How to Use DKIM to Prevent Domain Spoofing

March 23, 2020
Written by
SendGrid Team
Opinions expressed by Twilio contributors are their own

How to Use DKIM to Prevent Domain Spoofing

In the 1980s, when email and SMTP (simple mail transfer protocol) were developed, there was no need for verification and validation of messages. For the most part, the only organizations using email at the time were large companies and educational institutions.

Unfortunately, as email grew, bad actors found that they could exploit recipients by sending malicious messages, spoofing domains, and sending spam. For instance, someone could act as though they are sending on behalf of a trusted brand or sender and try to get recipients to respond and provide personal, sensitive information. Other senders used email as a way to send unwanted messages to any address they could get their hands on, a practice that culminated in the CAN-SPAM Act.

Tip: Email spoofing happens when a bad actor creates and sends emails to recipients from a forged email address. Read more about why you should never send email from domains that you aren;t in control in our blog post Don’t Send Email From Domains You Don’t Control

Email authentication practices like SPF, DKIM, and DMARC were developed in order to stop these types of malicious emails from reaching recipient inboxes.

What is DKIM?

DKIM (DomainKeys Identified Mail) is a cryptographic technology created by Cisco and Yahoo that senders can use to “sign” their messages with. DKIM allows the receiver of an email message to check if that message was authorized and sent by the sender responsible for the domain. When messages are not signed with DKIM, inbox providers like Gmail and Microsoft can block messages and prevent them from being delivered to recipients.

How does DKIM work?

DKIM is a relatively simple form of email authentication because its only function is to verify that the sender of an email is responsible for the domain the email is sent from, and they are responsible for the content of the email. The two steps for DKIM are:
  1. A sender adds a private key on their mail servers and signs the message.
  2. The receiving server checks the public key stored in the txt record of to validate the private key added by the sender.

How does DKIM prevent domain spoofing?

As a brand, if you implement DKIM, you’re essentially signing your email and telling inbox providers that the mail coming they’re getting is from your domain and you’re taking responsibility for it. This means that bad actors cannot send mail from addresses like

Why is DKIM important?

DKIM is important because it is one of the ways inbox providers can verify the identity of the sender. Without implementing DKIM correctly, many inbox providers will block your email, preventing your messages from getting to their intended destination. While this may not seem incredibly important, if just a small number of your messages are blocked, it can have large consequences for your business.

How do I implement DKIM in SendGrid?

Once you create a SendGrid account, you’ll be given the option of either implementing manual or automated security. By choosing to implement automated security, SendGridwill manage your SPF and DKIM records for you. By doing this, if you ever make a change to your account that impacts email deliverability (like adding a new IP address), SendGrid will update your DKIM and DNS settings on your behalf.

How can I test DKIM?

There are a variety of DKIM testing tools available for use online. Using something like a DKIM analyzer or DKIM checker will help you determine if you’ve accurately published your DKIM record. In general, it is strongly recommended that any changes you make to your SPF or DKIM records are tested before you implement.

Tip: DKIM can be used on both dedicated IP addresses and shared IP address pools as a way to help improve your email deliverability no matter what kind of SendGrid account you have.


While DKIM does provide senders with a way to sign their messages so that inbox providers know they are responsible for the message content and domain it’s being sent from, there are a few things DKIM doesn’t do:
  • DKIM doesn’t tell inbox providers how to handle the message. Unlike an email authentication technology like DMARC, DKIM doesn’t say what to do if a message fails or passes verification.
  • DKIM doesn’t account for the sender of messages. Even if a message passes DKIM verification, the sender responsible for the message could still be a bad actor sending malicious email.
  • DKIM doesn’t stop messages from being re-sent. If a malicious email is opened and forwarded by a recipient, the message can still be opened and harmful to subsequent recipients.

How is SPF different from DKIM and are both needed?

SPF allows senders to tell ISPs which IPs are able to send on their behalf. DKIM allows ISPs to verify that the content sent is what the original sender intended. For more information about how to get your email delivered correctly, check out our 2019 Email Deliverability Guide.

Neither SPF or DKIM fully secure an email. Each is missing an important piece. SPF is missing message verification and DKIM is missing a way to verify where the message is coming from. Both are needed to be a secure email sender.

What are the top DKIM tips?

  • DKIM needs to be the last thing added to the message before it’s sent. If a signature, blank space, another header – anything – is added after, it will fail.
  • The header, or both the header and the body can be signed. Gmail recommends that you sign both.
  • The Yahoo feedback loop is based on a senders DKIM signature, they use parts of the signature to match a sender with a complaint. If you’re not using DKIM, (or Domain Keys) you can’t use the Yahoo feedback loop.
  • Most SendGrid customers will have our standard DKIM inserted into the header automatically.

Are there any resources out there that I can use to learn more about DKIM?

Of course, check out: and To learn more about implementing DKIM, SPF, or DMARC with your SendGrid account and messages, you can check out SendGrid’s Documentation.

Help inbox providers by authenticating your email

To ensure that customers continue to respond to your messages, you must help ISPs safeguard your brand. By signing all of your domains with DKIM using the d=, you are telling the ISPs to block any domain that is not on the “hit list.” So, be sure to sign all the domains from which you send your promotional and transactional email. (This includes your subdomains, so make sure you take a complete inventory.)

Remember, DKIM answers two key questions—does the email have a valid signature and which domain signed it. It won’t ensure email deliverability, but it will certainly help improve it. Additionally, it will help prevent all of the ancillary fallout that happens when brands are hacked. Taking the time to put preventative measures in place can help protect your reputation and your brand.

To learn more about email authentication and strategies for ensuring email deliverability, download our free SendGrid Email Infrastructure Guide.

Recommended For You

Most Popular

Send With Confidence

Partner with the email service trusted by developers and marketers for time-savings, scalability, and delivery expertise.