DKIM....should you use it?

Last Modified: 2020-04-28
Hello Experts,

If DKIM is such a good thing to implement, why don't microsoft.com, google.com, or yahoo.com implement it?

I see they all have SPF and DMARC, but not DKIM.

Thank you

Dr. Klahn, Principal Software Engineer

The main reason that DKIM is not generally used is this: If it was mandated and strictly implemented by these big players, it would result in denial of otherwise valid email emanating from improperly configured sites. If Yahoo, Gmail or Microsoft did this then their user-base would go to some other email service provider.

There are just too many little "mom-and-pop" sites out there with email configured just barely well enough to send outgoing messages.

The flip side of this is that if the big players mandated and required DKIM, it would become a worldwide standard right quick.  But the up-front cost in lost email and lost customers would be very, very high and a customer who leaves in anger is unlikely to return.

As time goes on this may change, but at this time (a) spam filtering is about good enough to handle most suspicious messages and (b) the price paid for requiring valid DKIM on all messages would be too high.


Understood, but if my DKIM is properly configured in DNS and all my outgoing mail is signed with the private key, what can possibly be misconfigured on the receiving side?

Dr. Klahn, Principal Software Engineer

When someone "cookbooks" a configuration from a not-necessarily-excellent example without understanding it, any software product can be misconfigured.  And this is how many small sites are configured - by people who have never done this, will never do it again, and are cookbooking from an example.


Yes, I understand what you are saying about the cookbooks and how no one knows what they are doing...

I am sure Microsoft, Google, and Yahoo have competent people to set up a DNS record and enable DKIM on their email server. The question is why aren't they doing it to protect themselves? All receiving mail servers just have the burden of checking the DKIM, but that is their burden to check, they can't mess something up on their side as far as config as far as I know... that's what I don't get.

Thank you.
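
For reference on the DNS side of this discussion, an added example (not part of the original thread or any poster's code): per RFC 6376 a receiver finds the signer's public key at `<selector>._domainkey.<domain>`, taking both values from the message's DKIM-Signature header, so the record cannot be located from the bare domain name alone. The header, the selector `sel2020`, the domain and the key record below are constructed sample values.

```python
import re

# Constructed sample data (not from the thread): a DKIM-Signature header as a
# receiver would see it, and the TXT record the signer would publish.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2020;\r\n"
    "\th=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=;\r\n"
    "\tb=c2lnbmF0dXJl\r\n cGxhY2Vob2xkZXI="
)
SAMPLE_KEY_RECORD = "v=DKIM1; k=rsa; p=Y29uc3RydWN0ZWRrZXk="

REQUIRED_SIG_TAGS = ("v", "a", "b", "bh", "d", "h", "s")  # RFC 6376 sec. 3.5


def parse_tag_list(value):
    """Parse an RFC 6376 tag=value list, unfolding header whitespace."""
    tags = {}
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    for part in unfolded.split(";"):
        if not part.strip():
            continue
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part.strip()!r}")
        tags[name] = val.strip()
    return tags


def key_query_name(sig_header):
    """Return the DNS name a receiver queries for the signer's public key."""
    tags = parse_tag_list(sig_header)
    missing = [t for t in REQUIRED_SIG_TAGS if t not in tags]
    if missing:
        raise ValueError(f"signature missing required tags: {missing}")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def key_record_status(txt):
    """Classify a key record: 'usable', 'revoked' (empty p=) or 'invalid'."""
    try:
        tags = parse_tag_list(txt)
    except ValueError:
        return "invalid"
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"
    return "usable" if re.sub(r"\s+", "", tags["p"]) else "revoked"
```

A receiver would issue a TXT query for the name returned by `key_query_name` and only then attempt signature verification; a `revoked` or `invalid` key record makes verification fail regardless of how the message was signed.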