
WTF Series

WTF is DKIM?

A digital signature baked into your email headers that proves the message wasn't tampered with in transit.

The real explanation

DKIM stands for DomainKeys Identified Mail. When you send an email, your sending server creates a cryptographic signature using a private key and attaches it to the email headers. The receiving server looks up your public key (published in DNS) and uses it to verify the signature. If the signature checks out, the email is authentic and unchanged.

Unlike SPF, DKIM survives forwarding. When someone forwards your email, SPF breaks because the forwarding server isn't in your SPF record. But the DKIM signature stays intact because it's part of the message itself, as long as the forwarder leaves the signed headers and body unchanged. That's why DKIM is critical for DMARC alignment when emails get forwarded.

Most ESPs handle DKIM signing automatically, but here's what they don't always tell you: the default setup often signs with the ESP's domain, not yours. For DMARC alignment, you need custom DKIM signing with your own domain. That usually means adding a CNAME record to your DNS that points to your ESP's DKIM key.

Show me an example

You switch ESPs and forget to set up custom DKIM for your domain. Your emails are now signed with a key under the ESP's domain (something like dk1234._domainkey.espname.com). SPF might pass, but DKIM doesn't align with your From domain. If your DMARC policy requires DKIM alignment, those emails fail. Your open rates tank and you blame the new ESP's "deliverability" when it's actually a DNS record you forgot.
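The scenario above as a check you can run: this added example (not code from this site or any ESP) reads the d= and s= tags from a DKIM-Signature header, builds the DNS name the receiver would query for the key, and compares the signing domain with the From domain. The messages are constructed samples with example.com as the sender's domain, the organizational-domain rule is a simplifying assumption, and the script checks alignment only, not whether the signature itself verifies.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From is example.com, but the ESP signed with its own domain.
ESP_SIGNED = """\
From: News <news@example.com>
To: someone@example.net
Subject: Hello
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=espname.com;
 s=dk1234; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

Body
"""
# Same message after custom DKIM is set up on a subdomain of the sender's domain.
CUSTOM_SIGNED = ESP_SIGNED.replace("d=espname.com", "d=mail.example.com")

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop header folding whitespace
    return tags

def org_domain(domain):
    # ASSUMPTION: the organizational domain is the last two labels.
    # Real DMARC checkers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_alignment(raw, mode="relaxed"):
    """Return one dict per DKIM-Signature: signing domain, key lookup name, aligned?"""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        if mode == "strict":
            aligned = d == from_domain          # exact match required
        else:
            aligned = org_domain(d) == org_domain(from_domain)
        results.append({"d": d, "key_name": f"{s}._domainkey.{d}", "aligned": aligned})
    return results

if __name__ == "__main__":
    for label, raw in (("ESP default", ESP_SIGNED), ("custom DKIM", CUSTOM_SIGNED)):
        print(label, dkim_alignment(raw))
```

DMARC counts DKIM as a pass only when an aligned signature also verifies, so run a real verifier alongside a check like this.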

Who handles this?

Sigil the Signaler

Sigil covers authentication (SPF/DKIM/DMARC/BIMI).

Go deeper

Read more in the Email Almanac: DKIM in the Almanac

© 2026 Review My Emails. Confidential & proprietary — unreleased draft. Unauthorized copying, reproduction, or distribution of this site or its contents is prohibited. All rights reserved.