DKIM Signature
Also known as: DomainKeys Identified Mail, DKIM
DKIM is an email authentication standard that adds a cryptographic signature to each outbound message. The sending server signs the message with a private key; the receiver looks up the matching public key in a DNS TXT record at `<selector>._domainkey.<domain>` and verifies the signature. A valid DKIM signature proves the message body was not tampered with in transit and that the sender's domain authorised the message.
Where SPF authorises sending IPs, DKIM authorises sending bodies. The signature is added as a `DKIM-Signature` header on the outbound message. The header includes the domain, the selector, and a hash of the message body and selected headers, signed with the domain's private key. The receiver retrieves the public key from DNS, recomputes the hash, and checks that the signatures match.
Why DKIM matters
Receivers (Google, Microsoft, Yahoo) use DKIM as one signal in inbox placement decisions. Microsoft, Yahoo, and Google's February 2024 bulk-sender rules require DKIM-signed mail for senders sending more than 5,000 messages per day to their consumer addresses. Cold outbound that does not DKIM-sign at scale lands in spam or gets rejected.
DKIM also enables DMARC alignment. DMARC checks that the domain in the DKIM signature matches the visible From domain. Without DKIM, DMARC alignment falls back to SPF only, which is weaker.
Common mistakes
- Missing or unrotated keys. Best practice is to rotate keys at least annually. Old keys left in DNS provide an attack surface.
- Short keys. 1024-bit keys are now considered weak. 2048-bit is the modern minimum.
- Body modification. Adding a footer or signature after DKIM is computed invalidates the signature. Some mailing-list software does this and breaks DKIM.
Related reading
Frequently asked questions
What is a DKIM selector?+
An arbitrary label that lets a domain publish multiple DKIM keys at once. `google._domainkey.example.com` and `mailgun._domainkey.example.com` can both exist on the same root domain, one for each sending service.
Does Outsolvi modify outbound bodies?+
No. Outsolvi tracking embeds a 1x1 pixel and rewrites links for click attribution. Both modifications happen before the message is signed, so DKIM signing by the sending platform happens on the final body and the signature stays valid.
Put this concept into practice
Free tools, articles, and features on this same topic.
Related glossary terms
Want accurate tracking that handles DKIM Signature?
Outsolvi tracks Outlook and Gmail with Tier 1 to 5 confidence scoring on opens, hot-lead detection, and AI reply sentiment at $7/user/mo billed yearly. 14-day free trial, no credit card.
Start 14-Day Free TrialNate built Outsolvi after watching every email-tracking tool he had ever used lie to him about opens. Outsolvi runs Tier 1 to 5 confidence scoring on every open, native in Outlook and Gmail, so the number on the dashboard is one a rep can actually act on.
We update these pages when the underlying mechanics change. new mailbox-provider rules, new tracker behavior, new measurement gaps. The dates above are real revisions, not auto-touches.