What we check
We check for valid DKIM records and signatures
We check for valid DKIM (DomainKeys Identified Mail) records that cryptographically sign your outgoing emails. DKIM proves your emails were sent by you and haven't been tampered with in transit, significantly improving deliverability and preventing spoofing.
Security Impact
Why DKIM is critical for email deliverability
Missing DKIM hurts deliverability
Without DKIM, spam filters are more likely to reject or flag your emails as suspicious. Major email providers strongly prefer DKIM-signed messages.
Proves email integrity
DKIM cryptographically proves your emails haven't been modified during transmission. Because any change to the signed content breaks the signature, receiving servers can detect when an attacker has tampered with a message.
Required for DMARC
DMARC policies rely on DKIM (or SPF) passing. Without DKIM, your DMARC protection is weaker and less effective against spoofing.
Email providers require it
Gmail, Yahoo, and other major providers increasingly require DKIM for bulk senders. Missing DKIM can result in rejected emails.
Implementation
How to enable DKIM
With Httpeace
Httpeace automatically checks for valid DKIM signatures:
- Add your domain to Httpeace
- We check for DKIM records automatically every day
- Get instant alerts if DKIM appears to be misconfigured or missing
- See provider-specific setup instructions in your dashboard
Without Httpeace
Manual DKIM setup requires coordination with email providers and DNS configuration:
```
# Check for DKIM records (need to know selector)
dig TXT selector._domainkey.yourdomain.com

# Send test email and check headers
# Look for DKIM-Signature header
# Look for "dkim=pass" in authentication results

# Use online checkers
# Visit: https://www.mail-tester.com/
```
You'll need to:
- Enable DKIM at your email provider (Google Workspace, Microsoft 365, etc.)
- Navigate to DKIM settings in provider dashboard (different for each)
- Generate DKIM keys through provider interface
- Copy DNS record values (TXT or CNAME) provided by email service
- Add DKIM records to your DNS with correct selector subdomain
- Understand selector naming convention (varies by provider)
- Wait 24-48 hours for DNS propagation
- Return to provider dashboard and verify DKIM is active
- Send test emails and check headers for DKIM-Signature
- Verify "dkim=pass" in email authentication results
- Set up DKIM for each email sending service (transactional, marketing)
- Monitor DKIM daily to ensure keys remain valid
- Handle DKIM key rotation when providers update keys
- Maintain multiple DKIM selectors for different services
- Debug DKIM failures by examining signature headers and DNS records
DKIM configuration is provider-specific and error-prone. Wrong DNS records, missing selectors, or key rotation issues cause silent authentication failures that hurt deliverability without obvious error messages.
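The header and DNS checks from the manual steps above can be scripted. The following is an added example, not Httpeace's own code. It reads the selector and domain from a message's DKIM-Signature header, reads the receiver's dkim= verdict, and checks a key record for the common failure modes (missing, revoked or malformed key). It performs no DNS lookup and no signature verification, and example.com, sel2024 and the key bytes are constructed placeholders.

```python
import base64, binascii, re
from email import message_from_string

def parse_tags(value):
    """Parse a DKIM "tag=value; ..." list (same syntax in the header and the DNS record)."""
    pairs = (part.partition("=") for part in value.split(";") if "=" in part)
    return {name.strip(): re.sub(r"\s+", "", val) for name, _, val in pairs}

def selector_dns_name(raw_message):
    """DNS name holding the public key for this message's signature, or None if unsigned."""
    sig = message_from_string(raw_message)["DKIM-Signature"]
    tags = parse_tags(sig) if sig else {}
    if "s" not in tags or "d" not in tags:
        return None
    return f"{tags['s']}._domainkey.{tags['d']}"

def dkim_result(raw_message):
    """The receiver's dkim= verdict from Authentication-Results, or None if absent."""
    headers = message_from_string(raw_message).get_all("Authentication-Results", [])
    match = re.search(r"\bdkim=(\w+)", " ".join(headers))
    return match.group(1).lower() if match else None

def check_key_record(txt):
    """Return a list of problems in a DKIM TXT record; an empty list means it looks usable."""
    tags, problems = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected v= value")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif not tags["p"]:
        problems.append("empty p= (key revoked)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems

# Constructed sample data: example.com, sel2024 and the key bytes are placeholders.
SAMPLE_MESSAGE = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=example.com\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel2024;\n"
    " h=from:to:subject; bh=...; b=...\n"
    "From: sender@example.com\n\nbody\n"
)
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"placeholder, not a real key").decode()

if __name__ == "__main__":
    print(selector_dns_name(SAMPLE_MESSAGE), dkim_result(SAMPLE_MESSAGE), check_key_record(SAMPLE_RECORD))
```

Feed the name returned by `selector_dns_name` to the `dig TXT` command shown earlier, then pass the returned record text to `check_key_record`.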
FAQ
Frequently asked questions
What is DKIM?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to email headers. The signature is created using a private key (kept by your email server) and verified using a public key (published in DNS). This proves the email came from your domain and wasn't modified.
What is a DKIM selector?
A DKIM selector is a string that identifies which DKIM key to use. You might have multiple selectors for different email providers or for key rotation. The selector appears in DNS as "selector._domainkey.yourdomain.com" and in email headers as "s=selector".
Can I have multiple DKIM records?
Yes! Unlike SPF, you can have multiple DKIM selectors, each with its own key pair. This is useful when sending from multiple email services (e.g., Google Workspace + Mailchimp), or for key rotation.
How often should I rotate DKIM keys?
Best practice is to rotate DKIM keys annually or when keys may be compromised. However, many organizations use the same DKIM keys for years without issues. Key rotation requires coordinating DNS updates with your email provider.
How does Httpeace check DKIM?
We check for the presence of DKIM records at common selectors used by popular email providers. We verify the records are properly formatted and contain valid public keys. We alert you if DKIM appears to be misconfigured or missing.