Email Fast Get a sandbox key
Glossary

DKIM

DomainKeys Identified Mail: the cryptographic signature that makes an email's origin checkable math instead of a promise.

DKIM (DomainKeys Identified Mail, RFC 6376) lets a mail server attach a cryptographic signature to every outgoing email, covering the body and selected headers. Receivers fetch the signing domain's public key from DNS and verify that the message really came from that domain and was not altered in transit.

Why it matters

Without DKIM, anyone can put your domain in a From line. With it, a receiver checks a signature instead of taking the sender's word. DKIM also survives forwarding, which SPF does not, so it is usually the signal that keeps authenticated mail authenticated on its second hop. Since 2024, Gmail and Yahoo require DKIM from bulk senders, and DMARC, the policy layer on top, depends on it.

In practice

A signature is a header on the message:

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=ef1;
  h=from:to:subject:date; bh=<body hash>; b=<signature>

The d= tag names the signing domain. The s= tag names a selector: the public key lives in DNS at ef1._domainkey.example.com, and because each key gets its own selector, a domain can run several keys at once and rotate them without downtime. One detail carries weight: for DMARC to count the signature, the d= domain must align with the domain in the visible From address.

How Email Fast handles it

Every message Email Fast sends is DKIM-signed; there is no unsigned path. Private signing keys are stored encrypted at rest, and rotation is one click: a new selector is generated and published, new mail signs with the new key, and the old one is retired once DNS caches expire.

Questions, answered plainly

Do I still need SPF if I have DKIM?

Yes. They prove different things: SPF authorizes the sending server, DKIM authenticates the content. DMARC needs at least one of them to pass with alignment, and mailbox providers expect both to be present.

What key length should a DKIM key be?

2048-bit RSA is the current standard. 1024-bit keys are considered weak and some providers penalize them. Rotate keys by publishing a new selector rather than replacing a key in place.

See it for yourself

Sandbox keys run the real pipeline dry — real validation, real events, a hosted inbox, no email sent. Early access is onboarding now.