DKIM (DomainKeys Identified Mail)
A cryptographic signature added to your outgoing email that proves the message really came from your domain and wasn't tampered with.
In plain English
DKIM is like a wax seal on a letter. Your mail server signs each message with a private key; the matching public key is published in your DNS. The receiver checks the seal — if it matches and is unbroken, the message is genuinely yours and hasn't been altered in transit.
It's one of the three email-authentication signals (with SPF and DMARC) that together decide whether you land in the inbox or the spam folder.
How to fix / set it up
- Turn on DKIM in your email provider's admin panel.
- Publish the public-key TXT record it gives you at the selector it specifies.
- Send a test message and confirm DKIM passes; rotate any 1024-bit key to 2048-bit.
The technical detail
The public key lives at <selector>._domainkey.yourdomain.com as a TXT record; the selector is chosen by your provider (e.g. google, selector1). Use a 2048-bit RSA key or Ed25519 — 1024-bit is the weak legacy default.
t=y marks a key as testing (receivers may ignore it); an empty p= revokes the key.
FAQ
Why can't a tool find my DKIM automatically?
DKIM is selector-based, so there's no fixed location — you (or your provider) choose the label. Enter your selector, or let the checker probe the common ones.
What key size should I use?
2048-bit RSA or Ed25519. 1024-bit is being deprecated by major receivers.