Defaults.Exposed › Fixes › DKIM
How to fix DKIM
DKIM is the invisible tamper-proof seal on every email your business sends. It lets the receiving mail provider confirm the email genuinely came from you and arrived unchanged. Without it, your mail is easier to fake, easier to alter, and far more likely to land in spam.
Bottom line for your business: without DKIM, nothing tells a receiving mail provider whether the emails you send were altered in transit, or whether they were sent by you at all. That makes your domain easier for criminals to impersonate, and your genuine mail more likely to be filtered into spam or rejected outright, quietly costing you deals, payments and trust you never know you lost.
What this can cost you
- An invoice you emailed gets intercepted and the bank details are changed before it reaches your customer. Without a signature, nothing on the receiving side can show that the message was altered: it still looks like it came from you, the customer pays the criminal, and when it unravels you're the one who gets blamed.
- Your genuine quotes, contracts and invoices keep landing in customers' spam folders. You assume the client went quiet or chose someone else — but they simply never saw your email.
- A larger client's security or procurement team runs a quick check on your domain before signing, sees no DKIM, and either pushes the deal back weeks until you fix it or quietly picks a competitor who passed.
- A criminal sends convincing fake emails 'from your company' to your own customers. Because nothing proves which emails are really yours, the fakes are just as believable as the real thing — and your name takes the damage.
- Major mailbox providers and banks increasingly treat unsigned mail as suspicious. Since February 2024 Google and Yahoo require every sender to authenticate with SPF or DKIM, and bulk senders to have both plus a DMARC policy. Over time more of your everyday business email gets throttled, junked, or bounced, and your outreach slowly stops working.
Why it matters. Email was never built to prove who sent it, and faking the sender is trivially easy. DKIM adds a cryptographic signature that the receiving provider checks automatically — confirming the message is genuinely from your domain and hasn't been altered on the way. It's one of the three things every modern mail provider looks for, it directly affects whether your email is trusted or junked, and the fix is free.
What this is, in plain words
Every email your business sends travels through several hands before it reaches the inbox. By itself, an email carries no proof of who really sent it or whether anyone changed it along the way — the “from” line is just text anyone can type.
DKIM fixes that. It puts an invisible, tamper-evident seal on each message your business sends. When the email arrives, the receiving mail provider checks the seal against a key you publish on your domain. If it matches, the provider knows two things: the message was signed with your domain's private key, and the signed parts (the body and the headers your provider chose to cover, such as From, Subject and Date) arrived as they were sent. If it doesn't match, because the message was faked or altered, the seal fails and the provider treats the mail with suspicion. One caveat worth knowing: the seal proves which domain signed, not which domain appears in the From line. Receivers use DMARC to confirm the two agree, which is what stops a criminal signing with their own domain while writing yours in the From field.
You don’t manage any of this by hand. Once it’s switched on, the signing and checking happen automatically on every email, forever. The whole point of DKIM is to make your real mail provably real — so it gets trusted, and so fakes stand out.
What this can cost you
This isn’t abstract. Here’s what a missing or weak DKIM seal looks like in practice for a small or medium business.
- The altered invoice. You email a customer an invoice. Somewhere between your server and theirs, an attacker intercepts it and swaps your bank details for their own. The email still appears to come from you, the customer pays, into the criminal's account. Without DKIM, there's nothing to flag that the message was tampered with. With it, the alteration changes the signed content, the seal no longer verifies, and a receiver enforcing your DMARC policy can junk or reject the message instead of delivering it.
- The deals that died in spam. Your quotes, proposals and follow-ups keep slipping into customers’ junk folders. You never hear back and assume they weren’t interested. In reality, unsigned mail is a strong spam signal — your genuine business email simply wasn’t seen.
- The lost contract. A bigger client’s procurement or security team vets your domain before they’ll sign. They see no DKIM and treat it as a red flag — either delaying the deal for weeks while you fix it, or quietly choosing a supplier whose email security checked out.
- Your name used against your own customers. A scammer blasts out convincing emails “from your company” to your customer base. Because nothing proves which messages are truly yours, the fakes look as legitimate as the real thing — and it’s your reputation that takes the hit when people get burned.
- Slow strangulation of your email. Banks, big mailbox providers and corporate filters increasingly distrust unsigned mail. The effect creeps in over time: more throttling, more junking, more bounces — until your everyday outreach quietly stops landing.
What it actually is
DKIM stands for DomainKeys Identified Mail. Here’s how the seal works, without the jargon:
- You publish a public key on your domain (in your DNS settings). Anyone can read it — that’s the point.
- Your mail provider holds the matching private key and uses it to sign every email you send, adding a DKIM-Signature header that mail clients don't normally display. The signature covers the message body and a chosen list of headers (From, To, Subject, Date and so on).
- When the email arrives, the recipient's provider reads the selector and domain from that header, fetches your public key from DNS, recomputes the hash of the body and the covered headers, and checks the signature against them. If anything covered was changed, or the key doesn't match, the check fails.
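The tamper-detection half of that check, the body hash, in working code. This is an added example written for this page, not code from the page, from any mail provider or from a DKIM library. It implements the relaxed and simple body canonicalization rules of RFC 6376 section 3.4 and compares the recomputed hash with the bh= tag of a constructed sample message; the RSA signature in the b= tag is not computed, since that needs the signer's private key, so it is left as a labelled placeholder. The sample invoice, the domain example.com and the selector name are assumptions made for the demonstration. It also shows a detail the plain-words explanation glosses over: with the usual relaxed canonicalization a relay that rewrites trailing whitespace does not break the seal, while a changed account number does.

```python
import base64
import hashlib
import re

# Added example for this page (not the site's or any provider's code): the
# body-hash step of DKIM verification per RFC 6376 section 3.4.


def canonicalize_body(body: str, mode: str = "relaxed") -> str:
    """Return the body exactly as a verifier hashes it ('relaxed' or 'simple')."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        # Relaxed: drop trailing whitespace on each line, squash runs of SP/TAB to one SP.
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    elif mode != "simple":
        raise ValueError(f"unknown body canonicalization {mode!r}")
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"  # canonical body ends with exactly one CRLF


def body_hash(body: str, mode: str = "relaxed") -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(value: str) -> dict:
    """Split a 'tag=value; tag=value' list; whitespace from header folding is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def build_message(body: str, canon: str = "relaxed/relaxed") -> str:
    """Constructed sample invoice mail whose DKIM-Signature bh= matches the body.
    b= is a placeholder: producing it needs the signing domain's private key."""
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    headers = (
        "From: Accounts <accounts@example.com>\r\n"
        "To: customer@example.net\r\n"
        "Subject: Invoice 1042\r\n"
        "Date: Mon, 01 Jan 2024 09:00:00 +0000\r\n"
        f"DKIM-Signature: v=1; a=rsa-sha256; c={canon}; d=example.com; s=selector1;\r\n"
        f"\th=from:to:subject:date; bh={body_hash(body, body_mode)};\r\n"
        "\tb=PLACEHOLDER\r\n"
    )
    return headers + "\r\n" + body


def verify_body_hash(raw_message: str) -> bool:
    """Recompute bh= from the received body and compare it with the signed value.
    A mismatch is what real verifiers report as 'body hash did not verify'."""
    if "\r\n\r\n" not in raw_message:
        return False
    header_block, body = raw_message.split("\r\n\r\n", 1)
    unfolded = re.sub(r"\r\n[ \t]+", " ", header_block)  # join folded header lines
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            tags = parse_tags(value)
            canon = tags.get("c", "simple/simple")  # 'relaxed' alone means simple body
            body_mode = canon.split("/")[1] if "/" in canon else "simple"
            try:
                return tags.get("bh") == body_hash(body, body_mode)
            except ValueError:
                return False
    return False  # unsigned mail: nothing to check against


# Constructed sample body, not a real message.
INVOICE_BODY = (
    "Dear customer,\r\n\r\n"
    "Please pay 1,200.00 to IBAN GB00 EXAMPLE 0000 0000 00.\r\n\r\n"
    "Thanks,\r\nAccounts\r\n"
)

if __name__ == "__main__":
    signed = build_message(INVOICE_BODY)
    tampered = signed.replace("GB00 EXAMPLE 0000 0000 00", "GB99 ATTACKER 9999 9999 99")
    print("original :", verify_body_hash(signed))
    print("tampered :", verify_body_hash(tampered))
```

A real verifier goes on to hash the covered headers together with the DKIM-Signature header itself (with b= emptied), fetch the public key at selector1._domainkey.example.com and check the RSA signature; the body hash is simply the first thing it compares, and the first thing a swapped account number breaks.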
A few terms you may hear from your IT person:
- Selector — a label pointing to one specific key, e.g. selector1._domainkey.yourdomain. It lets you run and rotate multiple keys cleanly. Your provider sets this up.
- Key strength — DKIM keys come in sizes. The modern baseline is 2048-bit RSA; 4096-bit RSA is stronger still, and Ed25519 keys (RFC 8463) are strong and much shorter. Older 1024-bit keys still function but are considered weak by today's standards (NIST SP 800-131A / RFC 8301), and RFC 8301 tells verifiers not to accept anything below 1024 bits at all. Two practical caveats: not every receiver verifies Ed25519 yet, so publish it alongside an RSA key rather than instead of one; and a 4096-bit key produces a long TXT value that some DNS hosts' control panels struggle to store.
What “good” looks like: a valid DKIM key is published at a selector for your domain, your outgoing mail is being signed with it, and the key is 2048-bit or stronger. That’s the full pass.
A note on how this is scored. This check looks for a genuine, well-formed DKIM key published at the selectors mail providers commonly use. A published valid key is the positive signal: a third-party scanner never sees the signatures on your live mail, so the presence of a correct key is what's measured. That also means a published key shows the key exists, not that signing is actually switched on; the send-yourself test under 'How to fix it' covers that part. No key found fails the check (it's a high-severity gap). A valid key that's weak (1024-bit RSA) earns roughly half marks: it's working but should be upgraded. A strong key (2048-bit RSA or better, or Ed25519) earns full marks. This is one of the email security checks that counts toward your grade, worth a meaningful share of it.
How to fix it (free, ~15 minutes)
This part is for whoever manages your email or domain — if that’s not you, hand them this section. The fix is free. We only charge to monitor that your protections stay healthy over time, not to set them up.
The general shape is the same everywhere: switch on DKIM in your email provider, take the key it generates, publish it in your DNS, then confirm it’s live. The exact steps depend on who runs your email — here are the common ones.
Google Workspace (Gmail)
- Admin Console → Apps → Google Workspace → Gmail → Authenticate email.
- Select your domain and click Generate new record (choose the 2048-bit key length).
- Google gives you a DNS record. Add it at your DNS host as a TXT record, host google._domainkey.yourdomain, with the value Google provided.
- Wait for it to propagate (minutes to a few hours), then return to the same screen and click Start authentication.
Microsoft 365 (Outlook / Exchange Online)
- Go to the Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM.
- Select your domain. Microsoft shows you two CNAME records to publish (selector1 and selector2).
- Add both CNAME records at your DNS host exactly as shown.
- Back in the DKIM screen, toggle DKIM signing to Enabled for the domain.
Zoho Mail
- Control Panel → Email Authentication → DKIM.
- Generate a key (use a selector like zoho), then add the provided TXT record at zoho._domainkey.yourdomain in your DNS.
- Verify in the Zoho panel once the record is live.
Other providers / your own mail server
The pattern is identical: the provider (or your mail software) generates a key pair, signs your outgoing mail with the private key, and gives you a public record to publish. It typically looks like:
Host: selector1._domainkey.yourdomain
Type: TXT (or CNAME, depending on provider)
Value: (the long key string your provider gives you)
Where DNS records are added: in your domain’s DNS settings — usually at your domain registrar or DNS host (e.g. Cloudflare, GoDaddy, your hosting control panel). If your email provider supplies a CNAME, it’s pointing to a record they host, so you never see the raw key — that’s normal and fine.
Confirm it works: send yourself a test email to a Gmail account, open it, choose Show original, and check that the summary at the top shows DKIM: 'PASS' with your own domain named next to it. A pass that names your provider's domain instead of yours means the mail is being signed with their key, which won't count as yours under DMARC. Then re-check your domain here to confirm the key came through as 2048-bit or stronger, not a weak 1024-bit one.
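The re-check in the previous paragraph and the scoring rules described under 'A note on how this is scored' can be reproduced offline. The block below is an added example written for this page, not the site's scanner and not any provider's code. It takes a DKIM TXT record in the form dig prints it (one or more quoted strings, because DNS stores TXT data in 255-byte pieces), joins the pieces, reads the RSA modulus size straight out of the DER-encoded public key with no crypto library, and returns the verdict and share of marks. The sample records are constructed inside the block: the RSA modulus is a deterministic random number of the right size, not a real key, and the Ed25519 value is 32 filler bytes. Everything else (the tag names, the DER layout of an RSA SubjectPublicKeyInfo, the empty-p= revocation rule, the 1024-bit floor) comes from RFC 6376, RFC 8301 and RFC 8463.

```python
import base64
import random
import re

# Added example for this page, not the site's scanner: parse a DKIM TXT record
# as dig shows it, measure the RSA key, and score it (missing: fail, 1024-bit
# RSA: half marks, 2048-bit or better RSA or Ed25519: full marks).

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep INTEGER positive


def make_rsa_spki(bits: int) -> bytes:
    """SubjectPublicKeyInfo around a CONSTRUCTED modulus of the given size.
    The modulus is a seeded random odd number, not a real key: fine for a
    scanner to measure, useless for signing."""
    n = (1 << (bits - 1)) | random.Random(bits).getrandbits(bits - 1) | 1
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(65537))
    alg = _tlv(0x30, RSA_OID + b"\x05\x00")
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))


def make_rsa_dkim_record(bits: int) -> str:
    """The record in dig's presentation form: 255-character quoted chunks."""
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(make_rsa_spki(bits)).decode()
    return " ".join('"%s"' % record[i:i + 255] for i in range(0, len(record), 255))


# Constructed Ed25519 record (RFC 8463: p= is the raw 32-byte key, base64).
ED25519_RECORD = '"v=DKIM1; k=ed25519; p=' + base64.b64encode(b"\x11" * 32).decode() + '"'


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; raise on anything truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SEQUENCE { AlgorithmIdentifier, BIT STRING { SEQUENCE { n, e } } }."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    tag, alg, pos = _read_tlv(body, 0)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an RSA key")
    tag, bit_string, _ = _read_tlv(body, pos)
    if tag != 0x03 or not bit_string or bit_string[0] != 0:
        raise ValueError("bad BIT STRING")
    tag, rsa_pub, _ = _read_tlv(bit_string[1:], 0)  # skip the unused-bits byte
    tag, modulus, _ = _read_tlv(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("bad RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(rdata: str) -> dict:
    """Join dig's quoted chunks, then split the tag=value list."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    text = "".join(chunks) if chunks else rdata
    tags = {}
    for item in text.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def score_dkim_record(rdata):
    """Return (verdict, share of marks). rdata is None when DNS had no record."""
    if rdata is None:
        return ("missing", 0.0)
    tags = parse_dkim_record(rdata)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ("invalid", 0.0)
    if tags.get("p", "") == "":
        return ("revoked", 0.0)  # empty p= means the key is revoked (RFC 6376)
    ktype = tags.get("k", "rsa")
    if ktype not in ("rsa", "ed25519"):
        return ("unsupported", 0.0)
    try:
        raw = base64.b64decode(tags["p"], validate=True)
        if ktype == "ed25519":
            return ("strong", 1.0) if len(raw) == 32 else ("invalid", 0.0)
        bits = rsa_modulus_bits(raw)
    except ValueError:  # binascii.Error is a ValueError: bad or truncated paste
        return ("invalid", 0.0)
    if bits < 1024:
        return ("invalid", 0.0)  # RFC 8301: verifiers must not accept these
    if bits < 2048:
        return ("weak", 0.5)
    return ("strong", 1.0)


if __name__ == "__main__":
    for name, rec in [("none", None), ("rsa-1024", make_rsa_dkim_record(1024)),
                      ("rsa-2048", make_rsa_dkim_record(2048)), ("ed25519", ED25519_RECORD)]:
        print(name, score_dkim_record(rec))
```

To run it against a real domain, paste the output of `dig +short TXT selector1._domainkey.yourdomain` (or google._domainkey, zoho._domainkey, whichever selector your provider uses) into score_dkim_record in place of the constructed records. Note the two failure modes the 'Common mistakes' list warns about show up as distinct verdicts: a copy-paste that drops characters comes back as invalid, while an honest 1024-bit key comes back as weak.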
Common mistakes
- Assuming a big provider has it on by default. Plenty of domains on Google or Microsoft still need DKIM switched on and a record published. “We use Microsoft 365” is not the same as “DKIM is enabled.”
- Generating a weak 1024-bit key. Some providers still default to or offer 1024-bit. Choose 2048-bit when given the option — a weak key only earns half marks and is flagged by stricter receivers.
- Publishing the record but never enabling signing. Adding the DNS record is only half the job. If you don’t switch on signing in the provider (the final toggle), your mail still goes out unsigned.
- Mistyping or truncating the key. DKIM keys are long. A copy-paste that drops a character or splits the value wrongly produces a broken seal that fails on every email. Paste the value exactly as given. (Your DNS host showing a long value as several 255-character pieces is normal; verifiers join them back together. What breaks things is a missing character, or the value split across two separate records.)
- Forgetting your other senders. If you send mail through a newsletter tool, CRM, invoicing app or e-commerce platform, each may need its own DKIM key and selector. Sign mail from all the services that send on your behalf, not just your mailbox, and set each one up to sign with your domain (usually a "custom" or "branded" DKIM option) rather than the tool's own default domain. Otherwise the signature exists but doesn't count as yours.
A note on DKIM, SPF and DMARC
DKIM rarely works alone. It’s one of three settings that together make your email trustworthy:
- SPF says which servers are allowed to send mail for your domain.
- DKIM (this page) is the tamper-proof seal proving a message is genuinely yours and unchanged.
- DMARC is the instruction telling providers what to do with anything that fails — and it relies on DKIM and SPF to make that call.
If you’re fixing DKIM, it’s worth checking SPF and DMARC at the same time. Together they’re what stops your business from being impersonated and what keeps your real email landing where it should.
Set it up on your host
Step-by-step for popular providers:
- Set up DKIM on GoDaddy
- Set up DKIM on Namecheap
- Set up DKIM on Cloudflare
- Set up DKIM on Google Workspace
- Set up DKIM on Microsoft 365
- Set up DKIM on Squarespace
- Set up DKIM on Wix
- Set up DKIM on AWS Route 53
- Set up DKIM on Hostinger
- Set up DKIM on Porkbun
- Set up DKIM on IONOS
- Set up DKIM on Bluehost
FAQ
I'm not technical — is this something I can sort out myself?
You don't need to understand the cryptography. In most cases it's a setting you switch on inside your email provider (Google Workspace, Microsoft 365, Zoho, etc.), which then gives you one or two records to add to your domain. Hand the 'How to fix it' section to whoever manages your email or domain — it's a quick, free job, usually around 15 minutes.
Will turning on DKIM risk breaking my email?
Adding DKIM correctly is safe — it doesn't change how your mail is sent, it just adds a signature recipients can verify. The one thing to get right is to publish the key your provider generates exactly as given, and to enable signing only after the record is live in DNS. Done in that order, there's no disruption to you or your customers.
We already use a big provider like Google or Microsoft — aren't we covered automatically?
Not always. Big providers make DKIM easy, but for many domains it still has to be switched on and a record added to your DNS — it isn't always on by default. That's exactly why a domain on a major provider can still fail this check. It takes a few minutes to confirm and enable.
What's the difference between DKIM, SPF and DMARC? Do I need all three?
Think of them as a set. SPF lists which servers are allowed to send mail for you. DKIM is the tamper-proof seal that proves a message is genuinely yours and unchanged. DMARC is the instruction that tells providers what to do with mail that fails those checks (monitor, quarantine or reject), and it only counts a DKIM pass when the domain that signed matches the domain in the From line. They work best together; DMARC in particular leans on DKIM to do its job, so yes, you want all three.
My IT person says DKIM is 'on' — how do I know it's actually working and strong enough?
Two things matter: that a valid DKIM key is published at a selector for your domain and your outgoing mail is actually being signed with it, and that the key behind it is strong (2048-bit RSA or better). An older 1024-bit key still works but is considered weak by modern standards and is treated as a partial pass here. Re-running a check on your domain confirms the published key and its strength; sending yourself a test message to a Gmail account and checking Show original for DKIM: 'PASS' with your domain confirms that signing is really switched on.
What is a 'selector' and why does it matter?
A selector is just a label that points to one specific DKIM key in your DNS — it lets you run more than one key at a time (for example, one for your mailbox and one for your newsletter tool) and rotate keys safely. You don't manage it by hand; your provider creates the selector and tells you the record to publish. It only matters here because the check looks for a valid key at the selectors mail providers commonly use.