Crawlsonar
Email

DKIM (DomainKeys Identified Mail)

A cryptographic signature added to your outgoing email that proves the message really came from your domain and wasn't tampered with.

In plain English

DKIM is like a wax seal on a letter. Your mail server signs each message with a private key; the matching public key is published in your DNS. The receiver checks the seal — if it matches and is unbroken, the message is genuinely yours and hasn't been altered in transit.

It's one of the three email-authentication signals (with SPF and DMARC) that together decide whether you land in the inbox or the spam folder.

How to fix / set it up

  1. Turn on DKIM in your email provider's admin panel.
  2. Publish the public-key TXT record it gives you at the selector it specifies.
  3. Send a test message and confirm DKIM passes; rotate any 1024-bit key to 2048-bit.

DKIM Checker

The technical detail

The public key lives at <selector>._domainkey.yourdomain.com as a TXT record; the selector is chosen by your provider (e.g. google, selector1). Use a 2048-bit RSA key or Ed25519 — 1024-bit is the weak legacy default.

t=y marks a key as testing (receivers may ignore it); an empty p= revokes the key.

FAQ

Why can't a tool find my DKIM automatically?

DKIM is selector-based, so there's no fixed location — you (or your provider) choose the label. Enter your selector, or let the checker probe the common ones.

What key size should I use?

2048-bit RSA or Ed25519. 1024-bit is being deprecated by major receivers.

Related

← All topics in the knowledge base