> ## Documentation Index
> Fetch the complete documentation index at: https://docs.sendkit.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# DKIM

> Learn how DKIM digitally signs your emails to prove authenticity and prevent tampering.

## What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication protocol that adds a **digital signature** to every email you send. This signature lets the recipient's mail server verify two things:

1. The email actually came from the claimed domain
2. The email content wasn't modified in transit

Think of it like a tamper-proof seal on a package. If anyone opens the package and changes the contents, the seal breaks.

## How DKIM works

DKIM uses **public key cryptography**. There are two keys:

* **Private key** — kept secret on SendKit's servers. Used to sign each email.
* **Public key** — published in your DNS as a TXT record. Used by recipients to verify the signature.

Here's what happens when you send an email:

<Steps>
  <Step title="You send an email through SendKit">
    SendKit creates a hash of the email headers and body.
  </Step>

  <Step title="Signing">
    The hash is encrypted with your domain's private key, and the encrypted hash (signature) is added to the email header.
  </Step>

  <Step title="Recipient receives the email">
    The recipient's mail server looks up the public key in your DNS at `sendkit._domainkey.yourdomain.com`.
  </Step>

  <Step title="Verification">
    The server decrypts the signature using the public key and creates its own hash of the received email.
  </Step>

  <Step title="Result">
    If the hashes match — **DKIM pass**. If they don't — **DKIM fail** (the email was tampered with in transit).
  </Step>
</Steps>

## The DKIM signature header

When DKIM signs an email, it adds a `DKIM-Signature` header. Here's what it looks like:

```
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=acme.com; s=sendkit;
  h=from:to:subject:date:message-id;
  bh=abcdef123456...;
  b=xyz789...
```

| Field | Meaning                                                       |
| ----- | ------------------------------------------------------------- |
| `v`   | Version (always `1`)                                          |
| `a`   | Signing algorithm (`rsa-sha256` is standard)                  |
| `c`   | Canonicalization — how the email is normalized before hashing |
| `d`   | The signing domain (your domain)                              |
| `s`   | The selector — identifies which key to look up in DNS         |
| `h`   | The headers that were signed                                  |
| `bh`  | Hash of the email body                                        |
| `b`   | The actual signature                                          |

## DKIM with SendKit

When you add a domain in SendKit, we generate a unique DKIM key pair for your domain. You publish the public key as a DNS record:

| Field     | Value                                 |
| --------- | ------------------------------------- |
| **Type**  | TXT                                   |
| **Name**  | `sendkit._domainkey.yourdomain.com`   |
| **Value** | `v=DKIM1; k=rsa; p=<your-public-key>` |
| **TTL**   | 3600                                  |

The `sendkit` part is the **selector**. It tells receiving servers which public key to use when verifying the signature. A domain can have multiple selectors for different services.

<Note>
  The public key is unique to your domain and generated by SendKit. Always copy it from the domain detail page — don't try to create your own.
</Note>

## Selectors

A selector is a label that points to a specific DKIM key. It's part of the DNS record name:

```
<selector>._domainkey.yourdomain.com
```

Selectors allow you to have multiple DKIM keys for the same domain. For example:

| Selector                      | Service          |
| ----------------------------- | ---------------- |
| `sendkit._domainkey.acme.com` | SendKit          |
| `google._domainkey.acme.com`  | Google Workspace |
| `s1._domainkey.acme.com`      | Marketing tool   |

Each service has its own key pair and selector. They don't interfere with each other.

## Key rotation

DKIM keys should be rotated periodically to maintain security. If a private key is ever compromised, an attacker could sign emails that pass DKIM verification.

Key rotation involves:

1. Generating a new key pair
2. Publishing the new public key in DNS (with a new selector or same selector)
3. Switching to the new private key for signing
4. Removing the old public key after a transition period

<Info>
  SendKit handles key management for you. If key rotation is needed, we'll notify you with instructions to update your DNS record.
</Info>

## Common DKIM issues

| Problem        | Cause                       | Fix                                                                                                            |
| -------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- |
| DKIM none      | No DKIM signature found     | Ensure the email is being sent through SendKit (not directly)                                                  |
| DKIM fail      | Signature doesn't match     | Check that the DNS record value matches exactly what SendKit provided. Some DNS providers add extra characters |
| DKIM permerror | Public key not found in DNS | Verify the TXT record exists at the correct name (`sendkit._domainkey.yourdomain.com`)                         |
| DKIM temperror | DNS timeout                 | Usually transient. Check your DNS provider's status                                                            |

### DNS record formatting issues

Some DNS providers have trouble with long TXT records. DKIM public keys are long strings, and some providers:

* **Truncate the value** — make sure the full key is saved
* **Add quotes incorrectly** — the value should not include extra quotes beyond what your provider requires
* **Split into multiple strings** — some providers automatically split long TXT records. This is fine as long as the full value is preserved

## FAQ

<AccordionGroup>
  <Accordion title="Does DKIM encrypt my emails?">
    No. DKIM **signs** your emails — it proves authenticity and integrity. It does not encrypt the content. For encryption in transit, see [TLS](/academy/security/tls).
  </Accordion>

  <Accordion title="Can I use the same DKIM key for multiple domains?">
    Technically yes, but it's not recommended. Each domain should have its own key pair for better security and isolation. SendKit generates a unique key for each domain you add.
  </Accordion>

  <Accordion title="What happens if I change DNS providers?">
    You need to re-add the DKIM TXT record at your new DNS provider. The record name and value stay the same — just copy them from the SendKit domain detail page.
  </Accordion>
</AccordionGroup>
