DKIM (DomainKeys Identified Mail)

Also called: DomainKeys Identified Mail, DKIM Signature

Definition

An email authentication method that uses a cryptographic signature to prove a message actually came from your domain. Core deliverability record.

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic signature to every outgoing message. The receiving mail server reads the signature, looks up your DKIM public key in DNS, and verifies that the email actually came from your domain and was not altered in transit. If the signature matches, the message passes a critical trust check. If it fails or is missing, the message is treated as suspicious.

DKIM is set up by publishing a DNS TXT record containing the public key, usually at a hostname built from a selector, such as google._domainkey.yourdomain.com (here the selector is google). Your mail provider (Google Workspace, Microsoft 365, SendGrid, or a cold email tool) generates the key pair, signs outgoing mail with the private key, and tells you what to publish in DNS. Done correctly, DKIM is nearly invisible: email just starts landing.

The common failure modes are boring and painful. A typo in the DNS value (a missing character or added whitespace) breaks every outgoing message from that domain. Not rotating keys when a provider recommends it leaves you signing with a known-weak key. Adding a new sending tool without configuring its DKIM leaves that tool’s traffic unsigned, which quickly tanks your domain reputation. A proper cold outbound setup publishes DKIM for every legitimate sending path, verifies each one, and monitors authentication reports.
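As an added example (not code from this page or from any mail provider), the Python below lints the TXT value of a DKIM key record for two of the failure modes above: a damaged `p=` value and a short RSA key. The function names, the 2048-bit `min_bits` threshold and the sample records are assumptions made for illustration, and the input is expected to be the record's TXT strings already joined into one value.

```python
import base64

def _tlv(buf, at, tag):
    """Read the DER element with this tag at offset at; return (value, next_pos)."""
    length, pos = buf[at + 1], at + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if buf[at] != tag or pos + length > len(buf):
        raise ValueError("unexpected tag or truncated DER")
    return buf[pos:pos + length], pos + length

def rsa_bits(spki):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (decoded p= value)."""
    outer, _ = _tlv(spki, 0, 0x30)
    _, nxt = _tlv(outer, 0, 0x30)           # AlgorithmIdentifier
    bitstr, _ = _tlv(outer, nxt, 0x03)      # BIT STRING wrapping RSAPublicKey
    rsakey, _ = _tlv(bitstr[1:], 0, 0x30)   # skip the unused-bits byte
    modulus, _ = _tlv(rsakey, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()

def lint_dkim_txt(txt, min_bits=2048):  # min_bits is an assumed policy threshold
    """Return a list of problems in a DKIM key record's joined TXT value."""
    pairs = (part.partition("=") for part in txt.split(";") if part.strip())
    tags = {name.strip(): value.strip() for name, _, value in pairs}
    problems = [] if tags.get("v", "DKIM1") == "DKIM1" else ["v= is not DKIM1"]
    if not tags.get("p"):
        return problems + ["p= missing or empty"]
    try:  # strict on purpose: inner whitespace or a dropped character fails
        der = base64.b64decode(tags["p"], validate=True)
        bits = rsa_bits(der) if tags.get("k", "rsa") == "rsa" else min_bits
        if bits < min_bits:
            problems.append(f"RSA key is {bits} bits, below {min_bits}")
    except (ValueError, IndexError):
        problems.append("p= is not a clean, complete base64 public key")
    return problems

def _der(tag, body):  # DER encoder, used only to build the constructed sample
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_record(bits):  # constructed record; the modulus is not a real key
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsakey = _der(0x30, _der(2, b"\x00" + n) + _der(2, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    spki = _der(0x30, alg + _der(3, b"\x00" + rsakey))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Run `lint_dkim_txt` on the value your DNS host actually serves for each selector, not on the value the provider gave you, since the copy step is where the damage happens.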

When the term matters

DKIM matters whenever you send cold outbound from a domain — even more for outbound than for transactional email, because inbox providers apply stricter filters to unsolicited mail. If your DKIM is missing or misconfigured, even a perfectly written, well-targeted cold email will land in spam. It is a prerequisite, not a performance lever.

DKIM is one-third of the email authentication trio alongside SPF and DMARC. Together they form the foundation that email warmup and domain reputation build on.
