Glossary

DKIM

DKIM (DomainKeys Identified Mail) is an email authentication protocol that uses public-key cryptography to add a digital signature to outgoing emails, allowing receiving mail servers to verify that the message was sent by an authorized sender and that its content was not altered in transit.

Get Started

Read more terms

DKIM works through a public-private key pair. The sending mail server signs each outgoing email with a private key, embedding the signature in the email's header. The domain owner publishes the corresponding public key in their DNS records. When a receiving server gets the email, it retrieves the public key from DNS and uses it to verify the signature. If the signature is valid, it confirms both that the email came from the legitimate sender and that the content hasn't been modified since it was signed. Unlike SPF, which validates the sending server IP, DKIM validates the message content itself. This makes DKIM resilient to a class of attacks called email forwarding abuse, where an email is legitimately forwarded through another server — DKIM remains valid through forwarding because it's tied to the message content rather than the sending IP. This is also why DKIM plays a central role in DMARC alignment: for a DMARC check to pass on the DKIM mechanism, the DKIM signing domain must align with the From address domain. For B2B outbound sales teams, DKIM is a non-negotiable component of email authentication. Google's bulk sender requirements mandate DKIM for domains sending more than 5,000 messages per day. Teams running personalized video outreach campaigns through Outvid should ensure DKIM is enabled and correctly configured for all sending domains and subdomains to protect inbox placement and sender reputation.

What should I know about DKIM?

DKIM Proves Message Integrity

The DKIM signature is tied to the email content. Any modification to the message body or headers after signing invalidates the signature, allowing receiving servers to detect tampered emails.

DKIM Survives Email Forwarding

Because DKIM validates the message content rather than the sending IP, the signature remains valid when an email is forwarded — unlike SPF, which fails when a message is relayed through a different server.

DKIM Is Required for DMARC Alignment

DMARC can pass on either SPF or DKIM alignment. Because SPF fails on forwarded messages, DKIM alignment is the more reliable mechanism for DMARC compliance — making DKIM configuration critically important.

How is DKIM used in practice?

Enabling DKIM in an email service provider

A sales team using Google Workspace for outbound enables DKIM by generating a key pair in the Google Admin Console, publishing the public key as a TXT record in their DNS provider (e.g., google._domainkey.company.com), and verifying the configuration using the Google Admin Toolbox. After 24-48 hours of DNS propagation, all emails sent through Google Workspace are DKIM-signed.

DKIM failure causing deliverability problems

A company migrates their email infrastructure to a new provider but doesn't update their DKIM DNS records to include the new provider's keys. Their DMARC reports show DKIM alignment failures increasing from 1% to 68%. After updating the DNS records with the new provider's public keys, DKIM alignment returns to 99% and inbox placement rates recover.

Frequently asked questions

How is DKIM different from SPF?

SPF authorizes which IP addresses can send email on behalf of your domain and is validated by the receiving server checking the sender's IP against your DNS record. DKIM adds a cryptographic signature to the email content itself, proving the message came from you and wasn't altered in transit. Both are needed for comprehensive authentication.

Where is the DKIM signature stored in an email?

The DKIM signature is stored in the email's DKIM-Signature header field. It contains the signing domain, the selector (which identifies which public key to use from DNS), and the cryptographic hash of the message content. Most email clients don't display this header unless you view the full email source.

Can I have multiple DKIM keys for the same domain?

Yes — DKIM supports multiple keys per domain through the use of selectors. Each sending source (Google Workspace, Instantly, your own mail server) can have its own DKIM key pair, published under different selector names in DNS. This allows different senders to independently sign emails from the same domain.

Learn more

Email Authentication SPF Record DMARC Sender Reputation Buying Committee Video Outreach to Passive Candidates

Send Outreach That Passes Every Authentication Check

Outvid's AI video outreach is built for teams who care about deliverability — pair it with proper DKIM, SPF, and DMARC to ensure every video email reaches its destination.