DKIM
Definition
DKIM (DomainKeys Identified Mail) is a cryptographic authentication protocol that attaches a digital signature to outgoing emails. When a recipient’s mail server receives an email, it uses the sender’s public key (published in DNS) to verify that the signature is valid. A valid DKIM signature proves:
- The email was sent from the claimed sending domain (or a system authorised by that domain)
- The email’s headers and body weren’t tampered with in transit
DKIM is one of three authentication protocols — alongside SPF and DMARC — required by Gmail and Yahoo for bulk senders as of February 2024.
Why it matters in 2026
Google and Yahoo’s February 2024 sender requirements mandate DKIM authentication for anyone sending more than 5,000 emails/day to Gmail addresses. Without DKIM:
- Emails sent to Gmail may be rejected or filtered to spam
- Your sender reputation degrades over time
- DMARC alignment — required separately — cannot pass without DKIM
In practice: every business using an email marketing platform to send marketing campaigns should have DKIM set up. It’s not optional in 2026.
Concrete example
You send a newsletter from newsletter@yourbusiness.com. Without DKIM, the recipient’s mail server sees an email claiming to be from your domain, but has no cryptographic proof it actually came from you. With DKIM:
- Your email platform (Brevo, Mailchimp, ActiveCampaign) signs the email with your private DKIM key
- Your DNS records contain the corresponding public key at a TXT record like:
selector._domainkey.yourbusiness.com - Gmail’s servers query your DNS, retrieve the public key, and verify the signature
- The email is authenticated as genuinely from your domain
The whole process takes milliseconds and happens transparently.
How to set up DKIM (platform-specific)
Every major email marketing platform provides DKIM setup guides:
Brevo: Settings → Senders & IP → Authenticate this email domain → copy 2 TXT records to your DNS provider. Takes 5–15 minutes.
Mailchimp: Audience → Manage Audience → Settings → Verified domains → Add and verify domain → Add DKIM record.
ActiveCampaign: Settings → Emails → Deliverability → Add domain → Add DKIM TXT records.
DNS propagation after adding the records takes 15 minutes to 48 hours depending on your provider.
DKIM + SPF + DMARC: the authentication triad
DKIM alone isn’t sufficient for strong deliverability. The three protocols work together:
| Protocol | What it verifies | Visible to recipient |
|---|---|---|
| SPF | Which IP addresses are authorised to send for your domain | No |
| DKIM | Cryptographic signature proving domain ownership | No |
| DMARC | Alignment policy: what to do when SPF/DKIM fail, and where to send reports | No |
For Gmail’s 2024 requirements, you need all three. DMARC requires at least one of SPF or DKIM to pass, plus DMARC alignment (the From: header domain must match the authenticated domain).
Related concepts
- SPF (Sender Policy Framework) — authorises sending IP addresses
- DMARC — the policy layer on top of SPF and DKIM
- Sender reputation — what DKIM protects
- Warm-up — the process after setting up DKIM on a new domain
→ Read: Email deliverability in the Gmail/Yahoo era — what changed in 2024