DKIM verifies that an email’s content hasn’t been tampered with before it reaches the recipient. It does so by generating a code, called a hash, that represents various elements in an email, like its content and FROM field. That hash is then encrypted using a private key, and is added to the email’s header at send time by the outbound mail server.
When an inbound mail server receives the email, it checks the email’s header to see if DKIM is present. If so, it generates its own hash of the matching email elements (content, FROM field, etc). The server then looks up the domain supplied in the DKIM signature, and queries that domain’s DNS for the public key needed to decrypt the hash. If the decrypted hash from the email header matches the server’s hash of the appropriate fields in the received email, then the email passes DKIM.
MXace hashes fields in the header and body of emails, which not only helps to confirm that an email is from who it says it’s from, but that the content has not been altered since it was sent.
Learn how to set up DKIM for your own domain
How email clients treat emails without DKIM
If you haven’t authenticated your sending domain with DKIM, some email clients will flag your emails as coming from a different server. This can potentially cause them to be blocked, or lead subscribers to believe they’re receiving spam.
For example, in Outlook 2016, your email will display in the recipient’s inbox as being “sent by” someone else. In the image below, while the FROM address shows correctly as
[email protected], the email is flagged as coming from a mail server (
In this case, the email has also been sent to the junk folder, although the lack of DKIM authentication isn’t necessarily the cause. There are many reasons other than authentication as to why an email could end up in the spam or junk folder, and conversely, unauthenticated email can still make it to the inbox.
After DKIM authentication is added to the sending domain, only the FROM address is shown in Outlook 2016, as shown in the image below.
Gmail operates in a similar way, except it uses the word “via” to indicate an email isn’t DKIM authenticated, as shown in the image below.
With DKIM authentication added, “via” and the sending server are no longer shown in Gmail, as shown in the image below.