DKIM Explained 2025: Keys, Selectors, Rotation & How to Prevent Forgery
- Mithun GS
- Jun 1
What is DKIM?
DKIM is an email authentication mechanism that signs your outgoing emails with a digital signature. This signature proves:
The email really came from your domain.
No one changed the message on the way.
Think of it like a digital stamp that confirms authenticity.
How DKIM Works (Super Simple)
Your server creates two keys:
Private key: secret, used to sign emails
Public key: published in DNS so receivers can verify the signature
When you send an email, your server adds a header like: DKIM-Signature: ...
The receiving server looks up your public key in DNS and checks the signature against it. If the signature matches → DKIM = PASS
If not → Fail → the message is more likely to go to spam.
What is a DKIM Selector?
A selector is just a name that points to the key in DNS. Example selectors:
s2025
m1
key1
It allows you to have multiple DKIM keys at the same time.
The DNS record lives at a name like: s2025._domainkey.yourdomain.com
Which Keys to Use in 2025?
Best: Ed25519 (fast + secure)
Good: RSA 2048
Avoid: RSA 1024 (too weak)
DKIM Key Rotation (Simplified)
Rotation means replacing your DKIM key pair on a schedule, so that a key that has leaked or been cracked stops being useful.
How to rotate:
Create a new selector + new key.
Add the new public key to DNS.
Update your mail server to use the new key.
Wait 7–14 days, so that emails already signed with the old key and still in transit can be verified.
Remove the old key from DNS.
Why rotate? If someone steals your old private key, they can forge emails from your domain for as long as its public key stays in DNS.
How DKIM Prevents Forgery
DKIM stops attackers from:
Sending emails pretending to be you.
Modifying emails in transit.
Combined with SPF + DMARC, your domain becomes very hard to spoof.
Common DKIM Problems
Wrong DNS format → signature fails
Using small keys → insecure
Selector in DNS not matching the one your mail server signs with
Third-party sending services still signing with old keys
Quick Checklist
✔ Use Ed25519 or RSA 2048
✔ Set a clear selector (ex: s2025)
✔ Rotate keys every 6–12 months
✔ Pair with DMARC reject
✔ Test using Gmail → “Show Original”