DKIM glossary

What does the d= tag mean in a DKIM signature?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

The d= tag in a DKIM-Signature names the signing domain (the SDID) — the domain taking responsibility for the message and where receivers fetch the public key. For DMARC, d= must align with the From: header domain, so it decides whether a passing DKIM signature actually helps you pass DMARC.

d= at a glance
Tagd (signing domain / SDID)
Valid valuesA domain you control and can publish a key under, e.g. example.com
DefaultRequired — a DKIM signature is meaningless without a signing domain.
Where it goesIn the DKIM-Signature header, alongside the s= selector.

How d= works

d= answers a single question: who is vouching for this message? It names the domain that signed it, and it tells the receiver where to look for the public key — <selector>._domainkey.<d-value>. The signature asserts that this domain takes responsibility for the message, and nothing more.

On its own, a valid signature only proves the d= domain signed the mail. DMARC adds the test that matters: it checks whether d= aligns with the domain in the visible From: header. Mail sent from you@example.com and signed with d=example.com aligns, so the DKIM leg of DMARC passes. Alignment can be strict or relaxed — see the adkim tag for the difference.

This is where the classic trap lives. An email service provider often signs your campaigns with its own domain — say d=esp-mail.com. DKIM passes, because the ESP's signature is valid, but DMARC fails alignment because d= isn't your From: domain. The fix is to configure custom-domain (branded) DKIM signing at the ESP so d= becomes your domain.

Correct record vs common mistake

Correct

From: you@example.com
DKIM-Signature: ...; d=example.com; s=s1; ...

The signing domain matches the From domain, so DKIM is aligned and DMARC's DKIM check passes.

Common mistake

From: you@example.com
DKIM-Signature: ...; d=esp-mail.com; s=s1; ...

The ESP signs with its own domain. DKIM verifies, but d= doesn't align with the From domain, so DMARC still fails — the reason to enable custom-domain signing.

Troubleshooting d=

IssueLikely causeFix
DKIM passes but DMARC failsd= is the ESP's domain, not aligned with the From domainEnable custom-domain DKIM at the sender so d= becomes your domain
Receiver can't find the public keyd= or the selector points at a domain with no published keyPublish the key at <selector>._domainkey.<d-domain> and let DNS propagate
Subdomain mail fails alignmentd= is the parent domain but From uses a subdomain under strict alignmentSign with a matching d=, or set DMARC adkim=r (relaxed) if the organizational domain is shared

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Every client that sends through a marketing platform, help desk, or invoicing tool risks this ESP-signs-with-its-own-domain trap. Across dozens of tenants it means DKIM looks green while DMARC quietly fails alignment — and you can't safely reach reject until each sender signs with the client's own d= domain.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Palisade reads each client's reports to spot exactly which senders sign with the wrong d=, flags the ones failing alignment, and guides them onto custom-domain signing — so every legitimate source aligns before the domain moves to reject.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

It's the signing domain, or SDID — the domain that takes responsibility for the message and where the receiver fetches the public key to verify the signature.

Usually because d= doesn't align with the From domain. The signature is valid, so DKIM passes, but DMARC needs the signing domain to match the visible From domain — so it fails alignment.

For DMARC to pass on DKIM, yes — the d= domain must align with the From domain (an exact match under strict, or a shared organizational domain under relaxed).

Turn on custom-domain or branded DKIM at the ESP. You publish a key under your own domain, the ESP signs with d=yourdomain, and DKIM then aligns with your From address.

Related terms

What is DKIM? DomainKeys Identified Mail explained