DKIM glossary
What does the d= tag mean in a DKIM signature?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
The d= tag in a DKIM-Signature names the signing domain (the SDID) — the domain taking responsibility for the message and where receivers fetch the public key. For DMARC, d= must align with the From: header domain, so it decides whether a passing DKIM signature actually helps you pass DMARC.
d= at a glance | |
|---|---|
| Tag | d (signing domain / SDID) |
| Valid values | A domain you control and can publish a key under, e.g. example.com |
| Default | Required — a DKIM signature is meaningless without a signing domain. |
| Where it goes | In the DKIM-Signature header, alongside the s= selector. |
How d= works
d= answers a single question: who is vouching for this message? It names the domain that signed it, and it tells the receiver where to look for the public key — <selector>._domainkey.<d-value>. The signature asserts that this domain takes responsibility for the message, and nothing more.
On its own, a valid signature only proves the d= domain signed the mail. DMARC adds the test that matters: it checks whether d= aligns with the domain in the visible From: header. Mail sent from you@example.com and signed with d=example.com aligns, so the DKIM leg of DMARC passes. Alignment can be strict or relaxed — see the adkim tag for the difference.
This is where the classic trap lives. An email service provider often signs your campaigns with its own domain — say d=esp-mail.com. DKIM passes, because the ESP's signature is valid, but DMARC fails alignment because d= isn't your From: domain. The fix is to configure custom-domain (branded) DKIM signing at the ESP so d= becomes your domain.
Correct record vs common mistake
Correct
From: you@example.com
DKIM-Signature: ...; d=example.com; s=s1; ...The signing domain matches the From domain, so DKIM is aligned and DMARC's DKIM check passes.
Common mistake
From: you@example.com
DKIM-Signature: ...; d=esp-mail.com; s=s1; ...The ESP signs with its own domain. DKIM verifies, but d= doesn't align with the From domain, so DMARC still fails — the reason to enable custom-domain signing.
Troubleshooting d=
| Issue | Likely cause | Fix |
|---|---|---|
| DKIM passes but DMARC fails | d= is the ESP's domain, not aligned with the From domain | Enable custom-domain DKIM at the sender so d= becomes your domain |
| Receiver can't find the public key | d= or the selector points at a domain with no published key | Publish the key at <selector>._domainkey.<d-domain> and let DNS propagate |
| Subdomain mail fails alignment | d= is the parent domain but From uses a subdomain under strict alignment | Sign with a matching d=, or set DMARC adkim=r (relaxed) if the organizational domain is shared |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
Every client that sends through a marketing platform, help desk, or invoicing tool risks this ESP-signs-with-its-own-domain trap. Across dozens of tenants it means DKIM looks green while DMARC quietly fails alignment — and you can't safely reach reject until each sender signs with the client's own d= domain.
Trusted by MSPs
“Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.”
Alvin Kalli — CSIO, MSP Corp

































Enforce it — don't just monitor it
Palisade reads each client's reports to spot exactly which senders sign with the wrong d=, flags the ones failing alignment, and guides them onto custom-domain signing — so every legitimate source aligns before the domain moves to reject.
Free 15-day trial · No credit card · Your own domain free forever (NFR)