Skip to main content
Senddio glossary · DomainKeys Identified MailLast reviewed: May 2026

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication standard. It lets a receiving mail server verify two things: that a message was genuinely sent by an authorised server for the sender's domain, and that the contents have not been changed since the message was signed.

How DKIM works in plain English

When you send an email through a DKIM-signing server, the server adds a digital signature to the message header. That signature is generated using a private key that only your sending server has. The matching public key is published in your domain's DNS as a TXT record. When the recipient's mail server receives the message, it looks up the public key in DNS and verifies the signature. If the signature is valid, the recipient knows the message really came from your domain and was not tampered with.

Why DKIM matters

Without DKIM (and its companion standards SPF and DMARC), receiving mail servers cannot tell whether a message claiming to be from your domain actually is. The result is usually that your messages land in spam folders, or are rejected outright. DKIM is the single most important step you can take to keep transactional and marketing email deliverable.

What does a DKIM record look like?

A DKIM DNS record is a TXT record at a subdomain like selector1._domainkey.yourdomain.com. The value starts with v=DKIM1; and contains a long base-64 encoded public key. Most providers (including Senddio) generate the records for you and verify them automatically once you publish.

DKIM vs SPF vs DMARC

These three standards work together. SPF authorises which servers may send mail for your domain. DKIM signs the messages themselves. DMARC tells receiving servers what to do if a message fails either check. You need all three for serious sending; one alone is not enough.

Related terms
DMARC SPF
FAQ

DKIM — FAQ

Not technically required by the email protocol, but in practice yes. Google, Microsoft, Yahoo and most large mail providers now require DKIM (and SPF and DMARC) for any meaningful volume of email, and untreated messages are heavily down-ranked or rejected.

Adding the DNS records takes about five minutes. DNS propagation usually completes within an hour, sometimes up to 24 hours. Once propagated, signing is automatic on every send.

Yes, and it is normal. Each key uses a different selector (the prefix before _domainkey). You might have one for your transactional provider and another for your marketing provider. Both can sign the same domain.

Yes. When you verify a domain in Senddio, the dashboard shows you the exact DNS records to add — including two DKIM keys, an SPF include, and a DMARC starter policy. Senddio polls every minute to confirm the records are live and shows you the exact difference if something does not match.

Senddio handles the boring parts of DKIM for you.

Free plan ships every channel and every AI feature. No card to start.

Start free Read the docs
300 emails/day · All 6 channels · AI credits · No card