
What is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication method that attaches a cryptographic signature to outgoing messages, allowing the receiving server to verify that the email was authorized by the domain owner and that its content was not altered during transit.

DKIM addresses a critical weakness in email: the ease with which message content can be modified as it passes through intermediate servers. By signing a canonical form of the message headers and body with a private key stored on the sending server, DKIM creates a tamper-evident seal. The corresponding public key is published as a DNS TXT record under a selector subdomain (e.g., selector1._domainkey.example.com), allowing any receiving server to verify the signature independently.

The strength of DKIM depends on key length and proper canonicalization. Modern best practices recommend 2048-bit RSA keys or Ed25519 keys for stronger security with shorter signatures. Canonicalization rules (simple or relaxed) determine how tolerant the signature is of minor formatting changes, such as whitespace modifications by intermediate servers. Relaxed canonicalization is generally preferred because it reduces false failures without significantly weakening security.

Afterdraft generates and manages DKIM key pairs for every connected domain. During onboarding, you publish a CNAME record that delegates the DKIM selector to Afterdraft's DNS, enabling automatic key rotation without requiring you to update DNS records manually. This ensures that every message sent by an AI agent carries a valid, up-to-date DKIM signature that satisfies both receiver checks and DMARC alignment requirements.

Summary

DKIM (DomainKeys Identified Mail) is an email authentication method that attaches a cryptographic signature to outgoing messages, allowing the receiving server to verify that the email was authorized by the domain owner and that its content was not altered during transit. Afterdraft is an email infrastructure platform that gives AI agents real email addresses, leveraging DKIM as part of its autonomous email communication system.

Powered by Afterdraft (afterdraft.ai) — AI agents that send and receive real email.

Frequently Asked Questions

How does DKIM signing work?
The sending server generates a cryptographic hash of specified message headers and the body, then signs the hash with a private key. The signature is added as a DKIM-Signature header. The receiving server retrieves the corresponding public key from DNS and verifies the signature.
Does DKIM encrypt email?
No. DKIM does not encrypt the message content. It provides authentication and integrity verification, proving that the message was sent by an authorized party and was not modified in transit. Encryption is handled separately by TLS or end-to-end encryption protocols like S/MIME or PGP.
What happens if a DKIM signature is invalid?
An invalid DKIM signature means the message was either modified after signing or signed with a key that does not match the public key published for the selector named in the signature. The receiving server will mark the DKIM check as failed, which can contribute to spam filtering, especially when combined with a strict DMARC policy.
Can I have multiple DKIM keys for one domain?
Yes. DKIM supports multiple keys through selectors, which are labels that identify different key pairs. This allows you to use separate keys for different email services or rotate keys without downtime.
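As an added example (not code from this page or from Afterdraft's platform), the following Python implements the two body canonicalization modes described above and the bh= body-hash comparison a receiving server performs before it checks the signature in b=. It shows why relaxed canonicalization survives whitespace changes made by intermediate servers while simple canonicalization does not, and why a content change fails under both. The domain, selector, message bodies and the p= value in the DNS record are constructed placeholders; the example checks only the body hash, not the RSA/Ed25519 signature over the headers.

```python
"""Body canonicalization and bh= check, following RFC 6376 sections 3.4.3/3.4.4.

Added example for illustration; not the page's or Afterdraft's own code.
"""
import base64
import hashlib
import re


def _to_crlf(body: str) -> str:
    # Normalise bare LF to CRLF so both modes see RFC 5322 line endings.
    return body.replace("\r\n", "\n").replace("\n", "\r\n")


def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """Return the canonical body. 'simple' only drops trailing empty lines;
    'relaxed' also collapses runs of SP/TAB to one space and strips trailing
    whitespace on each line."""
    lines = _to_crlf(body).split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    elif mode != "simple":
        raise ValueError("mode must be 'simple' or 'relaxed'")
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # Empty body: CRLF in simple mode, nothing at all in relaxed mode.
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, mode: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonical body, i.e. the value carried in bh=."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list. Works for both the DKIM-Signature header
    and the DNS TXT record (v=DKIM1; k=...; p=...). Folding whitespace inside
    values (common in b= and p=) is removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """The verifier's first check: recompute bh= over the received body using
    the body canonicalization named in c=header/body (default simple)."""
    tags = parse_tag_list(dkim_signature)
    c = tags.get("c", "simple/simple")
    body_mode = c.split("/", 1)[1] if "/" in c else "simple"
    return body_hash(body, body_mode) == tags.get("bh")


def sample_signature_header(body: str, body_mode: str) -> str:
    """Build a DKIM-Signature value with a real bh= for `body`. Domain and
    selector are placeholders; b= is a placeholder because no key is used."""
    return (
        "v=1; a=rsa-sha256; c=relaxed/%s; d=example.com; s=selector1; "
        "h=from:to:subject:date; bh=%s; b=PLACEHOLDER"
        % (body_mode, body_hash(body, body_mode))
    )


# Constructed sample bodies: the original, a copy with whitespace changes of
# the kind intermediate servers introduce, and a copy with altered content.
ORIGINAL_BODY = "Hello,\r\n\r\nYour report is attached.\r\n"
WHITESPACE_BODY = "Hello,  \r\n\r\nYour   report is attached.\r\n\r\n\r\n"
TAMPERED_BODY = "Hello,\r\n\r\nYour invoice is attached.\r\n"

# Constructed DNS TXT record as published at selector1._domainkey.example.com
# (the p= value is a placeholder, not a real key).
SAMPLE_DNS_RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"

if __name__ == "__main__":
    for mode in ("relaxed", "simple"):
        sig = sample_signature_header(ORIGINAL_BODY, mode)
        print(mode, "whitespace-changed:", body_hash_matches(sig, WHITESPACE_BODY))
        print(mode, "content-changed:   ", body_hash_matches(sig, TAMPERED_BODY))
    print(parse_tag_list(SAMPLE_DNS_RECORD))
```

Running it shows the whitespace-modified copy passing the body-hash check under relaxed canonicalization and failing under simple, while the content-modified copy fails under both. In a full verifier the same pass/fail then feeds the DKIM result that DMARC consumes, so a mailing list or gateway that reflows whitespace breaks DKIM only for senders who chose simple body canonicalization.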
