follow along with the guide.

IP Lookup & Threat Scanner

Inspect IP carriers, ASNs, and security posture in real time.

Explore

Domain Reputation Lookup

Verify WHOIS, DNS, SSL, and safety signals for any hostname.

Explore

Website Performance

Measure document timings, PageSpeed snapshots, and delivery overhead.

Explore