DKIM (DomainKeys Identified Mail) is an email authentication method that lets a sender attach a cryptographic signature to every outgoing message. The receiving server verifies that signature against a public key in your DNS, confirming the message was really sent from your domain and not modified in transit.
How DKIM works
You publish a public key as a TXT record at selector._domainkey.yourdomain.com. Mailpro signs every outgoing email with the matching private key. The receiver fetches your public key, verifies the signature, and confirms three things: the sender is authorized, the headers were not altered, and the body was not tampered with.
DKIM, SPF and DMARC at a glance
| Standard | Verifies | Where it lives |
|---|---|---|
| DKIM | Cryptographic signature on each message | DNS TXT (selector._domainkey) |
| SPF | Which IPs may send for the domain | DNS TXT on root domain |
| DMARC | Policy when SPF/DKIM fail | DNS TXT (_dmarc subdomain) |
Anatomy of a DKIM record
A typical DKIM TXT record looks like:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...
Mailpro generates the key pair, hosts the private key securely, and gives you the exact TXT record to paste in your DNS. See the step-by-step guide: configure DKIM with Mailpro.
What DKIM does NOT do
DKIM proves authenticity but does not encrypt the message body, does not stop spam by itself, and does not validate the visible "From" address — that is DMARC’s job. Always combine DKIM with SPF and DMARC.
Sign every email in minutes
Mailpro generates and rotates DKIM keys for you and provides a 1-click validator. Set it up from the DKIM configuration page and read the full DKIM FAQ.