NuStart Email Trust Series — Post 3 of 10
DKIM Explained as part of my guide to email deliverability, a topic that is full of acronym soup—SPF, DKIM, DMARC, TLS—and most small businesses don’t have time to become part-time email engineers. In this series, I translate the geeky jargon into plain-English concepts and simple actions. You run the business; I’ll do the nerding.
What is DKIM?
DKIM stands for DomainKeys Identified Mail. It adds a cryptographic “signature” to outgoing email so receiving mail systems can verify two things:
- Authenticity: The email really came from a sender authorized by your domain.
- Integrity: The message wasn’t altered (“tampered with”) while in transit.
If SPF is the “who is allowed to send” list, DKIM is the “prove this message is legit” signature.

Why DKIM matters for small businesses
DKIM is one of the most practical trust signals you can enable because it:
- improves inbox placement (especially with Gmail/Outlook)
- reduces “this message looks suspicious” warnings
- supports DMARC alignment (which is what actually stops spoofing)
- helps when messages are forwarded (SPF can fail in forwarding scenarios; DKIM often survives)
It’s a foundational piece of “email trust.”
How DKIM works (plain English)
DKIM uses a matched pair of keys:
- Private key: stored by your email provider/sending service (used to sign messages)
- Public key: published in your DNS (used by receivers to verify the signature)
When your email is sent, the sender adds a DKIM signature header. The recipient checks DNS for your public key and confirms the signature matches the message content.
If it matches: DKIM passes.
If it doesn’t: DKIM fails (common causes: misconfiguration or message modification).
What a DKIM DNS record looks like
DKIM is published as a DNS TXT record on a selector subdomain, like:
selector1._domainkey.yourdomain.com
The TXT value contains your public key, typically starting with:
v=DKIM1; k=rsa; p=...
You do not manually “write” the public key—your provider generates it and tells you what to add.
What is a “selector”?
A selector is just a label (like google, selector1, s1, mail) that lets you have multiple DKIM keys active at once. This is normal and helpful—especially when you use multiple sending platforms.
DKIM + DMARC: the relationship that matters
DMARC doesn’t just ask “did SPF or DKIM pass?” It asks:
- did SPF and/or DKIM pass and align with the visible From: domain?
That means DKIM is often the cleanest way to ensure DMARC passes for third-party tools (CRMs, marketing platforms, ticketing systems) that send on your behalf.
Step-by-step: enabling DKIM safely
Step 1: Identify who sends email for your domain
Make a list of all senders:
- Google Workspace or Microsoft 365
- newsletter platform
- CRM
- website/transactional sender (forms, WooCommerce receipts)
- any automation tool that sends email as you
Step 2: Enable DKIM in your mailbox provider
This is usually a toggle/guided setup in your provider’s admin panel:
- Provider generates DKIM keys
- You add the provided DNS record(s)
- You click “Start authentication” / “Enable DKIM”
Step 3: Add DKIM for third-party platforms
Many platforms support either:
- Signing with your domain (best), or
- Signing with their domain (still helpful, but may not align with DMARC unless configured carefully)
If the platform offers a “domain authentication” setup, it usually includes DKIM records.
Step 4: Verify DKIM is passing
Send a test email to a Gmail address and check “Show original.” You’re looking for:
- DKIM: PASS
- and later, once DMARC is in place, DMARC: PASS
Common DKIM mistakes (and how to avoid them)
1) DKIM enabled in the provider, but DNS never added (or added wrong)
If DNS isn’t correct, DKIM will fail. This is the most common issue.
2) Editing the DKIM record incorrectly
DKIM keys are long. Copy/paste errors and extra spaces can break them.
3) Multiple senders, but only one DKIM set up
If you use a CRM/newsletter tool and only enable DKIM in Google/M365, those third-party messages may fail DMARC later.
4) Website forms sending “from” your domain without proper signing
Many form emails originate from the web server, not your mailbox provider. That’s why form deliverability is often flaky unless routed through an authenticated sender.
DKIM best practices (simple and realistic)
- Use 2048-bit keys if your provider supports it (most do; it’s the modern standard). I have found that clients still using 1024-bit keys do have more deliverability problems
- Keep DKIM keys per sender (separate selectors are normal).
- Document what each selector is for (future you will thank you).
- Plan for rotation (keys can be changed; selectors make this safer).
Quick DKIM checklist
- DKIM is enabled for your primary mailbox provider (Google/M365)
- Required DKIM TXT record(s) exist in DNS
- All major sending platforms are authenticated (newsletter/CRM/transactional)
- Test email headers show DKIM=pass
- You know what each selector corresponds to
DKIM FAQs
Is DKIM required?
Does DKIM encrypt email?
Can I have multiple DKIM records?
What happens if DKIM fails?
Why does DKIM sometimes fail after forwarding?
What is a DKIM selector, again?
s1._domainkey). It allows key rotation and multiple senders.Do I need DKIM for website forms?
Can DKIM improve deliverability by itself?
Want NuStart to handle this for you?
If you’d rather not wrestle with DNS records, alignment, and testing, NuStart can audit your current setup and implement a clean, reliable Email Trust configuration end-to-end. Request an Email Trust Audit today to get started.
Up next
Next: Post 4 — DMARC Made Simple – How to stop spoofing without breaking your email
