What Is DKIM?

Domain Keys Identified Mail (DKIM), to quote dkim.org, is an email authentication protocol that "allows an organization to claim responsibility for transmitting a message in a way that can be validated by the recipient." 

This is done through a process called "DKIM signing." DKIM signing is done by inserting two cryptographic keys in a message, along with the domain that is doing so, known as the "signing domain." If the recipient can validate the keys when it receives the message, it can be sure that the message was not altered in transit after DKIM signing. If the message wasn't altered in transit, then the recipient can trust this message with any other known traffic from that domain.

DKIM and another email authentication protocol named Sender Policy Framework (SPF) are both used in evaluating DMARC. In order for a message to pass DMARC, it must pass either DKIM or SPF validation checks. The domain associated must also align with the domain for which the DMARC policy was published. This domain is specifically the domain in the visible "From:" header.

Valimail recommends setting up DKIM signing for outgoing mail and using your domain as the signing domain. Here's why...

"Belt and Suspenders" Engineering for DMARC

A DMARC pass requires either an SPF pass or a DKIM pass on a message, along with proper alignment of associated domains. Since Valimail customers publish SPF records, so long as they send from allowed space or their domain, they should be able to get an SPF pass and therefore a corresponding DMARC pass. 

However, SPF is prone to failure in some situations. To guard against SPF failures causing DMARC to fail, we recommend that our customers ensure their mail is DKIM signed with their domain. By ensuring both protocols are in play, you're further ensuring DMARC's effectiveness (i.e - your belt and suspenders for email authentication). 

Reputation: Domain-Based vs. IP-Based

Any sender that generates a significant volume of mail will establish a reputation with larger mailbox providers that regularly receive mail from that sender. This reputation will affect whether or not its mail is accepted and how it's treated by each provider.

Reputation is typically assigned to both the IP addresses sending mail and to the domains associated with various elements in the message. An IP's reputation will be based on the totality of the mail it sends, while a domain's reputation will be based on the mail for which it's responsible and/or in which it appears. 

There are occasions when an IP address is dedicated to a single stream of mail that always contains the same domain(s). We can expect an IP's reputation and a domain's reputation to diverge over time, so DKIM-signing messages that follow best sending practices can ensure reputations are guarded against unwanted mail being sent from that IP that could affect sender reputation. 

Reputation Portability

There are times when a domain owner will want to add more capacity for sending mail or move to another network. One of the biggest challenges in doing so is that the IP addresses that will now be carrying the domain's mail are likely to be "cold." This means they'll have no currently established reputation at mailbox providers. Warming up IP addresses can be a time-consuming process and one that limits the amount of mail that a domain can send. This has potential to negatively impact the domain owner when wanted mail can't be sent in a timely fashion.

DKIM signing mail on established streams is a hedge against this issue, should the domain ever need to expand or change networks. Assuming it follows good sending practices, DKIM signing can allow a domain to accrue a good reputation it can carry to a new IP space, possibly shortening the time it takes to warm up new IPs.


DKIM signing is an industry best practice, with huge benefits to Valimail customers. It offers protection against DMARC failures, helps establish a reputation for a domain, helps any migrations to a new IP space, and is best practice for email authentication. DKIM signing offers advantages to you that SPF alone doesn't. 

For more information, contact your email service provider.