DKIM — DomainKeys Identified Mail — adds a cryptographic signature to every email sent from your domain. The receiving mail server uses a public key published in your DNS to verify that the email was actually sent by you and was not modified in transit. A DKIM pass tells Gmail, Outlook, and other receiving servers that the email is legitimate and has not been spoofed or tampered with.
How DKIM Works in Cold Email
When your cold email sending platform sends an email, it signs the message headers and body with a private key stored in its systems. The receiving server retrieves your domain's public DKIM key from DNS and uses it to verify the signature. If the signature matches, DKIM passes. If not — or if no DKIM key exists — the email fails authentication and is more likely to be filtered as spam.
How to Add DKIM for a Cold Email Domain
Most cold email platforms and email hosting providers generate DKIM keys in their settings. Google Workspace generates a DKIM key from Admin Console under Apps, Google Workspace, Gmail, Authenticate email. The key is a TXT or CNAME record you add to your domain's DNS at a specific selector subdomain (like google._domainkey.yourdomain.com). Saleshandy and Instantly each have their own DKIM configuration in their domain authentication settings.
Why DKIM Failure Destroys Cold Email Performance
Gmail's spam filtering models heavily weight authentication signals. Emails that pass SPF but fail DKIM get treated with heightened suspicion. A campaign sending 500 emails per day from a domain with no DKIM will see inbox placement rates 30 to 50 percent lower than an identical campaign from a DKIM-authenticated domain. For cold email specifically — where the sender has no prior relationship with the recipient — authentication signals carry extra weight.
Omni configures DKIM on every sending domain as part of the standard infrastructure setup. The full authentication stack is covered in the cold outbound system overview.