DKIM (DomainKeys Identified Mail)
Technical & Infrastructure
An email authentication method that verifies the sender's domain to prevent email spoofing.
Definition
DKIM (DomainKeys Identified Mail) is an email authentication standard that allows the sending mail server to attach a cryptographic digital signature to outgoing messages. The receiving server retrieves the corresponding public key from the sender's DNS records and uses it to verify the signature. If the signature is valid, the recipient knows the email genuinely came from the claimed domain and was not altered in transit. DKIM works alongside [SPF](/glossary/spf) (Sender Policy Framework) and [DMARC](/glossary/dmarc) (Domain-based Message Authentication, Reporting & Conformance) to form a complete email authentication framework that protects both senders and recipients.
Why It Matters
Email remains a primary channel for sharing digital publications, sending lead-capture notifications, and delivering transactional messages. Without DKIM, emails are more likely to be flagged as spam or rejected entirely by recipient mail servers. Major providers like Gmail, Outlook, and Yahoo now require DKIM for bulk senders, and messages without valid signatures face increasingly aggressive filtering. Proper DKIM setup improves deliverability, protects your brand from spoofing (where attackers send emails pretending to be your domain), and builds trust with email providers. For publishers who rely on email to distribute flipbooks and collect leads, DKIM directly affects whether your audience actually sees your messages.
How It Works in FlipLink
FlipLink sends emails on your behalf for lead-capture notifications, shared publication links, and [email templates](/features/email-templates). These emails are sent through infrastructure that has DKIM configured, meaning every outgoing message carries a valid cryptographic signature. If you use a [custom domain](/features/custom-domains) for your publications and want to send sharing emails from that domain, you configure DKIM DNS records to authorize FlipLink's mail servers to send on your behalf. This ensures recipients see your domain as the verified sender, maximizing inbox placement and maintaining your brand's credibility.
Setup Checklist
Setting up DKIM involves both DNS configuration and mail server coordination. Here is what the process typically looks like:
1. **Generate a key pair.** Your mail service or platform (like FlipLink) generates a private key (kept on the sending server) and a public key (published in DNS).
2. **Add the DNS TXT record.** Create a TXT record at `selector._domainkey.yourdomain.com` containing the public key. The selector is a label (like `fl1` or `mail`) that identifies which key to use.
3. **Verify the record propagates.** DNS changes can take up to 48 hours, though most propagate within an hour. Use a DKIM lookup tool to confirm the record is visible.
4. **Send a test email.** Send an email from the configured domain and check the headers for `dkim=pass` in the Authentication-Results header.
5. **Monitor continuously.** Set up [DMARC](/glossary/dmarc) reporting to receive alerts if DKIM validation starts failing, which could indicate DNS misconfiguration or unauthorized senders.
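An added example (not FlipLink's code) that automates the step 4 check: it reads the Authentication-Results header written by your own receiving server and reports whether a passing DKIM signature was made by the From: domain rather than by a provider's domain. The host names, selector and messages are constructed, and `trusted_authserv` is an assumed parameter naming the server whose results you trust.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def dkim_verdicts(raw_message, trusted_authserv):
    """DKIM results recorded by our own receiving server, each flagged with
    whether the signing domain (header.d) equals the From: domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdicts = []
    for header in msg.get_all("Authentication-Results", []):
        authserv, *clauses = header.split(";")
        # Any upstream server can add this header; only read our own server's copy.
        if authserv.strip().lower() != trusted_authserv:
            continue
        for clause in clauses:
            m = re.match(r"\s*dkim=(\w+)", clause)
            if not m:
                continue
            props = dict(re.findall(r"header\.(\w+)=(\S+)", clause))
            d = props.get("d", "").lower()
            verdicts.append({"result": m.group(1).lower(), "d": d,
                             "selector": props.get("s"),
                             # Exact match only; subdomain alignment is not handled.
                             "from_domain_signed": d == from_domain})
    return verdicts

def domain_signature_passed(raw_message, trusted_authserv):
    """True only if a signature made by the From: domain itself passed."""
    return any(v["result"] == "pass" and v["from_domain_signed"]
               for v in dkim_verdicts(raw_message, trusted_authserv))

# Constructed sample messages (not taken from a real mailbox).
MSG_OK = (
    "Authentication-Results: mx.recipient.example;\n"
    " dkim=pass header.d=yourdomain.com header.s=fl1 header.b=AbCd1234;\n"
    " spf=pass smtp.mailfrom=yourdomain.com\n"
    "From: Newsletter <news@yourdomain.com>\n"
    "Subject: DKIM test\n\nbody\n")
MSG_SHARED = (  # passes, but the signature belongs to the provider's domain
    "Authentication-Results: relay.other.example;\n"
    " dkim=pass header.d=yourdomain.com\n"
    "Authentication-Results: mx.recipient.example;\n"
    " dkim=pass header.d=mailer.example header.s=s1\n"
    "From: Newsletter <news@yourdomain.com>\n"
    "Subject: DKIM test\n\nbody\n")
```

A `dkim=pass` whose `header.d` is the mail provider's domain means the custom-domain DNS records are not yet in effect, even though the message was signed.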
Security Considerations
DKIM protects against two specific threats: **email spoofing** (someone sending emails that appear to come from your domain) and **message tampering** (someone modifying the email content after it leaves your server). However, DKIM alone is not a complete security solution.
**What DKIM does protect:**
- Verifies the email was sent by an authorized server for that domain
- Confirms the signed headers and body were not altered in transit
- Provides a foundation for DMARC policy enforcement
**What DKIM does not protect:**
- It does not encrypt the email content (use TLS for that)
- It does not verify the identity of the individual sender, only the domain
- It does not prevent your domain from receiving spam — it only helps your outgoing mail be trusted
**Key rotation** is an important but often overlooked practice. If your DKIM private key is compromised, an attacker can sign emails as your domain. Rotate your DKIM keys periodically (every 6–12 months) and update the DNS record with the new public key before retiring the old one.
Technical Details
A DKIM signature is added as a `DKIM-Signature` header to each outgoing email. This header contains several fields:
- **v** — Version (always `1`)
- **a** — Signing algorithm (typically `rsa-sha256`)
- **d** — The signing domain
- **s** — The selector used to look up the public key in DNS
- **h** — List of headers included in the signature (e.g., `from:to:subject:date`)
- **bh** — Hash of the email body
- **b** — The actual cryptographic signature
The receiving server extracts the `d` and `s` values, queries DNS for `s._domainkey.d`, retrieves the public key, and verifies the signature against the signed headers and body hash. If everything matches, the DKIM check passes.
DKIM supports key lengths of 1024 bits and 2048 bits. While 1024-bit keys are still common, 2048-bit keys are recommended for stronger security. Some DNS providers have a 255-character TXT record limit, which requires splitting longer 2048-bit keys across multiple strings in a single TXT record.
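The lookup and body-hash steps described above, as an added Python example that is not part of the original page or FlipLink's code. It assumes `rsa-sha256` with no `l=` tag, and leaves out header canonicalization and the RSA check of `b=`; the message, domain and key strings are constructed placeholders.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (DKIM-Signature header or DNS key record)."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            # Folding whitespace inside a value (b=, bh=, h=, p=) is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(tags):
    """DNS name the verifier queries for the public key: s._domainkey.d"""
    return f"{tags['s']}._domainkey.{tags['d']}"

def key_record(txt_strings):
    """A long key arrives as several <=255-byte strings; join with no separator."""
    return parse_tags("".join(txt_strings))

def body_hash(body, canon="simple"):
    """SHA-256 body hash (the bh= value) after DKIM body canonicalization."""
    lines = body.split(b"\r\n")
    if canon == "relaxed":
        # Collapse runs of spaces/tabs, then drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":       # empty lines at the end are ignored
        lines.pop()
    canonical = b"".join(ln + b"\r\n" for ln in lines)
    if canon == "simple" and not canonical:
        canonical = b"\r\n"                 # simple: an empty body hashes as CRLF
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()

def body_matches(sig_header, body):
    """True if the body still hashes to the bh= value in the signature."""
    tags = parse_tags(sig_header)
    # c= is "header/body"; the body algorithm defaults to simple when omitted.
    canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, canon) == tags["bh"]

# Constructed sample (not a real message). b= is a placeholder because the
# RSA verification against the p= key is outside this example.
BODY = b"A new lead was captured.  \r\nOpen the dashboard to view it.\r\n\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=fl1;\r\n"
       "\th=from:to:subject:date; bh=" + body_hash(BODY, "relaxed")
       + "; b=PLACEHOLDER")
# Constructed key record split across two TXT strings; p= is a placeholder.
TXT = ["v=DKIM1; k=rsa; p=PLACEHOLDER", "KEYDATA"]
```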
Related Terms
DMARC
An email policy protocol that builds on SPF and DKIM to prevent domain spoofing and phishing.
DNS (Domain Name System)
The internet's phone book that translates domain names into IP addresses for web navigation.
Embed Code
An HTML snippet (usually an iframe tag) that displays a flipbook on any external website.
Hreflang
An HTML attribute telling search engines which language version of a page to show in each region.
HTTPS
A secure version of HTTP that encrypts data between the browser and server using SSL/TLS.