← RFC Reference

RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures

Internet Standard Email Authentication
ELI5: DKIM puts a tamper-proof signature on your email and the matching public key in your DNS, so receivers can confirm the message really came from your domain and wasn't changed in transit.

Why This RFC Exists

DKIM gives email a verifiable, domain-level signature that survives forwarding, complementing SPF's path-based check.

How it works

The sender signs selected headers and the body; the public key lives at <selector>._domainkey.<domain> in DNS. The signature names the signing domain in its d= tag.

Why the sending domain matters

The DKIM key is a DNS record under your sending (sub)domain, and its d= domain is what DMARC aligns against — another reason to send from a domain you can publish records under.

Practical guide

For the hands-on setup, see Why you should use a subdomain for sending email.

Related RFCs

DKIM — DomainKeys Identified Mail
DKIM — DomainKeys Identified Mail
SPF — Sender Policy Framework
SPF — Sender Policy Framework
RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC)
RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Email Authentication Explained
Email Authentication Explained