Cold email glossary
DKIM (DomainKeys Identified Mail)
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic signature to each outgoing message. Receiving servers verify the signature against a public key published in the sender's DNS, confirming the message came from that domain and was not altered in transit.
What is dkim (domainkeys identified mail)?
When a message is sent, the sending server signs a hash of the body and selected headers with a private key and attaches the result as a DKIM-Signature header. The receiving server reads the signing domain (the d= tag) and the selector (the s= tag) from that header, fetches the matching public key from a TXT record at selector._domainkey.yourdomain.com, and verifies the signature. A valid signature proves two things: the message was authorized by the domain in the d= tag, and its signed content was not modified after signing.
The selector exists so a domain can publish multiple keys at once, which makes key rotation possible without downtime. Keys are usually RSA pairs, and 2048-bit RSA keys are the practical standard where the DNS host supports them. The d= domain matters beyond verification: it is one of the two identifiers DMARC checks for alignment with the visible From address, and it is a primary handle mailbox providers use to attach reputation history to a sender.
DKIM closes a gap SPF cannot: because the signature travels inside the message, it usually survives forwarding, where SPF breaks. But a valid DKIM signature only proves origin and integrity, not trustworthiness. Spammers sign their own mail too. And DKIM alone does not stop someone from putting your domain in the visible From header while signing with their own; preventing that requires DMARC, which insists the From domain align with the domain that passed DKIM or SPF.
Why it matters in cold email
Google and Yahoo's published bulk sender guidance requires DKIM, so for any serious cold email program it is not optional. Just as important, a consistent DKIM signature is how mailbox providers build a reputation file on your sending domain. Mail that arrives unsigned, or with a broken signature because something modified the message in transit, is judged with less history and more suspicion, which is exactly what a cold email to a stranger cannot afford.
How Sendful handles it
Sendful generates DKIM keys and publishes the records for every dedicated sending domain it provisions for a client, alongside SPF and DMARC, before warmup starts. Automated health checks confirm signatures keep validating throughout the engagement, and your primary domain is never used to send outreach.
Do I need both SPF and DKIM for cold email?
Yes. They prove different things: SPF authorizes the sending server, DKIM proves the message content came from your domain unaltered. Google and Yahoo's bulk sender guidance asks for both, and DMARC needs at least one of them to pass with an aligned domain. Configure both on every sending domain.
What is a DKIM selector?
A selector is the label that tells receivers where to find the public key in DNS, at selector._domainkey.yourdomain.com. It lets one domain publish several keys at once, so platforms can issue their own keys and you can rotate keys without breaking verification of mail already in transit.
Does DKIM stop email spoofing?
Not by itself. DKIM proves a message was signed by a particular domain, but it does not require that domain to match the From address a recipient sees. Stopping spoofing of your visible From domain takes DMARC, which checks that the From domain aligns with the domain that passed DKIM or SPF and tells receivers what to do when it does not.
Book a call
Done reading? We run all of this for you.
Book a call and leave with a custom outbound plan, your ICP, opening sequences, and a deliverability check, whether or not we work together.