DNS & email authentication

DKIM (DomainKeys Identified Mail)

What DKIM signing does, why it lets recipients verify your email wasn't tampered with, and how WebGuard reviews your published key.

Last updated June 9, 2026

What it is

DKIM attaches a cryptographic signature to the messages your domain sends, and publishes the matching public key in DNS. Receiving servers use that key to confirm the message genuinely came from your domain and was not altered in transit.

Why it matters

DKIM proves authenticity and integrity in a way that survives forwarding, which SPF alone does not. Together with SPF, it is what allows a DMARC policy to pass and protect your domain from being impersonated. A missing or broken DKIM key undermines the whole chain and hurts deliverability of your legitimate mail.

How WebGuard checks it

DKIM keys live at a provider-specific selector, and selectors cannot be listed from DNS, so WebGuard probes the selectors used by the common mail providers (Google Workspace, Microsoft 365, and major sending platforms) with read-only DNS lookups. If none are found it flags this as a low-severity item and notes that a custom selector may not be visible to an external check. It inspects DNS only, and no email is read, sent, or signed.

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.