
DKIM explained: selectors, signing and alignment

How DKIM cryptographically signs your mail, how selectors and DNS public keys work, and what DKIM alignment means for DMARC.

Last updated 14 June 2026

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing email. The sending system signs the message with a private key; the matching public key is published in your DNS so any receiver can verify the signature. If the signature verifies and the message hasn't been tampered with in transit, DKIM passes.

Unlike SPF, which checks the connecting IP, DKIM checks the message itself — which means a valid DKIM signature survives forwarding, making it the more robust of the two authentication mechanisms.

Selectors and the DNS public key

DKIM uses a selector so a single domain can publish multiple keys (one per provider, or for key rotation). The selector is named in each signature and points to a DNS record:

selector._domainkey.yourdomain.com

For example, if your provider signs with selector s1, the public key lives at:

s1._domainkey.yourdomain.com.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSq...AB"

  • v=DKIM1 — version tag.
  • k=rsa — the key type.
  • p= — the public key itself (often long enough to be split across multiple strings).

Each sending service that signs for you publishes its own selector record. Google, Microsoft 365, SendGrid, Mailgun and others each give you a selector (or two) to add to your DNS.

What's in the signature

Every DKIM-signed message carries a DKIM-Signature: header containing, among other things:

  • d= — the signing domain (the domain that vouches for the message).
  • s= — the selector telling the receiver which public key to fetch.
  • b= — the signature itself, over a defined set of headers and the body.

DKIM pass vs DKIM alignment

As with SPF, DMARC distinguishes between a pass and alignment:

  • DKIM pass means the signature verifies — the message wasn't altered and the key is valid.
  • DKIM alignment means the signing domain (d=) matches the From: domain your recipients see.

For DMARC, alignment is what counts. A common pitfall: a third-party tool signs mail with its own d= domain (e.g. d=mailprovider.com) rather than yours. The signature passes, but it is unaligned, so it does nothing for DMARC. The fix is to set the vendor up to sign with your domain, typically by adding their selector._domainkey record to your DNS so that their signatures carry d=yourdomain.com.

Alignment can be relaxed (adkim=r, the default — a parent/subdomain match is fine) or strict (adkim=s, exact match only).
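
The check described in the two sections above, as an added example (not from the original page or any vendor's code): it reads d= and s= from a DKIM-Signature header, builds the selector lookup name, and applies relaxed or strict alignment against the From: domain. The sample header is constructed, and PUBLIC_SUFFIXES is a small stand-in (an assumption) for the full Public Suffix List a real receiver would use; the code does not verify the signature itself.

```python
import re

# Constructed stand-in for the Public Suffix List; real code should load the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature header value into a tag=value dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # base64 values may contain '='
            tags[name.strip()] = value.strip()
    return tags

def key_record_name(tags):
    """DNS name where the receiver fetches the public key: <s>._domainkey.<d>"""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def org_domain(domain):
    """Organizational domain: the longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is not in the set

def dkim_aligned(d_domain, from_domain, adkim="r"):
    """True if a passing signature's d= aligns with the From: domain."""
    d = d_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if adkim == "s":
        return d == f                      # strict: exact match only
    return org_domain(d) == org_domain(f)  # relaxed: same organizational domain

# Constructed sample header; bh= and b= are placeholders, not real values.
SAMPLE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.yourdomain.com;\r\n"
          "\ts=s1; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE)
    print("key record:", key_record_name(tags))
    for mode in ("r", "s"):
        print(f"adkim={mode}:", dkim_aligned(tags["d"], "yourdomain.com", mode))
    # The pitfall from the text: the vendor signs with its own domain.
    print("vendor d=:", dkim_aligned("mailprovider.com", "yourdomain.com"))
```

A signature from d=mail.yourdomain.com aligns with From: yourdomain.com under adkim=r but not under adkim=s, while d=mailprovider.com is unaligned in both modes.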

How Blankitt DMARC helps

The Domain detail page includes DKIM selector management, so you can see which selectors are active for a domain and confirm their DNS records are live. Combined with the source-IP breakdown and vendor detection, this makes it straightforward to spot a legitimate sender that is passing DKIM but signing with the wrong domain — the exact thing you need to fix before tightening your DMARC policy.

SPF and DKIM together

DMARC passes if a message has either aligned SPF or aligned DKIM. Because DKIM survives forwarding where SPF does not, getting DKIM aligned for every legitimate sender is the single most reliable way to keep good mail flowing as you progress towards p=reject.
