DKIM adds a digital signature to every email your school sends. Receiving mail servers use this signature to verify the message was genuinely sent by you and hasn't been altered in transit.
DomainKeys Identified Mail (DKIM) is an email authentication method that uses public-key cryptography to sign outgoing emails. It proves two things:
Unlike SPF — which verifies the sending server's IP address — DKIM attaches a cryptographic signature directly to the message itself.
TXT recordThe signature is added as a header the recipient never sees:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourschool.edu.ph; s=google; h=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=ABC123...
The public key DNS record looks like:
google._domainkey.yourschool.edu.ph TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
SPF verifies the sending server, but an attacker who compromises a legitimate sending server (or uses a misconfigured relay) can still pass SPF while sending fraudulent email. DKIM's cryptographic signature cannot be forged without the private key.
If an attacker intercepts your email in transit and modifies it (changes a bank account number, edits instructions), DKIM verification will fail at the destination — alerting the recipient's mail system.
DMARC — the policy that actually enforces email authentication — requires at least one of SPF or DKIM to pass with proper alignment. Without DKIM, your DMARC protection is weaker and more fragile.
Gmail, Outlook, and other providers use DKIM as a trust signal. School emails without DKIM are more likely to land in spam, which means important communications (report cards, emergency notices, enrollment confirmations) may not reach parents.
DKIM setup depends on your email provider. Most generate the key pair for you.
TXT record valueTXT record with the name google._domainkeyCNAME records to add to your DNSAfter setup, send a test email to a Gmail address and click the three dots → Show original. Look for:
DKIM: 'PASS' with domain yourschool.edu.ph
Or use a free tool like MXToolbox DKIM Lookup to verify your DNS record is correct.
The Site Scanner also checks whether your domain has DKIM configured.