← Back to Videos

DKIM Records in Plain English

Video
Essence of Email — YouTube·2023·~12 min

About this video

DKIM (DomainKeys Identified Mail) is one of the three core email authentication protocols — alongside SPF and DMARC. This video breaks down what DKIM actually does when you hit send, why mailbox providers check it, and how to think about selectors, keys, and alignment without getting lost in DNS syntax.

If you are troubleshooting deliverability or preparing for stricter sender requirements from Gmail, Yahoo, or Microsoft, DKIM is not optional. It is the cryptographic proof that your message was not altered in transit and that it was authorized by your domain.

What DKIM does when you send email

When your ESP sends on your behalf, it signs each message with a private key. The receiving server looks up your public key in DNS (via a DKIM selector record) and verifies the signature. A passing DKIM check tells the receiver the message content is intact and tied to your domain.

DKIM does not, by itself, tell receivers what to do with failing mail — that is where DMARC policy comes in. But without DKIM, you are missing a major trust signal and often fail alignment requirements outright.

Selectors, keys, and where to find your values

DKIM records live at selectors — subdomains like selector._domainkey.yourdomain.com. Different sending tools use different selectors. Your ESP documentation should list the selector and the TXT value to publish.

When you rotate platforms or add a new sending subdomain, you typically add a new selector rather than overwriting the old one until cutover is complete. Multiple valid selectors can coexist during migrations.

Alignment and deliverability impact

For DMARC to pass in relaxed mode, the organizational domain in the From address must align with the domain that signed DKIM (or passed SPF). Misaligned From domains — common with some ESP default settings — weaken authentication even when DKIM technically passes on the return-path or signing domain.

Authentication failures and alignment gaps show up in DMARC aggregate reports long before revenue drops. Fixing DKIM is foundational work that belongs at the bottom of the retention pyramid — before you optimize creative or cadence.

Common DKIM setup mistakes

  • Publishing the record on the wrong subdomain or forgetting the selector prefix.
  • Letting an old ESP selector expire while mail still routes through that infrastructure.
  • Signing with a domain that does not align with your visible From address.
  • Copy-paste errors in the TXT value — even one broken character fails verification.

Learn more: DKIM records guide (article), and Deliverability Recovery program.

Key takeaways

  • DKIM cryptographically signs outbound mail so receivers can verify content integrity and domain ownership.
  • Selectors are the DNS lookup path — each ESP or sending source may use its own selector.
  • DMARC alignment requires your From domain to match the signing domain (SPF or DKIM).
  • Fix DKIM before scaling send volume or chasing engagement optimizations.
  • Use DMARC aggregate reports to catch authentication drift after ESP or DNS changes.

Prefer YouTube? Watch on YouTube

Want to discuss your email program?

Schedule a free consultation with our team.

Book a Call