arrobaMail
Deliverability · Authentication

DKIMyour digital signature

DomainKeys Identified Mail

DomainKeys Identified Mail adds a cryptographic signature to the header of every email you send. The receiving server verifies that signature against a public key published in your DNS. If it matches, the email is authentic and hasn't been altered.

arrobaMail · DeliverabilityDKIM
Concept

What is DKIM and how does it work?

DKIM (DomainKeys Identified Mail), defined in RFC 6376, uses public-key cryptography. When a sending server sends an email, it signs it with a private key that only it holds.

The receiving server takes the signature (included in an email header), looks up the public key in your domain's DNS (in a specific TXT record), and verifies that the signature is valid.

If the signature validates, two things are proven: (1) the email was actually sent by someone with access to your domain's private key, and (2) the content wasn't altered along the way.

Anatomy

Anatomy of a DKIM record

Real example

arroba2026._domainkey.tudominio.com  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb..."
arroba2026._domainkey

Selector

Identifies this specific key. A single domain can have several active keys with different selectors. arrobaMail assigns one automatically.

v=DKIM1

Version

Indicates this is a DKIM version 1 record.

k=rsa

Algorithm

rsa is the most common. Some providers also support ed25519. arrobaMail uses RSA 2048-bit.

p=MIGfMA0...

Public key

The public key in base64. This is what receivers use to verify the signature. The private key is never published.

Step by step

How to set it up correctly

Steps in order. Skipping one usually leads to problems that take days to diagnose.

  1. 01

    Generate the key pair

    In arrobaMail, this step is automatic: when you add your domain as a sender, we generate the RSA pair and give you the selector and the public key ready to publish.

  2. 02

    Publish the TXT record in your DNS

    Create a TXT record in your DNS with Name = arroba2026._domainkey (or the selector we gave you) and Value = v=DKIM1; k=rsa; p=...

    Tip: Many DNS providers truncate strings longer than 255 characters. Make sure to paste it as a single string or use the multi-string syntax your provider supports.

  3. 03

    Wait for propagation

    Like SPF, it takes anywhere from minutes to hours depending on your DNS's TTL. Until it propagates, the signature won't validate.

  4. 04

    Enable the signature in arrobaMail

    Once the publication is verified, you enable DKIM in the sender's settings. From that point on, every email we send on your behalf carries the signature.

  5. 05

    Monitor validation

    In the first few days, check the reports to confirm receivers are validating OK. If you have DMARC with rua=, the reports will show dkim=pass.

Common mistakes

What breaks often (and how to fix it)

Key truncated when pasted into DNS

Some DNS providers cut the TXT value off at 255 characters and only save the initial part. Verification fails because the key ends up incomplete.

How to fix it: Check with dig that the published TXT has the same length as the original. If not, split it into several quoted strings following your provider's syntax.

Misspelled selector

A typo in the selector (e.g. arroba2026 vs arroba_2026) makes the receiver look up a key that doesn't exist, and the signature fails.

How to fix it: Copy the exact selector we gave you in arrobaMail, without adding or removing characters.

More than one DKIM record with the same selector

If you publish two TXT records with the same selector, receivers can't decide which one to use.

How to fix it: Remove the old one before publishing the new one. If you need to rotate, use a different selector.

Never rotating keys

DKIM keys are ideally rotated every 6-12 months as a security best practice.

How to fix it: Schedule periodic rotation and document which selector is active with each provider.

Verification

How to confirm it's set up right

Three ways to check — from your terminal or online tools. If all of them return OK, you're done.

01

Linux/Mac terminal

dig TXT selector._domainkey.tudominio.com +short

Returns the DKIM record if it's published correctly.

02

Test email to Gmail

Headers > Show original > DKIM

Shows "dkim=pass [email protected]".

03

Online

mxtoolbox.com/dkim.aspx

Selector diagnostics + signature validation.

How arrobaMail handles it

arrobaMail automatically generates the DKIM key pair when your domain is validated, shows you the exact TXT record to publish, and monitors verification.

Frequently asked questions

What people ask most about DKIM

As many as the distinct selectors you use. It's common to have one per provider (one for arrobaMail, another for Google Workspace, another for your CRM), each with its own unique selector.

It depends on the DMARC policy. Without DMARC, the receiver decides case by case (usually relaxing the filter toward spam). With DMARC set to p=quarantine or p=reject and strict alignment, it is rejected.

Yes. The public key is exactly that: public. It only serves to verify signatures, not to create them. The private key never leaves the sending server.

Yes. The signature covers the defined headers and the entire message body, including attachments. Any modification in transit invalidates the signature.

RSA 2048-bit is the standard and universally supported option. Ed25519 is more modern and faster but still less widely supported. At arrobaMail we use RSA 2048 for compatibility.

Get started with arrobaMail
in under 5 minutes.

Free plan, AI generations included, no credit card required — and real support from a real team.

Try it free now
WhatsAppOur team replies