What is DomainKeys Identified Mail (DKIM)?

  • Updated

DKIM (DomainKeys Identified Mail) attaches a tamper-evident digital signature to every email you send. Recipient servers check the signature against a public key in your DNS. If it matches, the message is genuinely from you and hasn't been altered in transit.

Who does this: Marketing owns the outcome. IT (or your DNS provider) publishes the CNAME record
Time needed: 2 minutes to read; publish takes an IT ticket plus up to 24 hours for DNS to propagate
Why this matters: DKIM is the other half of "this email is legitimate." While SPF checks the sending server, DKIM checks the message itself. Without it in place, recipient mailboxes are much more likely to drop your campaigns into spam.
In plain English: DKIM is a wax seal on the envelope. If it's missing, or the seal is broken, the recipient treats the letter as suspicious.

DKIM infographic

Where SPF uses a DNS TXT record to publish the list of servers allowed to send for you, DKIM adds a cryptographic signature to the header of each outgoing message. The recipient server reads the signature, looks up the public key in your DNS, and checks the match. DKIM is effectively a check of "I am who I say I am" for each individual message.

Like SPF, DKIM alone doesn't guarantee inbox placement. But without it, most mailbox providers assume Act-On isn't authorised to send for your domain, and messages get filtered to spam or rejected.

Where DKIM gets configured in Act-On

DKIM is part of Email From Setup. You publish a CNAME record in DNS that points to Act-On's signing infrastructure. For step-by-step instructions across the common DNS providers (Cloudflare, GoDaddy, Bluehost, HostGator, Network Solutions), see Editing Your DNS to Implement DKIM.

Was this article helpful?

Have more questions? Submit a request