What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to every email you send. Think of it as a wax seal on a letter—it proves the email came from you and hasn’t been altered in transit.
How DKIM Works
When you send an email, your mail server adds a digital signature, created with a private key, to the message header. The receiving server then looks up the matching public key in your DNS and uses it to verify the signature. If the signature verifies, the email is authenticated.
This cryptographic verification is nearly impossible to fake, making DKIM a powerful tool against email impersonation.
Why DKIM Matters for Shopify Merchants
Your customers rely on email communications from your store:
- Order confirmations with transaction details
- Shipping updates with tracking links
- Password reset emails with sensitive links
- Promotional emails that drive revenue
Without DKIM, attackers can modify these emails or send convincing fakes. Customers might click malicious links thinking they’re from your Shopify store.
Setting Up DKIM for Common Email Services
Shopify
Shopify handles DKIM automatically for emails sent through their platform. No configuration needed for standard order notifications.
Klaviyo
- Go to Account > Settings > Domains
- Add your sending domain
- Copy the DKIM record provided
- Add it to your DNS as a TXT record
Mailchimp
- Navigate to Website > Domains
- Authenticate your domain
- Add the DKIM records Mailchimp provides to your DNS
Google Workspace
- Go to Admin Console > Apps > Google Workspace > Gmail
- Select “Authenticate email”
- Generate DKIM key and add to DNS
DKIM Selector and Key Rotation
DKIM records use “selectors”—unique identifiers that allow multiple DKIM keys for one domain. For example:
selector1._domainkey.yourstore.com
klaviyo._domainkey.yourstore.com
Different email services use different selectors, so you can have DKIM set up for multiple platforms simultaneously.
Troubleshooting DKIM Failures
Record Not Found
The DKIM DNS record doesn’t exist. Double-check that you added it to the correct subdomain and that DNS has propagated.
Signature Mismatch
The email was modified after sending, or the wrong key is being checked. Verify the selector matches what your email service expects.
Key Too Short
Some older DKIM keys are only 1024 bits long. Many email providers now require 2048-bit keys for stronger security.
How Recon Helps
Recon monitors your DKIM configuration by:
- Verifying DKIM records exist for all your email services
- Checking that keys meet modern security standards
- Alerting you if DKIM validation fails
- Guiding you through DKIM setup for common Shopify integrations
FAQ
Q: Do I need DKIM if I already have SPF?
A: Yes. SPF and DKIM serve different purposes. SPF verifies the sending server; DKIM verifies the message itself. Both are needed for complete email authentication.
Q: Will DKIM slow down my email delivery?
A: No. The signature verification happens in milliseconds and doesn’t noticeably affect delivery speed.
Q: How do I know if my DKIM is working?
A: Send a test email to a service like mail-tester.com, or check the email headers in Gmail (click “Show original”). Look for “DKIM: PASS” in the authentication results.