.svg)
Overview
SPF tells receiving servers which IPs are authorized to send email from your domain. DKIM tells them that the email content has not been tampered with in transit and that the message was genuinely authorized by the domain owner. DomainKeys Identified Mail is the cryptographic signature layer of email authentication, and for GTM Engineers running outbound at scale, it is the authentication mechanism that carries the most weight with modern inbox providers.
Where SPF checks the sending server, DKIM checks the message itself. It uses public-key cryptography: your sending server signs each outgoing email with a private key, and the receiving server verifies that signature using a public key published in your DNS. If the signature is valid, the receiving server knows two things: the message came from someone with access to your domain's private key, and the message was not altered after signing. This guide covers how DKIM works under the hood, how to configure it for multi-tool cold email stacks, key rotation best practices, and the alignment issues that trip up most teams.
How DKIM Works Under the Hood
DKIM adds a digital signature to the headers of every outgoing email. Here is the sequence of events when an email is sent from a DKIM-enabled domain:
DKIM-Signature header.DKIM-Signature header, extracts the selector and domain (s=selector; d=yourdomain.com), and queries DNS for the public key at selector._domainkey.yourdomain.com.The DKIM-Signature Header
A typical DKIM-Signature header looks like this:
DKIM-Signature: v=1; a=rsa-sha256; d=acme.com; s=google; c=relaxed/relaxed; q=dns/txt; h=from:to:subject:date:mime-version; bh=abc123...; b=xyz789...
The key fields GTM Engineers need to understand:
d=— The signing domain. This is the domain that claims responsibility for the message and is critical for DMARC alignment.s=— The selector. It identifies which key pair to use, allowing multiple DKIM configurations on the same domain (for example, one for Google Workspace and one for your cold email platform).a=— The algorithm.rsa-sha256is the standard. Avoidrsa-sha1, which is deprecated.c=— Canonicalization.relaxed/relaxedis the most forgiving and recommended setting. It allows minor formatting changes during transit without breaking the signature.h=— The list of headers included in the signature. At minimum, the From header must be signed.
Configuring DKIM for Your Outbound Stack
Every service that sends email on behalf of your domain needs its own DKIM configuration. Unlike SPF, which consolidates all sending sources into a single DNS record, DKIM uses separate selectors for each service. This is actually an advantage: adding a new DKIM selector does not affect existing configurations, and there is no lookup limit to worry about.
Google Workspace DKIM Setup
Google Workspace is the most common email provider for outbound sending domains. Setting up DKIM involves generating a key in the Google Admin Console, publishing the public key as a DNS record, and then enabling signing.
google._domainkey.yourdomain.com) and the public key value. Add this as a TXT record in your DNS provider.Cold Email Platform DKIM
Platforms like Instantly, Smartlead, and Lemlist each have their own DKIM setup process. The pattern is the same: the platform generates a key pair, gives you the public key as a DNS record to add, and signs outgoing email with the private key. Each platform uses its own selector, so you will have multiple _domainkey records on your domain, one per sending service.
| Sending Service | Typical DKIM Selector | Key Size | Notes |
|---|---|---|---|
| Google Workspace | 2048-bit | Generated in Admin Console | |
| Microsoft 365 | selector1, selector2 | 2048-bit | Two selectors for rotation |
| SendGrid | s1, s2 | 2048-bit | CNAME records, not TXT |
| Instantly | Varies | 1024/2048-bit | Platform-specific instructions |
| HubSpot | hubspot-specific | 2048-bit | CNAME-based configuration |
Some services (SendGrid, HubSpot) use CNAME records that point to their own DNS for the DKIM public key instead of having you paste the key value directly as a TXT record. The CNAME approach lets the vendor manage key rotation on their side without requiring you to update DNS. This is generally easier to maintain but gives you less control over the key. For GTM Engineers who want full control, TXT-based DKIM is preferable.
DKIM Key Rotation: Why and How
DKIM private keys should be rotated periodically. If a private key is compromised, an attacker can sign email as your domain until you revoke the key. Key rotation limits the window of exposure. Additionally, rotating keys demonstrates to security-conscious receiving infrastructure that you follow cryptographic best practices.
Rotation Frequency
The industry consensus is to rotate DKIM keys every 6-12 months. Some security-focused organizations rotate quarterly. For most GTM teams, annual rotation is a reasonable balance between security and operational overhead. The critical point is that you rotate at all, since many teams set up DKIM once and never touch it again.
Zero-Downtime Key Rotation
The selector mechanism makes key rotation seamless. Here is the process:
s1, create a new key pair with selector s2.s2._domainkey.yourdomain.com with the new public key. Keep the old s1 record in place.s2 private key instead of s1.s1 DNS record.The overlap period where both keys are active is critical. Without it, emails signed with the old key that have not yet been delivered will fail DKIM verification when the old public key is removed.
Use 2048-bit keys. 1024-bit keys are still technically functional but are considered cryptographically weak and some receiving servers are starting to flag them. 4096-bit keys exist but can cause issues with DNS TXT record size limits. 2048-bit is the sweet spot that balances security with compatibility. If your DNS provider does not support TXT records over 255 characters, you will need to split the key across multiple strings within the same record, which most DNS providers handle automatically.
DKIM Alignment and DMARC
DKIM alignment is where most multi-tool outbound setups break down. DMARC requires that either SPF or DKIM passes and aligns with the From domain. For DKIM, alignment means the d= value in the DKIM signature matches the domain in the From header.
Where Alignment Breaks
The most common alignment failure in outbound email: your cold email platform signs the email with its own domain in the d= field instead of your sending domain. The email might have From: rep@try-acme.com in the header, but the DKIM signature says d=coldemailtool.com. DKIM passes (the signature is valid), but alignment fails (the signing domain does not match the From domain). If SPF also fails alignment, DMARC fails entirely.
