DKIM (DomainKeys Identified Mail) adds a digital signature to every outgoing email that recipients can verify via DNS. This makes it possible to establish that the mail really comes from your domain and has not been altered in transit.

DKIM in practice

Where SPF looks at the sending server, DKIM protects the content of the message itself. The signature also survives forwarding through intermediate systems — something SPF stumbles over. That is why the rule is: SPF and DKIM together, not one or the other.

In practical terms, setting it up means: enabling DKIM signing in Microsoft 365 or Google Workspace and publishing the associated keys as a DNS record — and doing the same for external tools that send mail on behalf of your domain. Round it off with a DMARC policy, otherwise verification remains non-binding.
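The checks implied by the setup above, as an added example that is not part of the original glossary: it parses the TXT record a DKIM selector publishes and the domain's DMARC record, then reports what would leave verification non-binding. The record strings, the placeholder key and the function names are constructed for illustration. In real use the strings would come from DNS lookups of `<selector>._domainkey.<domain>` and `_dmarc.<domain>`.

```python
# Added example: offline review of constructed DKIM and DMARC TXT records.
def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Whitespace inside values (e.g. a folded base64 key) is not significant.
            tags[name.strip().lower()] = "".join(value.split())
    return tags

def check_dkim_key(txt):
    """Findings for a DKIM key record; an empty list means nothing to fix."""
    tags, findings = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected version tag")
    if "p" not in tags:
        findings.append("no public key (p=) tag")
    elif tags["p"] == "":
        findings.append("empty p=: key is revoked")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: domain is still in DKIM test mode")
    return findings

def check_dmarc(txt):
    """Findings for a DMARC record; an empty list means the policy is enforcing."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings, policy = [], tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are reported but not enforced")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append("pct below 100: policy covers only part of the mail")
    return findings

# Constructed sample records (placeholder key, example.com addresses).
DKIM_OK = "v=DKIM1; k=rsa; p=BASE64PUBLICKEYPLACEHOLDER"
DKIM_REVOKED = "v=DKIM1; p="
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for name in ("DKIM_OK", "DKIM_REVOKED"):
        print(name, check_dkim_key(globals()[name]))
    for name in ("DMARC_WEAK", "DMARC_STRICT"):
        print(name, check_dmarc(globals()[name]))
```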

Related terms

  • SPF — SPF (Sender Policy Framework) is a DNS record that sets out which mail servers are allowed to send email on behalf of your domain.
  • DMARC — DMARC is the policy on top of SPF and DKIM: it tells receiving mail servers what to do with mail that does not pass the checks — simply deliver it (none), quarantine it (quarantine) or reject it (reject) — and sends reports on who is mailing on behalf of your domain.
  • DNS — DNS (Domain Name System) is the system that translates domain names into the servers behind them: it determines where your website loads and where email for your domain is delivered.

Part of the RiverFlows glossary.