Glossary

DKIM: DomainKeys Identified Mail

A cryptographic signature proving an email really came from your domain and wasn’t altered. Essential for support replies to pass spam filters.

DKIM (DomainKeys Identified Mail) lets a sender attach a digital signature to outgoing mail using a private key. The matching public key is published in DNS, so any receiver can verify the signature and confirm two things: the message was authorized by the signing domain, and the signed content wasn’t altered in transit.

How it works

  • The sending server hashes selected headers and the body, then signs that hash with a private key, adding a DKIM-Signature: header.
  • That header names the signing domain in its d= tag and a selector in its s= tag.
  • The receiver looks up the public key at selector._domainkey.signingdomain in DNS and checks the signature.
  • If the content was modified after signing, verification fails — that’s the tamper-evidence.

DKIM by itself proves a valid signature exists; it doesn’t require the signing domain to match the visible From: address. That match — “alignment” — is what DMARC adds on top.
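The lookup name and the alignment gap described above, as an added example (not Cherryrise code): it parses a DKIM-Signature: header, builds the selector._domainkey DNS name, and compares d= with the From: domain. The sample message, selector and domains are constructed; the code does not verify the signature, and it checks exact-match alignment only, since DMARC's relaxed mode compares organizational domains and needs the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: domains, selector and signature values are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.net;
 s=sel2024; h=From:To:Subject:Date;
 bh=PLACEHOLDER=; b=PLACEHOLDER
From: Support <help@example.com>
To: customer@example.org
Subject: Re: your ticket

Hello
"""

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside the tags read here is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_report(raw):
    """Return (From: domain, one dict per DKIM-Signature header). No crypto check."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        if not d or not s:
            continue  # d= and s= are both required to locate the key
        report.append({
            "d": d,
            "dns_name": f"{s}._domainkey.{d}",   # where the receiver fetches the key
            "from_signed": "from" in tags.get("h", "").lower().split(":"),
            "strict_aligned": d == from_domain,  # exact match only (see lead-in)
        })
    return from_domain, report

if __name__ == "__main__":
    domain, sigs = dkim_report(SAMPLE)
    for sig in sigs:
        print(f"From: domain {domain} ->", sig)
```

On the sample, the signature is locatable and covers From:, yet it is not aligned, which is the case DMARC is designed to catch.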

Why it matters for support

Mailbox providers weight authenticated mail more favorably, so signing replies is one of the highest-leverage deliverability fixes and a prerequisite for DMARC. It works alongside SPF, which authorizes which servers may send for your domain, and unlike SPF it survives forwarding: because the signature travels with the message, a DKIM signature still verifies after a mailing list or a forwarded mailbox passes it along, where SPF often breaks. For example, a SaaS support desk whose replies were landing in spam often finds that publishing a DKIM record and signing from its own domain is what moves them back to the inbox. The plain-English version is in DKIM explained without the jargon, with the full set covered in SPF, DKIM and DMARC explained.

How Cherryrise handles it

Cherryrise signs outbound mail with BYODKIM — your own key under your own domain — so replies are signed as you, not as the sending provider. The setup walkthrough is in the deliverability guide.
