When you send an email, it passes through several servers before it reaches the recipient. Most of the time that journey is uneventful. But in the wrong circumstances, someone with access to a server on the route could alter the message (changing a bank account number, a contract clause, or a download link) before it arrives. DKIM is one of the main defences against this: it does not stop the alteration, but it lets the receiving server detect it. Without DKIM, your emails carry no proof of integrity that a receiving server can check.

What Is DKIM and How Does It Work?

DKIM stands for DomainKeys Identified Mail (RFC 6376). Your outgoing mail server adds a DKIM-Signature header to each message: a digital signature, created with a private key held by that server, over a hash of the message body and a chosen set of headers (typically From, To, Subject and Date).

When the recipient's mail server receives the message, it reads the signing domain (the d= tag) and selector (the s= tag) from the signature, fetches the matching public key from a TXT record at selector._domainkey.domain in your DNS, and uses it to verify the signature. If the signature verifies, the signed headers and body were not changed after signing, and the message was signed by a server holding your domain's private key. If it does not, either the message was altered in transit or it was not signed by your mail server at all.

Think of it like a wax seal on a letter. Anyone can see that the seal is intact on arrival; if it had been broken and resealed, you would know something was wrong. The analogy also marks the limit: a seal proves the letter is untouched, not that nobody read it. DKIM proves integrity and origin, it does not encrypt the message.

What Happens to Your Domain Without DKIM?

Man-in-the-middle alteration. Without DKIM, an attacker who controls or has compromised a server on the path between you and your recipient could modify the content (changing a bank account number, a delivery address, or a contract figure) and neither the recipient nor their mail server would have any way of telling the email had been altered.

Easier spoofing. Anyone can put your domain in the From address of an email. If your domain signs nothing, receiving systems have no signature with which to tell your genuine mail from a forgery, and a DMARC policy cannot be enforced on the strength of DKIM. Receivers that weigh authentication results in their filtering treat unauthenticated mail less favourably, and over time your domain can develop a poor sending reputation.

DMARC will not work properly. DMARC, the policy that tells receivers what to do when authentication fails, passes only when SPF or DKIM passes and the passing identifier aligns with the domain in the visible From address; for DKIM that identifier is the d= domain in the signature. DKIM gives you a second, independent authentication path and is generally considered more robust than SPF alone, because it is tied to the message itself rather than to the IP address that delivered it.

Why DKIM Survives Email Forwarding (and SPF Does Not)

Here is a subtlety that catches many businesses out: SPF often breaks when emails are forwarded.

When someone forwards your email, the message is re-sent from a server that is not listed in your SPF record, so SPF fails and DMARC can fail with it. DKIM, by contrast, travels inside the message: the DKIM-Signature header and the content it covers are forwarded along with everything else, so as long as the forwarder leaves the signed headers and the body alone, the signature still verifies. The common exception is mailing-list software that rewrites the Subject line or appends a footer; that changes signed content and breaks the signature (the ARC protocol, RFC 8617, exists to address exactly this case).

For businesses whose contacts forward emails between colleagues, as most do, DKIM is essential for keeping authentication intact throughout a message's journey. It is the more resilient of the two mechanisms.
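To make the mechanism concrete, here is an added example that is not code from W3IT or from any mail provider. It implements the body-hash part of DKIM verification: it canonicalizes a message body the way RFC 6376 specifies, recomputes the bh= value recorded in the DKIM-Signature header, and derives the DNS name from which a verifier fetches the public key. It then runs a constructed invoice message through four of the situations discussed above and in the forwarding section: as sent, with the account number altered in transit, forwarded unchanged with an extra Received header, and forwarded by software that appends a footer. The domain, selector, addresses and message text are all made up, and the public-key check of the b= tag over the headers is left out because it needs a cryptography library.

```python
import base64
import hashlib
import re
from typing import Optional

# Added example for this article, not W3IT's tool or any mail provider's code.
# It implements the body-hash (bh=) and body-canonicalization part of DKIM
# verification (RFC 6376) and derives the DNS name a verifier queries. The
# public-key check of the b= tag over the signed headers needs a crypto
# library and is deliberately left out. All messages below are constructed.

_WSP = re.compile(rb"[ \t]+")


def canonicalize_body(body: bytes, canon: str = "relaxed") -> bytes:
    """RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")  # normalize to CRLF
    lines = body.split(b"\r\n")
    if canon == "relaxed":
        # Collapse runs of SP/TAB to one space and drop trailing whitespace.
        lines = [_WSP.sub(b" ", line).rstrip(b" ") for line in lines]
    elif canon != "simple":
        raise ValueError(f"unknown body canonicalization {canon!r}")
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    if not lines:  # empty body: nothing in relaxed, a single CRLF in simple
        return b"" if canon == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, canon: str = "relaxed", algo: str = "sha256",
              length: Optional[int] = None) -> str:
    """Base64 digest of the canonicalized body: the value that goes in bh=."""
    canonical = canonicalize_body(body, canon)
    if length is not None:  # l= tag: only the first `length` bytes are covered
        canonical = canonical[:length]
    return base64.b64encode(hashlib.new(algo, canonical).digest()).decode("ascii")


def parse_dkim_signature(value: str) -> dict:
    """Parse a DKIM-Signature tag=value list; folding whitespace is discarded."""
    tags = {}
    for item in value.split(";"):
        name, _, tag_value = item.partition("=")
        if name.strip():
            tags[name.strip()] = re.sub(r"\s+", "", tag_value)
    return tags


def split_message(raw: bytes) -> tuple:
    """Split a message into unfolded headers (lower-cased names) and raw body.
    Keeps only the last header of each name, which is enough here; a real
    verifier must cope with several DKIM-Signature headers on one message."""
    raw = raw.replace(b"\r\n", b"\n")
    head, _, body = raw.partition(b"\n\n")
    headers, current = {}, None
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t") and current:  # continuation line: unfold
            headers[current] += b" " + line.strip()
        else:
            name, _, value = line.partition(b":")
            current = name.strip().lower().decode("ascii")
            headers[current] = value.strip()
    return headers, body


def dkim_dns_name(sig: dict) -> str:
    """Where the verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def verify_body_hash(raw: bytes) -> tuple:
    """Recompute bh= for a message; return (matches, bh_in_header, bh_computed)."""
    headers, body = split_message(raw)
    if "dkim-signature" not in headers:
        raise ValueError("message carries no DKIM-Signature header")
    sig = parse_dkim_signature(headers["dkim-signature"].decode("ascii"))
    body_canon = (sig.get("c", "simple/simple").split("/") + ["simple"])[1]
    algo = sig.get("a", "rsa-sha256").split("-")[-1]  # rsa-sha256 -> sha256
    length = int(sig["l"]) if "l" in sig else None
    computed = body_hash(body, body_canon, algo, length)
    return computed == sig["bh"], sig["bh"], computed


def build_signed_message(headers: bytes, body: bytes, domain: str, selector: str) -> bytes:
    """Constructed sample: a message whose DKIM-Signature carries the right bh=.
    b= is left empty; filling it means signing the h= headers with the
    selector's private key, which this example does not do."""
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector};\r\n"
           f"\th=from:to:subject:date; bh={body_hash(body, 'relaxed')};\r\n\tb=")
    return headers + b"DKIM-Signature: " + sig.encode("ascii") + b"\r\n\r\n" + body


SAMPLE_HEADERS = (b"From: accounts@example.com\r\nTo: client@example.org\r\n"
                  b"Subject: Invoice 1042\r\nDate: Mon, 3 Jun 2024 09:00:00 +0000\r\n")
SAMPLE_BODY = b"Please pay invoice 1042 to account 12345678, sort code 12-34-56.\r\n"
SAMPLE_MESSAGE = build_signed_message(SAMPLE_HEADERS, SAMPLE_BODY, "example.com", "selector1")

if __name__ == "__main__":
    print("key record to fetch:", dkim_dns_name(parse_dkim_signature(
        split_message(SAMPLE_MESSAGE)[0]["dkim-signature"].decode("ascii"))))
    print("as sent:", verify_body_hash(SAMPLE_MESSAGE)[0])
    print("account number changed in transit:",
          verify_body_hash(SAMPLE_MESSAGE.replace(b"account 12345678", b"account 87654321"))[0])
    print("plain forward (Received header added):",
          verify_body_hash(b"Received: from mx.forwarder.example\r\n" + SAMPLE_MESSAGE)[0])
    print("forward that appends a footer:",
          verify_body_hash(SAMPLE_MESSAGE + b"-- \r\nForwarded via list.example\r\n")[0])
```

Run with python3 and the four checks print True, False, True, False: the plain forward keeps the body intact, the footer does not. The optional l= tag is handled because it shows why it is discouraged: a signature that covers only the first l bytes of the body still verifies after text is appended below them.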

Real-World Context

In 2022, security researchers demonstrated that many major email providers were susceptible to email header injection attacks that could be used to craft convincing spoofed emails, particularly targeting domains without DKIM in place.

The UK’s NCSC advises all businesses to implement DKIM as part of a baseline email security configuration, alongside SPF and DMARC. According to the Cyber Security Breaches Survey 2024, 84% of UK businesses that identified a cyber attack said it involved phishing. DKIM is one of several layers that make phishing harder to execute convincingly.

What to Do Next

Setting up DKIM involves three straightforward steps:

  • Generate a DKIM key pair. Your email provider (Microsoft 365, Google Workspace) does this for you; both have a DKIM page in their admin consoles.
  • Publish the public key in your DNS. Your provider gives you the records to add at your DNS host or registrar. Google Workspace supplies a TXT record at a name like google._domainkey.yourcompany.co.uk containing the key itself; Microsoft 365 supplies two CNAME records, selector1._domainkey.yourcompany.co.uk and selector2._domainkey.yourcompany.co.uk, pointing at key records that Microsoft hosts. Then turn signing on in the admin console; the provider checks that the records resolve before it starts signing.
  • Confirm it is working. Send a message to a mailbox you control at another provider and view its raw headers: it should carry a DKIM-Signature header with your domain in d=, and the receiving server's Authentication-Results header should report dkim=pass.

A few additional points to check:

  • Key rotation. Microsoft 365 publishes two selectors and rotates between them automatically; on other platforms you rotate by generating a new key, publishing it under a new selector, and switching signing over. Do not remove the old selector's DNS record until mail signed with it has finished being delivered (a few days is ample), or messages still in transit will fail verification. Publishing the old selector with an empty p= tag revokes that key explicitly.
  • Third-party and legacy senders. Marketing platforms, ticketing systems, invoicing tools and older on-premises servers that send email as your domain each need their own DKIM signing, normally via a CNAME or TXT record the service gives you, with d= set to your domain so the signature aligns for DMARC. Anything that cannot sign should be migrated to relay through your authenticated platform.
  • Regular verification. Records get lost during DNS migrations, provider CNAME targets can stop resolving after a key is retired, and a key can be shorter than current guidance (RFC 8301 recommends RSA keys of at least 2048 bits). Check the published records periodically and watch the dkim= results in your DMARC aggregate reports, which show you when signing breaks before your customers do.
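As an added example (again, not W3IT's checker or any provider's tool), the following script lints the text of a DKIM key record as `dig +short TXT selector1._domainkey.yourcompany.co.uk` would print it. It joins the quoted strings a long TXT record is split into, checks the v=, k=, p= and t= tags, decodes the key and reads the RSA modulus length out of the DER structure, flagging a revoked key (empty p=), a key below 2048 bits, and the t=y testing flag that makes receivers treat the mail as unsigned. The records it runs against are constructed inside the script with synthetic key material that is only shaped like an RSA key; point lint_dkim_record at real dig output to check your own domain.

```python
import base64
import binascii
import re

# Added example for this article, not W3IT's checker or any provider's tool.
# Lints a DKIM key TXT record (RFC 6376 section 3.6.1) with the standard
# library only. The sample records are constructed here; their key material
# is synthetic and only shaped like an RSA key so that its length can be read.

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value: int) -> bytes:
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:  # DER INTEGERs are signed; a leading zero keeps it positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def rsa_spki_der(n: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: the DER that p= carries in base64."""
    algorithm = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    public_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + public_key))


def _der_read(buf: bytes, pos: int = 0) -> tuple:
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SPKI -> AlgorithmIdentifier/BIT STRING -> RSAPublicKey -> modulus."""
    tag, body, _ = _der_read(spki)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, algorithm, pos = _der_read(body)
    _, oid, _ = _der_read(algorithm)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstring, _ = _der_read(body, pos)
    if tag != 0x03:
        raise ValueError("missing subjectPublicKey BIT STRING")
    _, rsa_key, _ = _der_read(bitstring[1:])  # skip the unused-bits octet
    _, modulus, _ = _der_read(rsa_key)
    return int.from_bytes(modulus, "big").bit_length()


def parse_txt_record(presentation: str) -> dict:
    """Parse DKIM tag=value pairs from a TXT record. Records over 255 bytes are
    published as several quoted strings, which dig prints side by side; they
    must be concatenated before the tags are read."""
    pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', presentation)
    text = "".join(pieces) if pieces else presentation
    tags = {}
    for item in text.split(";"):
        name, _, value = item.partition("=")
        if name.strip():
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def lint_dkim_record(presentation: str, min_rsa_bits: int = 2048) -> list:
    """Return a list of findings; an empty list means the record looks sound."""
    tags = parse_txt_record(presentation)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(f"unexpected version tag v={tags['v']}")
    if "p" not in tags:
        return findings + ["no p= tag: this is not a DKIM key record"]
    if tags["p"] == "":
        return findings + ["empty p=: the key is revoked, signatures with this selector fail"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return findings + ["p= is not valid base64"]
    key_type = tags.get("k", "rsa")
    if key_type == "rsa":
        try:
            bits = rsa_modulus_bits(key)
        except (ValueError, IndexError):
            return findings + ["p= does not decode to an RSA SubjectPublicKeyInfo"]
        if bits < min_rsa_bits:
            findings.append(f"RSA modulus is {bits} bits; RFC 8301 recommends at least {min_rsa_bits}")
    elif key_type == "ed25519":
        if len(key) != 32:
            findings.append("ed25519 key must be exactly 32 bytes (RFC 8463)")
    else:
        findings.append(f"unknown key type k={key_type}")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set: verifiers treat the mail as unsigned")
    return findings


def _constructed_record(bits: int) -> str:
    """Constructed dig-style output for a record holding a synthetic RSA modulus."""
    p = base64.b64encode(rsa_spki_der((1 << (bits - 1)) | 1)).decode("ascii")
    return f'"v=DKIM1; k=rsa; p={p[:200]}" "{p[200:]}"'


GOOD_RECORD = _constructed_record(2048)
WEAK_RECORD = _constructed_record(1024)
REVOKED_RECORD = '"v=DKIM1; k=rsa; p="'

if __name__ == "__main__":
    for name, record in [("2048-bit", GOOD_RECORD), ("1024-bit", WEAK_RECORD), ("revoked", REVOKED_RECORD)]:
        print(f"{name}: {lint_dkim_record(record) or ['ok']}")
```

The DER walker is deliberately minimal: it reads only the path to the modulus and raises on anything that is not an RSA SubjectPublicKeyInfo, which the linter reports as a malformed p= rather than crashing on a record someone pasted in by hand.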

DKIM is a foundational email security control. Like SPF and DMARC, it is free to implement and available to any business that owns a domain. The three work best together.


Not sure whether DKIM is correctly set up for your domain? W3IT’s free security check will check your DKIM configuration instantly, alongside SPF, DMARC, and a range of other security controls. No account needed — just enter your domain.