Skip to content DomainKeys Identified mail explained
DKIM (DomainKeys Identified Mail) keeps your emails tamper-proof and credible. DKIM slaps a digital signature on your emails that says, ‘this email is legit from our domain and hasn’t been messed with.’
It’s like a digital version of a wax seal for your email.
When you set up DKIM, your email server adds an encrypted signature header to every email you send. That signature is generated using a private key that only your email provider has.
On the receiving end, mailbox providers retrieve your public key (published in your domain’s DNS records) and use it to verify that the signature is valid.
If it checks out, it means two things:
If the signature doesn’t match or there’s no DKIM at all, the email provider is left guessing, and often, guessed wrong means the spam folder.
DKIM gives your emails a stamp of authenticity, a cryptographic handshake.
DKIM directly impacts deliverability. Many ISPs favor DKIM-signed emails in their filtering algorithms because it’s a quality signal. Emails with a valid DKIM are far more likely to hit the inbox because the mailbox provider trusts the source and content integrity. Unsigned emails (or ones with broken signatures) raise suspicion and may be sent to spam even if the content is fine.
Without DKIM, anyone could potentially impersonate your domain by modifying emails in transit. With DKIM, any such tampering would break the signature and reveal the fraud. You’re not just protecting your emails; you’re protecting your brand’s reputation. And ISPs love senders who care about that stuff.
Setting up DKIM sounds intimidating, but most email service providers make it relatively straightforward. Generally, you will:
Your email platform or server will generate a public/private key pair. The private key stays with whatever sends your email (e.g., your SMTP service or marketing platform). The public key should be added to your DNS records as a TXT record.
This typically looks like a string of characters on a subdomain (called a selector, e.g., selector._domainkey.yourdomain.com). That record contains the public key.
In your email software, turn on DKIM signing using the generated keys. Now every outbound email gets that signature header added.
Many providers now recommend 2048 bits for better security (instead of older 1024-bit keys). It’s more secure and some receivers will flag weaker keys as a risk.
Combine DKIM with SPF and you’ve got two green checkmarks for every message (which DMARC can then double-confirm). That’s the foundation for inbox email deliverability.
Pitchkraft lets you verify your SPF, DKIM and DMARC within the software. We strongly advise you to take advantage of that. We also ask that you verify your domain so that others can’t send emails using Pitchkraft on your behalf.
Unless you verify your domain, which is a 10-minute job, we won’t be able to let you send emails via Pitchkaft. We value your email reputation and won’t do anything which could harm it. If you have any problems or need any help or advice, just contact our support team anytime.
Get in touch
24/7/365 support comes as standard. We know…this is not normal!
support@pitchkraft.ai
Available on Standard & Premium plans
