What is DKIM?
DKIM (DomainKeys Identified Mail) is a method that associates a domain name with the email messages sent under it, which allows receivers to validate the authenticity of the sender.
DKIM is based on asymmetric cryptography. The sending mail server adds a message header containing a cryptographic signature over the message content, which the receiving server verifies using the public key published in the domain’s DNS. If the hash the receiver calculates matches the one protected by the signature, the message can be assumed to come from the genuine sender and to have reached the recipient unchanged.
hosting.fr mail servers sign all messages under the “mailerdienst.de” domain by default.
Complete documentation on DKIM is available at opendkim.org.
What DKIM proves, and what it does not
DKIM (DomainKeys Identified Mail) allows a receiving mail system to verify two things about an email message: who took responsibility for signing it and whether the message content was modified in transit. The sending system adds a DKIM signature to the message headers. The receiving system then retrieves the public key from DNS and checks whether the signature matches the message content. If it matches, the recipient can trust that the message body and relevant headers were not altered after signing.
It is essential to set expectations correctly. DKIM does not encrypt email: messages remain readable by intermediaries unless encryption is used separately (for example, TLS in transit or end-to-end encryption). DKIM also does not guarantee that the human-readable “From” name is trustworthy on its own; it validates cryptographic signatures, not user intent. Finally, DKIM alone does not prevent all spoofing scenarios; its strength increases significantly when combined with DMARC, which defines what should happen when authentication fails and requires alignment with the visible sender domain.
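The integrity check described above has two parts: the body hash (the bh= tag of the DKIM-Signature header) covers the message body, and the signature (b=) covers selected headers plus that body hash. The following Python script is an added example, not code from the original documentation, from hosting.fr or from OpenDKIM. It implements the "simple" and "relaxed" body canonicalization rules of RFC 6376, recomputes the body hash the way a receiver does, and shows that trailing blank lines added by a relay still match while an edited body does not. The sample bodies are constructed; the l= body-length tag is not handled, and the public-key signature check over the headers is outside this example.

```python
"""Recompute a DKIM body hash (the bh= tag) under the two RFC 6376 body
canonicalization algorithms and compare it with the value a signer published.
Added illustration; the sample bodies below are constructed."""
import base64
import hashlib
import hmac
import re

_WSP_RUN = re.compile(r"[ \t]+")


def _split_lines(body: str) -> list:
    # Accept LF or CRLF line endings; output is always rebuilt with CRLF.
    return body.replace("\r\n", "\n").split("\n")


def _drop_trailing_empty_lines(lines: list) -> list:
    while lines and lines[-1] == "":
        lines.pop()
    return lines


def canonicalize_body_simple(body: str) -> str:
    """'simple': drop empty lines at the end and always finish with one CRLF
    (an empty body becomes a single CRLF)."""
    lines = _drop_trailing_empty_lines(_split_lines(body))
    return "\r\n".join(lines) + "\r\n"


def canonicalize_body_relaxed(body: str) -> str:
    """'relaxed': additionally trim trailing whitespace on each line and
    collapse runs of spaces/tabs to one space; an empty body stays empty."""
    lines = [_WSP_RUN.sub(" ", line).rstrip(" ") for line in _split_lines(body)]
    lines = _drop_trailing_empty_lines(lines)
    if not lines:
        return ""
    return "\r\n".join(lines) + "\r\n"


CANONICALIZERS = {
    "simple": canonicalize_body_simple,
    "relaxed": canonicalize_body_relaxed,
}


def body_canonicalization_from_c_tag(c_tag: str) -> str:
    """The c= tag reads 'header/body'; an omitted body part means 'simple'."""
    parts = c_tag.strip().split("/")
    return parts[1] if len(parts) > 1 else "simple"


def body_hash(body: str, canon: str = "simple") -> str:
    """base64(SHA-256(canonicalized body)): the bh= value of a DKIM-Signature."""
    canonical = CANONICALIZERS[canon](body).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode("ascii")


def body_hash_matches(body: str, bh_tag: str, canon: str = "simple") -> bool:
    """Receiver side: recompute bh over the body as received and compare."""
    return hmac.compare_digest(body_hash(body, canon), bh_tag.strip())


if __name__ == "__main__":
    # Constructed sample body and a c= tag as it would appear in the header.
    original = "Invoice 4711 is attached.\r\nRegards, Alice\r\n"
    canon = body_canonicalization_from_c_tag("relaxed/simple")
    bh = body_hash(original, canon)  # value the signer writes into bh=
    as_received = original + "\r\n\r\n"  # a relay appended blank lines
    tampered = original.replace("4711", "4712")  # body edited in transit
    print("bh =", bh)
    print("trailing blank lines still match:", body_hash_matches(as_received, bh, canon))
    print("tampered body matches:", body_hash_matches(tampered, bh, canon))
```

Under "simple" canonicalization whitespace inside lines is significant, so a relay that re-wraps or re-indents the body breaks the hash; "relaxed" tolerates that but still rejects any change to the visible text.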
DKIM, SPF, and DMARC: how they work together
DKIM is one component of modern email authentication. Most organizations implement DKIM alongside SPF and DMARC because each mechanism addresses different aspects of trust and enforcement.
- SPF checks whether the sending server is authorized to send on behalf of a domain by validating the sending IP address against a policy published in DNS.
- DKIM checks whether the message was signed by a domain that publishes a matching public key in DNS, and whether the message content remained intact after signing.
- DMARC ties these signals to the visible “From” domain and defines an enforcement policy (for example, monitor, quarantine, or reject) when authentication fails.
In practical terms: SPF verifies the sending path, DKIM verifies message integrity and signing responsibility, and DMARC defines alignment and enforcement. Using DKIM without DMARC often improves deliverability, but it does not provide a consistent enforcement stance for receivers. Using all three creates a more complete authentication posture and makes your domain harder to misuse for spoofing or phishing.
DKIM alignment and why your “signing domain” matters
A common source of confusion is that the domain used for DKIM signing (the “d=” value in the DKIM signature) does not always match the domain shown in the visible “From” address. In the setup described above, messages may be signed by default under a different domain (for example, a service domain used by the mail system). This is not inherently “wrong,” but it is essential to understand the implications for deliverability and policy.
Alignment matters most when DMARC is used. DMARC expects that either SPF or DKIM aligns with the domain in the “From” header. Alignment means the authenticated domain matches (or is closely related to) the visible sender domain. If your emails are signed under a different signing domain, DKIM may still validate, but DMARC alignment may fail depending on configuration and the receiver’s checks. The practical impact can be increased spam placement or rejection at stricter receivers once DMARC enforcement is in play.
For consistent authentication, DKIM signing should ideally align with the domain you send from, especially for business-critical mail and domains with DMARC policies.
How to confirm DKIM is active (simple verification steps)
You can confirm DKIM operation by checking a sent email and reviewing its headers. This is the most direct and reliable verification method because it confirms what the recipient actually received.
Recommended verification steps:
- Send a test email from your domain to a mailbox you can access.
- Open the message and display the full headers (mail clients typically provide “view original” or “show headers”).
- Look for a header named DKIM-Signature. This indicates the message was signed.
- Look for Authentication-Results and review the DKIM result:
  - You should see a DKIM result such as pass (or an equivalent success status).
- Confirm which domain was used to sign the message (the DKIM signature includes a “d=” field).
If DKIM is passing but you still see deliverability issues, the next step is usually not “more DKIM.” It is to confirm alignment expectations (especially if DMARC is configured) and ensure SPF and DMARC are coherent with how mail is actually being sent.
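To make the header review above repeatable, and to show what "alignment" from the previous section means in concrete terms, here is an added Python example; it is not part of the original documentation and not hosting.fr's or OpenDKIM's code. It reads a message's DKIM-Signature, Authentication-Results and From headers, extracts the signing domain (d=) and selector (s=), picks up the receiver's dkim= verdict, and compares the signing domain with the From domain in both DMARC alignment modes: strict (exact match) and relaxed (same organizational domain). The two sample messages are constructed, with placeholder bh= and b= values and reserved example domains; the organizational-domain helper simply takes the last two labels, which is an assumption that stands in for the Public Suffix List that real DMARC evaluators use.

```python
"""Inspect DKIM-related headers of a received message and evaluate DMARC-style
identifier alignment. Added illustration; both sample messages are constructed."""
import email
import email.utils
import re

# Constructed sample 1: signed under a service domain that differs from the
# visible From domain, as in the default signing setup described above.
SAMPLE_SERVICE_SIGNED = """\
Authentication-Results: mx.receiver.example; dkim=pass header.d=mail.example.org header.s=sel2024;
 spf=pass smtp.mailfrom=bounce.mail.example.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.example.org; s=sel2024;
 h=from:to:subject:date; bh=BODYHASHPLACEHOLDER=;
 b=SIGNATUREPLACEHOLDER
From: Alice <alice@example.com>
Subject: DKIM check

Hello Bob
"""

# Constructed sample 2: signed by a subdomain of the From domain.
SAMPLE_ALIGNED = """\
Authentication-Results: mx.receiver.example; dkim=pass header.d=mail.example.com header.s=sel2024
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com; s=sel2024;
 h=from:to:subject:date; bh=BODYHASHPLACEHOLDER=; b=SIGNATUREPLACEHOLDER
From: Alice <alice@example.com>
Subject: DKIM check

Hello Bob
"""


def _unfold(value: str) -> str:
    # Join folded header continuation lines into one logical line.
    return re.sub(r"\r?\n[ \t]*", " ", value).strip()


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (whitespace in
    values such as b= and bh= is insignificant and removed)."""
    tags = {}
    for part in _unfold(header_value).split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def parse_authentication_results(header_value: str) -> tuple:
    """Return (authserv-id, [{'method', 'result', 'props'}, ...])."""
    parts = [p.strip() for p in _unfold(header_value).split(";")]
    authserv_id = parts[0].split()[0] if parts and parts[0] else ""
    results = []
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)
        if not m:
            continue
        props = dict(re.findall(r"([\w.]+)=([^\s;]+)", part[m.end():]))
        results.append({"method": m.group(1), "result": m.group(2), "props": props})
    return authserv_id, results


def organizational_domain(domain: str) -> str:
    # Assumption: last two labels. Real DMARC uses the Public Suffix List.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def dkim_aligned(from_domain: str, signing_domain: str, mode: str = "relaxed") -> bool:
    """DMARC alignment: strict = identical, relaxed = same organizational domain."""
    f, d = from_domain.lower(), signing_domain.lower()
    if mode == "strict":
        return f == d
    return organizational_domain(f) == organizational_domain(d)


def inspect_message(raw: str) -> dict:
    msg = email.message_from_string(raw)
    _, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    report = {"from_domain": from_domain, "dkim_signed": False, "signing_domain": None,
              "selector": None, "dkim_result": None, "reported_signing_domain": None,
              "aligned_relaxed": False, "aligned_strict": False}
    sig = msg.get("DKIM-Signature")
    if sig:
        tags = parse_dkim_tags(sig)
        report["dkim_signed"] = True
        report["signing_domain"] = tags.get("d", "").lower()
        report["selector"] = tags.get("s")
    ar = msg.get("Authentication-Results")
    if ar:
        _, results = parse_authentication_results(ar)
        for r in results:
            if r["method"] == "dkim":  # first dkim verdict the receiver recorded
                report["dkim_result"] = r["result"]
                report["reported_signing_domain"] = r["props"].get("header.d", "").lower()
                break
    if report["signing_domain"]:
        report["aligned_relaxed"] = dkim_aligned(from_domain, report["signing_domain"], "relaxed")
        report["aligned_strict"] = dkim_aligned(from_domain, report["signing_domain"], "strict")
    return report


if __name__ == "__main__":
    for name, raw in (("service-signed", SAMPLE_SERVICE_SIGNED), ("aligned", SAMPLE_ALIGNED)):
        print(name, inspect_message(raw))
```

The first sample shows the situation the alignment section warns about: DKIM passes and the receiver reports the signing domain, yet neither alignment mode holds because example.org and example.com are different organizational domains, so a DMARC policy on example.com would have to rely on SPF alignment alone. The second sample passes relaxed alignment but not strict, which matters if the domain's DMARC record sets adkim=s.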