This is why configuring custom DKIM signing on your cold email platform is essential, not optional. You need the platform to sign with d=try-acme.com, not d=platformdomain.com. Most reputable cold email platforms support this, but it requires explicit setup. Without custom DKIM, your platform's default signing is useless for DMARC purposes.
Testing DKIM Alignment
Send a test email to a Gmail account and open the raw message headers (Show Original in Gmail). Look for two things:
- DKIM pass — The header should show
dkim=passwith your domain. - Alignment — The
d=domain in the DKIM-Signature header should match the domain in the From header.
If DKIM passes but the d= domain does not match your From domain, you have an alignment problem. The fix is to configure custom DKIM signing in your sending platform so it signs with your domain, or to switch to a platform that supports custom domain signing.
| Scenario | From Domain | DKIM d= Domain | DKIM Result | Alignment |
|---|---|---|---|---|
| Custom DKIM configured | try-acme.com | try-acme.com | Pass | Aligned |
| Default platform signing | try-acme.com | platform.com | Pass | Not aligned |
| Subdomain signing (relaxed) | acme.com | mail.acme.com | Pass | Aligned (relaxed mode) |
| Subdomain signing (strict) | acme.com | mail.acme.com | Pass | Not aligned |
Troubleshooting DKIM Failures
DKIM failures are harder to diagnose than SPF failures because the signature involves cryptographic verification. Here are the most common causes and their fixes.
DNS Record Not Found
The receiving server cannot find the public key at the expected DNS location. Check that the selector and domain in your DKIM-Signature header match the DNS record you published. Typos in the selector name or publishing the record on the wrong domain or subdomain are common culprits. Use dig TXT selector._domainkey.yourdomain.com to verify the record exists and resolves correctly.
Signature Body Hash Mismatch
The body hash in the DKIM signature does not match the body hash the receiving server computes. This typically happens when an intermediary (mailing list, forwarding service, or security gateway) modifies the email body after signing. The c=relaxed/relaxed canonicalization setting helps tolerate minor formatting changes, but substantive content modifications will always break the signature.
Key Too Short
Some receiving servers reject 512-bit DKIM keys outright and are increasingly suspicious of 1024-bit keys. If you are seeing intermittent DKIM failures that correlate with specific receiving domains, check your key length. Upgrading to 2048-bit resolves this.
Expired or Revoked Key
If you rotated keys but still have queued email signed with the old key, those emails will fail DKIM after the old public key is removed from DNS. This reinforces the need for an overlap period during key rotation.
FAQ
Yes. SPF and DKIM serve different purposes and both are required for DMARC to work effectively. SPF verifies the sending server, DKIM verifies the message integrity and domain ownership. DMARC needs at least one to pass and align, but having both pass significantly improves your deliverability because it gives inbox providers two independent trust signals.
Technically yes, but it is strongly discouraged. Sharing a private key across platforms increases the risk of key compromise and makes it impossible to rotate keys for one service without affecting others. Use separate selectors and key pairs for each sending service. The selector mechanism exists precisely for this purpose.
Check the platform's domain verification or authentication settings. If it provides you with a DKIM DNS record to add to your domain with your domain in the d= value, it supports custom DKIM. If it only signs with its own domain, you have an alignment problem. Most established platforms (Instantly, Smartlead, Lemlist, Apollo) support custom DKIM. Verify before committing to a platform.
Yes. Inbox providers evaluate DKIM independently as a trust signal, regardless of whether you have DMARC configured. A valid DKIM signature tells the receiving server that the message is authentic and unmodified. However, without DMARC, the receiving server has no policy instruction for what to do when DKIM fails. Configuring all three (SPF, DKIM, DMARC) gives you the full benefit of email authentication.
What Changes at Scale
DKIM configuration for one domain and one sending platform is a one-time task that takes an hour. At scale, with 10-15 sending domains, each configured with 2-3 sending services, you are managing 30-45 DKIM key pairs. Key rotation schedules need tracking across all of them. Alignment verification needs to happen every time you onboard a new tool or change a sending configuration. And when a DKIM failure occurs, you need to quickly identify which domain, selector, and platform combination is broken.
The operational reality is that most teams stop monitoring DKIM after initial setup. They do not notice failures until deliverability has already degraded, and then they spend days diagnosing which of their many DKIM configurations broke. What they need is continuous authentication monitoring across every domain and sending service in the stack, with alerts that surface before reputation damage accumulates.
Octave helps teams manage DKIM complexity at scale by coordinating outbound sending across authenticated domains through its Sequence Agent. Playbooks automatically route sequences through properly configured sending infrastructure, and the platform's Runtime Context tracks which domains and mailboxes are healthy for sending. For teams managing dozens of DKIM configurations across multiple sending platforms, Octave ensures that outbound playbooks only execute through domains with valid authentication, reducing the risk of deliverability degradation from misconfigured keys.
Conclusion
DKIM is the cryptographic backbone of email authentication. It provides the message-level integrity verification that SPF cannot: proof that the email was authorized by the domain owner and was not tampered with in transit. For GTM Engineers building reliable outbound infrastructure, DKIM configuration is non-negotiable on every sending domain and through every sending platform in the stack.
The key implementation details: use 2048-bit keys, configure custom DKIM signing on every sending platform so the d= domain aligns with your From header, and rotate keys at least annually. Test alignment by inspecting email headers on test sends. And build DKIM monitoring into your ongoing maintenance workflows so you catch failures before they compound into deliverability crises. DKIM is invisible when it works correctly, which is exactly why it is so dangerous when it breaks without anyone noticing.