DKIM (DomainKeys Identified Mail)

DKIM, or DomainKeys Identified Mail, is an email authentication method that attaches a cryptographic signature to every message a domain sends. The receiving server uses a public key published in the sender DNS to verify two things: that the message genuinely came from the claimed domain, and that it was not tampered with in transit.

Why it matters for outbound

DKIM is the second of the three core authentication standards, working alongside SPF and DMARC. For cold outbound, a valid DKIM signature is a strong trust signal that helps messages reach the inbox rather than the spam folder. Unlike SPF, DKIM survives most forwarding, so it provides more durable proof of authenticity. A missing or broken DKIM record undermines sender reputation and drags down deliverability.

Outword confirms DKIM is signing correctly on every sending domain before a campaign launches.

How it works

• A private key signs each outgoing message, creating a header that travels with it.
• The matching public key is published as a DNS record under a named selector.
• The receiving server fetches the public key and validates the signature.
• A pass confirms the message is authentic and unaltered.

Because DKIM proves the content was not modified, it is what makes DMARC alignment possible. Our deliverability service manages key rotation and selector setup as part of the foundation.