
DKIM

DomainKeys Identified Mail

/dee-kim/

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was sent by the domain it claims to be from.

How DKIM Works

DKIM works by adding a digital signature to the headers of your outgoing emails. When you send an email:

  1. Signing: Your mail server creates a unique signature using a private key
  2. Header Addition: This signature is added to the email's headers
  3. DNS Lookup: The receiving server looks up your public key via DNS
  4. Verification: The receiver verifies that the signature matches the email content

Why DKIM Matters

Improved Deliverability

Emails with valid DKIM signatures are more likely to land in the inbox rather than spam folders.

Brand Protection

DKIM helps prevent email spoofing, protecting your domain from being used in phishing attacks.

Required for DMARC

DKIM is one of the two authentication methods (along with SPF) required for DMARC compliance.

Setting Up DKIM with Transactional

When you add a domain to Transactional, we automatically generate DKIM keys for you:

// DKIM is handled automatically when you verify your domain
const { data } = await client.domains.verify({
  domain: 'example.com',
});
 
// The response includes your DKIM DNS records
console.log(data.dkimRecords);

Common Issues

DKIM Signature Failed

This usually happens when:

  • The DNS record hasn't propagated yet (wait 24-48 hours)
  • The email content was modified in transit
  • The public key in DNS doesn't match the signing key

Key Rotation

It's good practice to rotate DKIM keys periodically. Transactional handles this automatically.

EXAMPLES

See It in Action

DKIM DNS Record Example

A typical DKIM TXT record in your DNS configuration:

default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
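
An added example (not part of Transactional's SDK or documentation): a Node.js check that parses a DKIM TXT record like the one above and compares its p= value with the key the mail server signs with, which is the "public key in DNS doesn't match the signing key" cause listed under Common Issues. The function names and the throwaway keys generated in demo() are assumptions made for this illustration.

```javascript
const { createPublicKey, generateKeyPairSync } = require('node:crypto');

// Split a DKIM key record ("tag=value; tag=value") into an object.
function parseDkimRecord(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) tags[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return tags;
}

// Compare a published record with the private key used for signing.
// Returns a list of problems; an empty list means DNS and signer agree.
function checkDkimRecord(txt, privateKeyPem) {
  const tags = parseDkimRecord(txt);
  if (tags.v !== undefined && tags.v !== 'DKIM1') return ['v= is not DKIM1'];
  if ((tags.k || 'rsa') !== 'rsa') return [`k=${tags.k} is not handled by this check`];
  if (tags.p === undefined) return ['missing p= tag'];
  if (tags.p === '') return ['p= is empty, which marks the key as revoked'];
  let published;
  try {
    // p= is base64 DER (SubjectPublicKeyInfo); long keys may contain whitespace.
    const der = Buffer.from(tags.p.replace(/\s+/g, ''), 'base64');
    published = createPublicKey({ key: der, format: 'der', type: 'spki' });
  } catch {
    return ['p= does not decode to a public key (truncated or mangled record?)'];
  }
  const problems = [];
  const bits = published.asymmetricKeyDetails.modulusLength;
  if (bits < 1024) problems.push(`RSA key is ${bits} bits; RFC 8301 verifiers reject keys under 1024`);
  const spki = (key) => key.export({ format: 'der', type: 'spki' });
  if (!spki(createPublicKey(privateKeyPem)).equals(spki(published))) {
    problems.push('public key in DNS does not match the signing key');
  }
  return problems;
}

// Constructed sample data: two throwaway key pairs generated on the spot.
function demo() {
  const opts = { modulusLength: 2048, privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
                 publicKeyEncoding: { type: 'spki', format: 'der' } };
  const current = generateKeyPairSync('rsa', opts);
  const stale = generateKeyPairSync('rsa', opts); // e.g. a key left in DNS after rotation
  const record = (pub) => `v=DKIM1; k=rsa; p=${pub.toString('base64')}`;
  return {
    match: checkDkimRecord(record(current.publicKey), current.privateKey),
    mismatch: checkDkimRecord(record(stale.publicKey), current.privateKey),
  };
}
```

Run against the record shown above, the check reports that p= does not decode, because the key on this page is truncated with "...".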
