DKIM

What it is

DomainKeys Identified Mail — RFC 6376. The sending server signs each message with a private key; the receiving server fetches the public key from DNS and verifies the signature.

Why it matters

DKIM survives forwarding (SPF doesn't), so it's the more reliable alignment path for DMARC. Most ESPs (Google Workspace, Microsoft 365, Mailchimp, SendGrid) handle the key management — site owners just have to publish the DNS record.

Who it applies to

Every domain that sends email.

How WQI scores it

Web Quality Index considers this standard satisfied when the supporting factor passes.

Related standards

See also

DMARC , SPF

Standards that share factors with this one

Auto-computed from overlapping factor tickets in satisfiedBy, excluding standards already listed under "See also" above. Strong overlap suggests these standards rise and fall together when sites are scored.

• Authenticated Received Chain (ARC) 1 shared factor Email health Preserves DKIM/SPF authentication results when mail is forwarded through mailing lists or alias services. The fix for `forwarder breakage`.
• Bulk-sender requirements (Apple / Google / Yahoo) 1 shared factor Email health The de-facto standard for marketing mail since February 2024. SPF + DKIM + DMARC, RFC 8058 one-click unsubscribe, and a spam-complaint rate under 0.30%. Miss any of these and Gmail / Yahoo throttle or reject.
• DKIM key rotation 1 shared factor Email health DKIM keys aren't fire-and-forget. Rotate at least annually, retire old selectors, and use 2048-bit RSA. The mechanics are spelled out in RFC 6376 §3.1.

Other references

• rfc RFC 8301 — DKIM cryptographic algorithms (SHA-256)
• rfc RFC 8463 — Ed25519 signatures for DKIM