© Crown copyright 2016
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: email@example.com.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/email-security-standards/domainkeys-identified-mail-dkim
What is DKIM?
DomainKeys Identified Mail (DKIM) verifies the domain an email came from and helps show that it hasn’t been tampered with in transit. The receiving email service can then filter out email that fails the DKIM check.
To do this, DKIM uses a public and private key pair. The public key is published in a DNS record for your domain, and your private key is used to sign outbound email. The recipient’s email service can then check the signature on the email it receives against your public key. A matching signature shows the message came from that domain and hasn’t been altered along the way.
Modern cloud-based email services will check for DKIM signatures on inbound email. If the receiving email service doesn’t check for DKIM, the email will be delivered whether or not it has a valid DKIM signature.
An example rule would look for messages that fail the DKIM check and mark them as spam.
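One way to write such a rule, as an added example that is not part of the original guidance: it reads the Authentication-Results header (RFC 8601), where a receiving service records the outcome of its DKIM check. The identifier mx.example.org, the sample messages and the choice to deliver when at least one signature passes are assumptions made for the illustration.

```python
import email
import re
from email import policy

TRUSTED_ID = "mx.example.org"  # assumed authserv-id of our own receiving service

def dkim_results(raw, trusted_id=TRUSTED_ID):
    """Collect dkim= results, but only from headers our own service added."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = []
    for header in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", "", str(header))  # drop (comments)
        parts = [p.strip() for p in value.split(";")]
        authserv = parts[0].split()
        if not authserv or authserv[0].lower() != trusted_id:
            continue  # written by another system or by the sender: ignore
        for part in parts[1:]:
            token = part[5:].split() if part.lower().startswith("dkim=") else []
            if token:
                results.append(token[0].lower())
    return results

def classify(raw):
    """Mark as spam when DKIM failed and no signature passed (assumed rule)."""
    results = dkim_results(raw)
    return "spam" if "fail" in results and "pass" not in results else "deliver"

def sample(*auth_results):
    """Build a constructed test message carrying the given headers."""
    headers = "".join(f"Authentication-Results: {a}\n" for a in auth_results)
    return headers + "From: sender@example.gov.uk\nSubject: test\n\nHello\n"

# Constructed sample messages, not real mail.
PASSED = sample("mx.example.org; dkim=pass header.d=example.gov.uk")
FAILED = sample("mx.example.org; dkim=fail (body hash mismatch) header.d=example.gov.uk")
SPOOFED = sample("other.example.net; dkim=pass header.d=example.gov.uk",
                 "mx.example.org; dkim=fail header.d=example.gov.uk")
UNSIGNED = sample("mx.example.org; dkim=none")

if __name__ == "__main__":
    for name, raw in [("passed", PASSED), ("failed", FAILED),
                      ("spoofed", SPOOFED), ("unsigned", UNSIGNED)]:
        print(name, dkim_results(raw), classify(raw))
```

The rule is only reliable if the receiving service removes any inbound Authentication-Results header that already claims its own identifier before adding its own result.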
This diagram shows how DKIM works: