DKIM: the digital fingerprint of your emails
DomainKeys Identified Mail (DKIM) is an email authentication protocol that uses public key cryptography to ensure that an email has not been altered during transit. Unlike SPF, which only verifies the IP of the sending server, DKIM cryptographically signs the email content, allowing the recipient to verify its integrity and authenticity. Every email signed with DKIM contains a DKIM-Signature header with the digital signature calculated on the message body and selected headers.
The mechanism works with two keys: a private key (kept by the sending mail server) and a public key (published in the domain's DNS). When the server sends an email, it computes a hash of the content and encrypts it with the private key. The receiving server retrieves the public key from DNS, decrypts the signature, and compares the hash with the one computed locally. If they match, the message is authentic and intact.
How the DKIM selector works
Every DKIM record is identified by a selector, a prefix that allows having multiple DKIM keys for the same domain. The record is located at selector._domainkey.domain.com. For example, if Google Workspace uses the selector "google", the public key is found at google._domainkey.example.com. This system allows using different keys for different services: one for the corporate server, one for the marketing platform, one for the ticketing system.
In the DKIM-Signature header, the key parameters are: d= (signing domain), s= (selector), h= (headers included in the signature), bh= (body hash), b= (the actual signature). The a= parameter specifies the algorithm (rsa-sha256 is the current standard). The c= parameter specifies canonicalization (header mode, then body mode): relaxed is more tolerant of minor whitespace changes, while simple (the strict mode) requires an exact match.
DKIM diagnostics and troubleshooting
The most common DKIM problem is a signature that fails verification. The main causes are: missing or incorrect public key in DNS (verify it with our DKIM Lookup), modifications to the message during transit (mailing lists that alter the subject or body), private key not matching the public key, and DNS records with formatting errors. Mailing lists are particularly problematic because they often add footers or modify the Subject header, invalidating the original DKIM signature.
To diagnose DKIM problems, analyze the received email headers with the Email Header Analyzer. Look for the Authentication-Results field that shows the DKIM verification result: dkim=pass means the signature is valid, dkim=fail indicates a problem. The DKIM-Signature header in the email contains the selector (s=) and domain (d=) needed for manual verification.
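As an added example (not code from this page or from the lookup tools it describes), the following Python reproduces the first check a receiving server performs on the DKIM-Signature parameters described above: parse the tags, canonicalize the body according to the c= mode, and compare its SHA-256 hash with bh=. It then shows why a mailing-list footer produces dkim=fail. The body, selector and signature header are constructed; the b= value is a placeholder because the RSA check over the signed headers is not performed here.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into a tag dict, dropping folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def canonicalize_body(body: str, mode: str = "simple") -> str:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4
    (relaxed): both drop trailing empty lines; relaxed also collapses runs of
    whitespace to one space and strips trailing whitespace on each line."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalization: " + mode)
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:  # empty body: simple yields a lone CRLF, relaxed nothing
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"

def body_hash(body: str, mode: str = "simple") -> str:
    """bh= value: base64(SHA-256(canonicalized body)), as used by rsa-sha256."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode("ascii")

def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """Compare the received body against bh=; the body mode is the part of
    c= after the slash, and a missing c= means simple/simple."""
    tags = parse_dkim_tags(dkim_signature)
    c = tags.get("c", "simple/simple")
    body_mode = c.split("/", 1)[1] if "/" in c else "simple"
    return tags.get("bh") == body_hash(body, body_mode)

# Constructed sample: bh= is computed here over the body exactly as the
# sending server would have; b= is a placeholder, not a real signature.
ORIGINAL_BODY = "Quarterly report attached.  \r\n\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google; "
             "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY, "relaxed")
             + "; b=PLACEHOLDER")
# A mailing-list footer changes the body, so the bh= comparison fails.
WITH_FOOTER = ORIGINAL_BODY + "--\r\nList footer added in transit\r\n"
```

Calling body_hash_matches(SIGNATURE, ORIGINAL_BODY) returns True and the same call on WITH_FOOTER returns False; because c=relaxed/relaxed, a copy whose trailing spaces were stripped in transit still passes.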
Key size and rotation
DKIM key size is a crucial security aspect. 1024-bit keys, once the standard, are now considered vulnerable to factorization attacks with modern hardware. The current recommendation is to use 2048-bit keys, which provide an adequate security level for the coming years. Some providers support 4096-bit keys, but these can cause issues with DNS TXT record size limits (255 characters per string).
Periodic DKIM key rotation is an often overlooked best practice. It involves generating a new key pair, publishing the new public key with a new selector, configuring the server to sign with the new private key, and after a transition period, removing the old public key from DNS. Rotation every 6-12 months is recommended to limit exposure in case of private key compromise.
DKIM in the context of email authentication
DKIM is the second pillar of email authentication, between SPF and DMARC. While SPF verifies who sends (the server's IP), DKIM verifies what is sent (the message's integrity). DMARC then combines the results of both by verifying domain alignment: the domain in the From header must match the domain authenticated by SPF (envelope from) or DKIM (signing domain). Without DKIM, DMARC relies solely on SPF, significantly reducing protection.
For a complete verification of your DKIM configuration, use our DKIM Lookup by specifying the domain and selector. The tool shows the public key, bit size, algorithm, and flags any issues. Combine the result with SPF Lookup and DMARC Lookup checks for a complete picture of your email authentication.