Description
This article gives an overview of DKIM (DomainKeys Identified Mail) and answers frequently asked questions from administrators using Email DLP.
Notes
- The content of this article is based on the product specifications as of June 2026 and is subject to change without notice.
What is DKIM and why should it be configured?
DKIM is a type of domain authentication used to detect email tampering.
By registering a DKIM record in DNS and enabling DKIM signing on the sender's mail server, a digital signature for DKIM authentication is added to the email headers when sending emails.
The recipient's mail server verifies this digital signature to confirm that the email has not been tampered with.
With DKIM authentication, the recipient's mail server queries the DNS that manages the sender address domain to check whether the DKIM signature is valid and whether there is any possibility of spoofing.
In this step, the DKIM signature and the DKIM record published in DNS are used together to confirm that the email has not been tampered with.
By using DKIM in this way, you can prevent email spoofing and improve email security.
In recent years, major email service providers such as Google have strongly recommended that emails pass DKIM authentication from a security perspective.
If DKIM authentication does not pass, emails may be rejected by the recipient's mail server and may not be delivered correctly, or may be marked as spam.
Frequently Asked Questions about DKIM
What is a DKIM selector?
A DKIM selector indicates to the mail server performing authentication where the public key required for authentication is stored. It is used in conjunction with the DKIM record.
If DKIM settings are enabled in Google Workspace / Microsoft 365, is configuration also required in Email DLP?
Yes, it is required.
DKIM signing is recommended on every outgoing mail server.
Generally, each outgoing mail server records the SPF, DKIM, and DMARC results from the time it received the email in a section called the ARC (Authenticated Received Chain) header.
Depending on the receiving mail server, this ARC header history may be checked and used to determine whether to allow or reject the email.
Therefore, by configuring DKIM settings on each outgoing mail server and ensuring that the history of successful DKIM authentication is recorded in the ARC header, you can increase the likelihood that emails will be received successfully.
*For Email DLP, ARC is supported as described in the following article.
Release Information: [Email DLP] August 2023 (Support for ARC)
If DKIM signing is not configured in Email DLP, and an email with a DKIM signature from Google Workspace / Microsoft 365 that includes an attachment is automatically ZIP encrypted or converted to a URL using Secure Download in Email DLP, the receiving mail server may consider the email to have been tampered with during DKIM authentication.
Will configuring a DKIM record affect all outgoing emails?
Configuring DKIM will not suddenly stop or negatively impact existing email delivery.
The impact of DKIM settings is limited to receiving environments that have implemented DKIM verification. In general spam checks, various factors such as SPF, content, and reputation are comprehensively evaluated. Therefore, please note that DKIM settings alone do not determine the overall evaluation.
Is DKIM configuration mandatory?
DKIM authentication is not strictly enforced as an internet rule, but sender guidelines for email services such as Google and Yahoo! have announced requirements for both SPF and DKIM signatures, so it is considered mandatory in practice. Please make sure to configure it when implementing Email DLP.
Is it possible to configure DKIM records for both Microsoft 365 / Google Workspace and Email DLP?
Yes, it is possible.
By using different DKIM selectors, you can configure multiple public keys in TXT records.
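The selector lookup and the tampering check described above, as an added example that is not part of the original article or of Email DLP itself: each DKIM-Signature header names its own selector (s=) and domain (d=), so two signers can coexist, and a body rewritten after signing no longer matches the earlier signature's bh= hash. The selectors relay1 and selector1, the domain example.com and the message bodies are constructed assumptions; only the body-hash step is shown, not verification of the b= signature against the public key in DNS.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def canon_body(body, mode):
    """Body canonicalization per RFC 6376 section 3.4 ('simple' or 'relaxed')."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of whitespace, drop trailing whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, tags):
    """Compute the value a verifier compares against the bh= tag."""
    mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    data = canon_body(body, mode)
    if "l" in tags:  # optional body length limit, counted after canonicalization
        data = data[: int(tags["l"])]
    algo = tags.get("a", "rsa-sha256").split("-")[1]  # sha256 or sha1
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def check(headers, body):
    """Per signature: the DNS name holding its public key, and whether bh= matches."""
    sigs = [parse_tags(v) for n, v in headers if n.lower() == "dkim-signature"]
    return [(f'{t["s"]}._domainkey.{t["d"]}', body_hash(body, t) == t["bh"]) for t in sigs]

def make_sig(selector, domain, body):
    """Constructed header for the demo: bh= is computed, b= is a placeholder."""
    bh = body_hash(body, {"c": "relaxed/relaxed", "a": "rsa-sha256"})
    return ("DKIM-Signature", f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; "
            f"s={selector}; h=from:to:subject; bh={bh}; b=PLACEHOLDER")

def demo():
    original = b"Report attached.\r\n[attachment: report.pdf]\r\n"    # as signed upstream
    rewritten = b"Report attached.\r\n[download URL placeholder]\r\n"  # after the relay
    headers = [make_sig("relay1", "example.com", rewritten),    # relay's own signature
               make_sig("selector1", "example.com", original)]  # upstream signature
    return check(headers, rewritten)

if __name__ == "__main__":
    print(demo())
```

Each tuple pairs the TXT record name a verifier would query with the body-hash result: the relay's signature matches the delivered body, while the upstream signature made before the rewrite does not.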
If using multiple domains, is it necessary to register DKIM public keys for all domains?
If you want to enable DKIM for multiple domains, including subdomains (e.g., sub.example.com), you need to add the DKIM TXT record in the DNS for each target domain.
It is also possible to reference the TXT record registered in the main domain using a CNAME record.
For more details, please refer to the following article.
[Email DLP] If using multiple domains, is it necessary to register DKIM public keys for all domains?