EU Web Security: 10 Steps to a Better Rating · Part 6

DKIM: Why Only 31% of EU Domains Sign Their Emails

DKIM ensures your emails are not altered in transit. Without DKIM, DMARC cannot work properly either.

SiteGuardian

Part 6 of the series "EU Web Security: 10 Steps to a Better Rating"


The Problem

SPF checks whether the mail server is authorised. But SPF does not check whether the content of the email was altered in transit. A compromised relay server can change the text, swap links, manipulate attachments — and SPF still says "pass".

DKIM solves this: your mail server signs every outgoing email with a private key. The recipient verifies the signature using the public key published in your DNS. If the email was altered, the signature does not match — the recipient knows: tampering.
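To make "altered in transit" concrete, here is an added Python example (not code from this article or from SiteGuardian) that computes the DKIM body hash, the bh= tag of a signature, using the "relaxed" body canonicalization from RFC 6376 section 3.4.4. The messages are constructed samples: a relay that only reshuffles whitespace produces the same hash, while a swapped link does not, which is exactly what lets the recipient's verifier call the second one tampering.

```python
import base64
import hashlib
import re


def relaxed_body(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    out = []
    for line in lines:
        line = re.sub(r"[ \t]+", " ", line)   # collapse runs of whitespace to one space
        out.append(line.rstrip(" \t"))       # drop whitespace before the line ending
    while out and out[-1] == "":             # ignore empty lines at the end of the body
        out.pop()
    if not out:
        return ""                            # an empty body canonicalizes to nothing
    return "\r\n".join(out) + "\r\n"         # every line, including the last, ends in CRLF


def body_hash(body):
    """The bh= value for an a=rsa-sha256 signature: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(signed_bh, received_body):
    """What a verifier does first: recompute bh= over the body it received and compare."""
    return body_hash(received_body) == signed_bh


# Constructed sample messages (not real mail).
ORIGINAL = "Hello,\r\n\r\nYour order is ready: https://shop.example/order/123\r\n"
# Same message after a relay re-wrapped whitespace and appended blank lines.
REWRAPPED = "Hello,\n\nYour   order is ready:\thttps://shop.example/order/123  \n\n\n"
# Same message with the link swapped by a compromised relay.
TAMPERED = "Hello,\r\n\r\nYour order is ready: https://shop.example.invalid/order/123\r\n"

if __name__ == "__main__":
    bh = body_hash(ORIGINAL)
    print("bh=", bh)
    print("rewrapped verifies:", body_hash_matches(bh, REWRAPPED))   # True
    print("tampered verifies: ", body_hash_matches(bh, TAMPERED))    # False
```

The body hash is only half of a DKIM check: the signature itself (b=) additionally covers the selected headers and the bh= value, so a verifier that finds a matching bh= still has to verify the RSA signature against the public key in DNS.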

DKIM adoption in the EU: 31.1%. Two out of three domains do not sign their emails.


Why DKIM Is Critical for DMARC

DMARC checks: Does SPF OR DKIM pass — and is the passing identifier aligned with the From domain? In practice, SPF frequently fails for forwarded emails, because the forwarding server's IP is not in your SPF record. DKIM survives forwarding because the signature travels inside the message header and covers the message itself, not the IP address of whichever server delivered it last.

Without DKIM, your DMARC policy fails on every forwarded email. Mailing lists, Outlook forwarding rules, auto-forwarding — all generate SPF failures. Only DKIM saves deliverability.


How to Set Up DKIM

Google Workspace

  1. Admin Console > Apps > Google Workspace > Gmail > Authenticate email
  2. "Generate new DKIM key" > Key length 2048 bit
  3. Add the displayed TXT record to your DNS (under google._domainkey.your-domain.com)
  4. Back in the Admin Console: "Start authentication"

Microsoft 365

  1. Microsoft 365 Defender > Policies > Email authentication > DKIM
  2. Select domain > "Create DKIM key"
  3. Add two CNAME records to your DNS (Microsoft displays them)
  4. Enable DKIM

Brevo / Mailchimp / Newsletter Tools

Most newsletter tools require DKIM setup during domain verification:

  1. In the tool: Add domain > DKIM record is displayed
  2. Add the TXT record to your DNS
  3. In the tool: Verify domain

Manual Setup (Postfix / Self-Hosted Mail Server)

# Install OpenDKIM
apt install opendkim opendkim-tools

# Generate key pair for selector "mail".
# -b 2048: opendkim-genkey defaults to 1024 bit, so state the length explicitly.
# -t: publishes the key with t=y (testing mode), so verifiers report
#     failures without treating the mail as unsigned while you test.
opendkim-genkey -b 2048 -t -s mail -d your-domain.com

# Add public key to DNS
cat mail.txt  # -> TXT record under mail._domainkey.your-domain.com

# mail.private is the signing key for OpenDKIM's KeyTable/SigningTable.
# Once signing verifies, remove t=y from the DNS record.

Key Length

  • 1024 bit: Minimum, still accepted, but cryptographically marginal
  • 2048 bit: Standard, recommended
  • 4096 bit: Maximum security, but some DNS providers have issues with TXT record length (a 4096-bit public key exceeds the 255-byte limit of a single TXT string and has to be split into several quoted strings)

From the benchmark: only 31% have DKIM — and of those, approximately 60% still use 1024-bit keys. We recommend upgrading to 2048 bit.
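As an added example (not SiteGuardian's scanner code), the Python script below builds a DKIM key record around a constructed filler modulus (not a real key), splits it into quoted strings of at most 255 bytes the way a zone file needs, and parses such a record back to report the key length, the t=y testing flag and a revoked (empty p=) key. The DER structure it decodes is the standard RSA SubjectPublicKeyInfo that the p= tag carries, so the same parser works on records fetched from real selectors.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def rsa_spki_der(n, e=65537):
    """Encode (n, e) as SubjectPublicKeyInfo, the format DKIM's p= tag carries."""
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


def _der_read(buf, pos=0):
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """RSA modulus size in bits, read from a DER SubjectPublicKeyInfo."""
    tag, body, _ = _der_read(spki)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg, pos = _der_read(body)
    _, oid, _ = _der_read(alg)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_read(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = _der_read(bitstr[1:])   # skip the unused-bits octet
    _, n_bytes, _ = _der_read(rsa_key)       # first INTEGER of RSAPublicKey is the modulus
    return int.from_bytes(n_bytes, "big").bit_length()


def to_zone_txt(value, limit=255):
    """Split a TXT value into quoted strings of at most 255 bytes for a zone file."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join('"%s"' % c for c in chunks)


def parse_dkim_record(zone_value):
    """Rejoin quoted strings and parse the tag=value list (RFC 6376 section 3.6.1)."""
    joined = "".join(re.findall(r'"([^"]*)"', zone_value)) if '"' in zone_value else zone_value
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # whitespace inside values is ignored
    return tags


def dkim_key_report(zone_value):
    """What a scanner reports for one selector's TXT record."""
    tags = parse_dkim_record(zone_value)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM key record")
    report = {"key_type": tags.get("k", "rsa"), "testing": "y" in tags.get("t", "")}
    if not tags.get("p"):                   # empty p= means the key was revoked
        report.update(revoked=True, bits=0, weak=True)
        return report
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    report.update(revoked=False, bits=bits, weak=bits < 2048)
    return report


def constructed_record(bits, flags=""):
    """Key record around a constructed filler modulus (NOT a real key): top bit set so it
    is exactly `bits` long, odd like a real modulus."""
    n = (1 << (bits - 1)) | int.from_bytes(b"example" * 64, "big") % (1 << (bits - 2)) | 1
    p = base64.b64encode(rsa_spki_der(n)).decode("ascii")
    flag_tag = "t=%s; " % flags if flags else ""
    return to_zone_txt("v=DKIM1; k=rsa; %sp=%s" % (flag_tag, p))


SAMPLE_2048 = constructed_record(2048)        # 410 bytes: needs two quoted strings
SAMPLE_1024 = constructed_record(1024, "y")   # fits in one string, still in testing mode

if __name__ == "__main__":
    for name, rec in (("2048", SAMPLE_2048), ("1024", SAMPLE_1024)):
        print(name, dkim_key_report(rec))
```

A 2048-bit key only just overflows one string, so a provider that silently truncates at 255 characters leaves a p= value that fails to decode; checking that the decoded key has the expected modulus length, as above, catches that as well as a weak key.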


Common Mistakes

1. Forgetting DKIM for third-party senders. Every service that sends emails on your behalf needs its own DKIM selector: Google Workspace, newsletter tool, ticketing system, CRM. Each gets its own selector._domainkey record.

2. Never rotating keys. DKIM keys should be rotated every 6-12 months. Most providers do this automatically — but verify it.

3. DKIM without DMARC. DKIM alone only verifies the signature. Without DMARC, it does not tell the recipient what to do with unsigned emails.


Check Your Email Security

SiteGuardian checks SPF, DKIM (including key length and selector detection), DMARC, and STARTTLS:

https://siteguardian.io/scan


Next week in Part 7: X-Content-Type-Options and Referrer-Policy — two headers, five minutes, measurably better protection.



SiteGuardian

2026-05-18
