DKIM for Cold Email: Signatures, Selectors, and Keys
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing message, letting the receiving server verify the mail genuinely came from your domain and was not altered in transit. For cold email it is non-negotiable: since February 2024, Google and Yahoo require it of bulk senders, and a missing or broken DKIM signature is one of the fastest ways to land in spam.
How DKIM signing works
When a message is sent, the sending server computes a hash over a chosen set of headers and the body, then signs that hash with a private key held only on that server. The resulting signature is attached to the message as a DKIM-Signature header.
The matching public key lives in your domain’s DNS as a TXT record. When the message arrives, the receiving server reads the signature, fetches the public key from DNS, and uses it to verify the signature over the same headers and body. If verification succeeds, two things are proven: the message came from a sender authorised for that domain, and the signed parts were not tampered with along the way.
That second guarantee is what separates DKIM from SPF. SPF checks whether the connecting server is allowed to send for the domain; it says nothing about whether the message itself was changed. DKIM signs the content, so any change to the signed headers or body in transit, whether by a forwarder that rewrites the message or by anyone else, makes the check fail.
What a DKIM signature actually contains
The DKIM-Signature header is a set of tag-value pairs. A few matter for understanding what is happening:
| Tag | Meaning | Typical value |
|---|---|---|
| v | Version | 1 |
| a | Signing algorithm | rsa-sha256 |
| d | The signing domain | yourdomain.com |
| s | The selector | selector1 |
| h | Which headers were signed | from:to:subject:date |
| bh | Hash of the body | base64 string |
| b | The signature itself | base64 string |
The d and s tags together tell the receiver exactly where to find the public key. Everything else lets it reproduce the hash and compare.
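As an added example (not the article's code), the following Python parses a DKIM-Signature header into its tags, builds the DNS lookup name from d and s, and recomputes the bh tag from the body under the default simple canonicalisation; the body, the header and the b= placeholder are constructed here, not real signed mail.

```python
import base64
import hashlib
import re

# Added example, not the article's code: parse a DKIM-Signature header,
# derive the DNS name the receiver queries, and recompute the bh tag.

def parse_dkim_signature(header_value):
    """Split the tag=value list into a dict, ignoring folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        if item.strip():
            name, _, value = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def public_key_dns_name(tags):
    """The d and s tags name the TXT record: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def body_hash_simple(body):
    """bh= under 'simple' body canonicalisation with sha256: CRLF line
    endings, trailing empty lines dropped, body ends in exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    body = body.rstrip("\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()

def body_hash_matches(header_value, body):
    """True when the bh tag equals the hash of the body actually received."""
    return parse_dkim_signature(header_value).get("bh") == body_hash_simple(body)

# Constructed sample, not from the article: a body and the header a signer
# would attach to it. b= is a placeholder because the RSA step is not
# performed here; only the body hash is recomputed.
SAMPLE_BODY = "Hi Sam,\r\n\r\nWould a 15 minute call next week suit you?\r\n\r\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; d=yourdomain.com; s=selector1;\r\n"
    "\th=from:to:subject:date; bh=" + body_hash_simple(SAMPLE_BODY) + ";\r\n"
    "\tb=PLACEHOLDER_SIGNATURE"
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_HEADER)
    print("lookup:", public_key_dns_name(tags))
    print("bh matches:", body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY))
    print("bh after edit:", body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY.replace("15", "5")))
```

The RSA verification of the b tag over the signed headers is the step a real receiver adds on top of this body-hash check.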
Selectors: why one domain can hold several keys
A selector is a label that points to a specific public key. The receiver combines the selector with your domain to build a DNS lookup: a signature with s=selector1 and d=yourdomain.com sends the receiver to selector1._domainkey.yourdomain.com.
Because the selector is part of the lookup, a single domain can publish multiple keys side by side, each under its own selector. This is what makes two things possible:
- Rotation without downtime. You publish a new key under a new selector, switch signing to it, and retire the old one once no mail still references it.
- Multiple sending sources. A platform that sends on your behalf can use its own selector while another tool uses a different one, all on the same domain.
For cold email running on dedicated sending domains, each domain carries its own DKIM key under a selector, published when the domain is set up.
Key length: use 2048-bit
DKIM keys are RSA key pairs, and length is the main strength setting you choose. The practical standard today is 2048-bit.
- 2048-bit — the expected default. Strong, widely supported, what most receivers want to see.
- 1024-bit — still validates and is technically permitted, but cryptographically weaker and increasingly seen as dated.
- 512-bit — too weak; many receivers treat it as no signature at all.
There is a real-world wrinkle: a 2048-bit public key can exceed the 255-character limit of a single DNS TXT string. The record is then split into multiple quoted strings inside one TXT entry, which DNS concatenates. Most registrars and managed setups handle this for you, but a key that was pasted as a single overlong string is a common reason DKIM silently fails to resolve.
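As an added example that is not part of the article, this Python builds the TXT record for a public key, splits it into 255-character strings the way a correct DNS entry stores them, and checks what a resolver hands back for the overlong-string and truncation failures; the 2048-bit key is a constructed stand-in of the right length, not a real key.

```python
import re

# Added example, not the article's code: build a DKIM TXT record, split it
# into DNS-legal strings, and check what a resolver returns.

MAX_TXT_STRING = 255  # one character-string in TXT RDATA (RFC 1035)

def dkim_txt_record(public_key_b64):
    """Content published at <selector>._domainkey.<domain>."""
    return f"v=DKIM1; k=rsa; p={public_key_b64}"

def split_txt_strings(record):
    """Cut a long record into <=255-char strings; the resolver concatenates
    them in order, so only dropping or reordering a piece breaks the key."""
    return [record[i:i + MAX_TXT_STRING]
            for i in range(0, len(record), MAX_TXT_STRING)]

def zone_file_line(name, record):
    """Zone-file syntax: one quoted string per chunk inside one TXT entry."""
    quoted = " ".join(f'"{c}"' for c in split_txt_strings(record))
    return f"{name}. IN TXT ( {quoted} )"

def check_published_strings(strings):
    """Reassemble the strings DNS returned; return (ok, reason)."""
    for chunk in strings:
        if len(chunk) > MAX_TXT_STRING:  # the 'pasted as one line' failure
            return False, f"string of {len(chunk)} chars exceeds {MAX_TXT_STRING}"
    record = "".join(strings)
    tags = {k.strip(): v.strip() for k, _, v in
            (t.partition("=") for t in record.split(";") if t.strip())}
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "v tag is not DKIM1"
    key = tags.get("p", "")
    if not key:
        return False, "p tag missing or empty (an empty p= means the key is revoked)"
    if len(key) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", key):
        return False, "p tag is not valid base64 (truncated or corrupted)"
    return True, f"ok: {len(strings)} string(s), key of {len(key)} base64 chars"

# Constructed stand-in for a 2048-bit RSA public key: the real base64 of the
# SubjectPublicKeyInfo is 392 chars with this prefix and suffix, but the
# middle here is filler, not a usable key.
KEY_2048_LEN = 392
_PREFIX, _SUFFIX = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA", "IDAQAB"
FAKE_2048_KEY = _PREFIX + "A" * (KEY_2048_LEN - len(_PREFIX) - len(_SUFFIX)) + _SUFFIX

if __name__ == "__main__":
    record = dkim_txt_record(FAKE_2048_KEY)
    print(zone_file_line("selector1._domainkey.yourdomain.com", record))
    print(check_published_strings(split_txt_strings(record)))  # split: ok
    print(check_published_strings([record]))                   # overlong: fails
```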
Key rotation
Rotation means replacing your DKIM key pair on a schedule, so that a key that is ever exposed has a limited useful life. There is no mandated interval; many operators rotate somewhere between every few months and once a year.
Selectors make rotation clean. The sequence is: publish the new public key under a fresh selector, begin signing with the new private key, wait until no in-flight mail still uses the old selector, then remove the old DNS record. Done this way, signing never stops and no message goes out unsigned.
If your sending infrastructure is managed, the private key is held server-side and rotation happens without you editing DNS. Then the thing to check is not the schedule but whether DKIM is passing on every send. Verify it by reading the Authentication-Results header on a received message, or use our SPF, DKIM, and DMARC setup checklist.
DKIM, DMARC, and the limits of authentication
DKIM rarely works alone. DMARC reads the DKIM (and SPF) result and decides what a receiver should do when authentication fails, plus where to send reports. DKIM also provides alignment: for DMARC, a DKIM result only counts when the signature verifies and the signing domain in the d tag matches the domain in the visible From address.
But passing DKIM only proves a message is authentic and unaltered. It does not make mail wanted, and it does not make it lawful. Deliverability still rests on reputation, engagement, and complaint rate, and legality depends on the recipient’s jurisdiction — Germany’s UWG §7(2) generally requires prior opt-in for advertising email, including B2B. Authentication gets you considered, not delivered, and never substitutes for consent.
How Mailionaire approaches this
When we provision a sending domain, DKIM is generated, published, and aligned with SPF and DMARC as part of the build — one isolated Microsoft 365 tenant per domain, with the private key held on our side so rotation never lands on your DNS. Billing stays simple at $50 per active domain per month, and our monitoring replaces mailboxes and domains as they wear out. See how it works for the full setup path.
FAQ
What DKIM key length should I use for cold email?
Use a 2048-bit RSA key. It is the practical standard receivers expect, and most providers default to it. A 1024-bit key still validates but offers weaker cryptographic strength and looks dated to some receivers. Avoid 512-bit keys entirely, as many systems treat them as a failure.
How often should I rotate DKIM keys?
There is no universal rule. Many operators rotate every few months to a year. If your DKIM is managed for you and the private key is held server-side, rotation is handled automatically and you do not need to touch DNS. The more important task is confirming DKIM actually passes on every send.
What is a DKIM selector?
A selector is a label that points a receiver to the right public key in your DNS. It appears in the signature as s=selector1 and tells the receiver to look up selector1._domainkey.yourdomain.com. Selectors let one domain publish several keys at once, which makes rotation and multiple sending sources possible.
Does passing DKIM make cold email legal?
No. DKIM is a technical authentication check, not legal permission. Legality depends on the recipient's jurisdiction. Germany's UWG §7(2) generally requires prior opt-in for advertising email, including B2B, and the sender is responsible regardless of how mail is authenticated. This is not legal advice.
Mailionaire provisions real, isolated Microsoft 365 mailboxes for cold email — built in Switzerland, with optional EU/Swiss data residency — then monitors and replaces them as they wear out. One flat price per domain. See how it works →