DomainKeys Identified Mail (DKIM) is another method (like Sender Policy Framework) for associating a domain name with an e-mail. In essence, the sender adds headers containing details of the e-mail and the originating domain, signed using asymmetric cryptography.

The receiver then retrieves the sender's corresponding public key by looking it up in the Domain Name System and uses it to verify that the e-mail actually originated from them. Since the private and public keys are uniquely associated and, at the current state of knowledge, effectively uncrackable provided they are sufficiently long (at time of writing, the move is towards 2048-bit keys), this uniquely associates the sender with the e-mail. Unlike SPF, DKIM incorporates knowledge of the message body and is therefore complementary to SPF, but more difficult to implement.

It is an unquestionably beneficial technique but, as with all sender verification techniques, it is undermined if spammers gain control of a protected machine and use it for relaying spam.

So what does this mean to the legitimate emailer? 

Same treatment as SPF - if in doubt, leave them out!


DKIM can be in one of three states: correct and installed, incorrect and installed, or not installed. Of these, incorrect and installed has the largest negative impact.
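
A check for these three states, as an added example (not SendForensics code): it derives the DNS name a receiver queries from a DKIM-Signature header and classifies the key record published there. The `example.com` domain, the `mail2024` selector and the key bytes are constructed, TXT lookups are passed in as a dict rather than resolved live, and no signature is verified.

```python
import base64
import binascii

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Simplification: drop all whitespace, which covers header folding.
            tags[name.strip()] = "".join(val.split())
    return tags

def key_query_name(dkim_signature):
    """DNS name where the receiver looks up the signer's public key."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def classify(dkim_signature, txt_records):
    """Return 'not installed', 'incorrect' or 'correct' for the key record."""
    record = txt_records.get(key_query_name(dkim_signature))
    if record is None:
        return "not installed"
    tags = parse_tags(record)
    # v= and k= are optional in a key record; their defaults are DKIM1 and rsa.
    if tags.get("v", "DKIM1") != "DKIM1":
        return "incorrect"
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        return "incorrect"
    try:
        key = base64.b64decode(tags.get("p", ""), validate=True)
    except binascii.Error:
        return "incorrect"
    # An empty p= means the key was revoked, so verification would fail.
    return "correct" if key else "incorrect"

# Constructed sample data: placeholder bytes, not a real public key.
PLACEHOLDER = base64.b64encode(b"placeholder, not a real RSA key").decode()
SIGNATURE = ("v=1; a=rsa-sha256; d=example.com; s=mail2024; "
             "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    name = key_query_name(SIGNATURE)
    samples = {"absent": {},
               "valid": {name: f"v=DKIM1; k=rsa; p={PLACEHOLDER}"},
               "truncated": {name: "v=DKIM1; k=rsa; p=abc"}}
    for label, zone in samples.items():
        print(f"{label}: {classify(SIGNATURE, zone)}")
```
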

The SendForensics Email Deliverability Suite comprehensively analyses DKIM implementations, informing you, in advance, of the precise impact they will have on your email campaigns (with detailed instructions on how to set them up for optimal results).