DKIM for Agents
DomainKeys Identified Mail signing applied to email sent by AI agents, so recipients can verify the message actually came from the agent's authorized domain — not a spoofed lookalike.
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication standard that lets a sender attach a cryptographic signature to every outgoing message. The signature is generated with a private key the sender controls; the corresponding public key is published in DNS under the sender's domain. When mail arrives, the receiving server fetches the public key, verifies the signature, and gains a strong guarantee that the message was authorized by whoever controls the domain.
Together with SPF and DMARC, DKIM is the difference between a message landing in the inbox and landing in spam — or being silently rejected. For human-operated mailboxes this is plumbing handled by Gmail or Microsoft 365. For AI agents sending mail from their own identity, it has to be set up explicitly.
Why agent email specifically needs DKIM
Agents send mail at higher volumes and in more automated patterns than humans. To a spam filter, an unsigned message from a brand-new sender that looks templated is the textbook signature of a phishing campaign. Without DKIM, your agent's first ten emails train every major provider to flag everything that follows.
There is a second reason: spoofing. If your agent communicates with customers from agent@yourcompany.com but you have not authorized DKIM signing for that domain, an attacker can send a message from the same address that arrives looking identical. DKIM is the only mechanism that lets recipients tell a real agent message from a forged one.
DKIM, SPF, and DMARC together
DKIM verifies the message wasn't tampered with and was signed by someone who controls the domain. SPF declares which servers are allowed to send mail for the domain. DMARC ties the two together and tells receiving servers what to do when authentication fails — quarantine, reject, or report.
An agent email setup that only does one of the three is a setup that will eventually drift into the spam folder. The full trio — SPF + DKIM + DMARC, all aligned to the sending domain — is what produces deliverability that actually works at agent volume.
How Loomal handles DKIM for agents
Loomal signs every outbound message from an agent identity with DKIM, on the agent's loomal.ai address by default. Customers using a custom sending domain configure SPF, DKIM, and DMARC records once during onboarding; Loomal manages key rotation and per-agent signing thereafter.
Inbound mail to an agent identity is also DKIM-verified, so the agent can trust who actually sent the message it's about to act on. This matters for agents that take action based on email content — a verification code, a refund request, an approval — because it stops the obvious attack of forging a message from a trusted sender to manipulate the agent.
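The inbound check described above, as an added example (not Loomal's code or API): the agent acts on a message only when the `Authentication-Results` header written by its own receiving MTA records `dkim=pass` for a `d=` domain equal to the `From` domain. The authserv-id `mx.agent-host.example`, the function names, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id your own receiving MTA writes (hypothetical name).
TRUSTED_AUTHSERV = "mx.agent-host.example"

def dkim_pass_domains(msg):
    """d= domains with dkim=pass, read only from our own MTA's results header."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", " ", value).lower()  # drop comments
        authserv, _, results = value.partition(";")
        if authserv.split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # written by another host, possibly the sender: ignore
        for resinfo in results.split(";"):
            tokens = resinfo.split()
            if tokens[:1] == ["dkim=pass"]:
                domains.update(t[9:] for t in tokens[1:] if t.startswith("header.d="))
    return domains

def agent_may_act(raw):
    """True only if exactly one From header exists and its domain equals a
    DKIM-passing d= domain (strict alignment, like DMARC adkim=s)."""
    msg = message_from_string(raw)
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        return False
    from_domain = parseaddr(froms[0])[1].rpartition("@")[2].lower()
    return bool(from_domain) and from_domain in dkim_pass_domains(msg)

# Constructed sample messages (not real traffic).
GENUINE = """\
Authentication-Results: mx.agent-host.example;
 dkim=pass header.d=yourcompany.com header.s=s1; spf=pass smtp.mailfrom=yourcompany.com
From: Billing <billing@yourcompany.com>
Subject: Refund approval

Approve refund.
"""
INJECTED = GENUINE.replace("dkim=pass", "dkim=fail").replace(
    "From:", "Authentication-Results: mail.sender.example; dkim=pass header.d=yourcompany.com\nFrom:")
UNALIGNED = GENUINE.replace("header.d=yourcompany.com", "header.d=bulk-mailer.example")

if __name__ == "__main__":
    for name in ("GENUINE", "INJECTED", "UNALIGNED"):
        print(name, agent_may_act(globals()[name]))
```

Relaxed alignment (matching on the organizational domain) needs a public suffix list, which this example leaves out.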
Loomal primitives
mail.send
mail.reply
Related terms
More from the glossary
Agent 2FA (TOTP)
Time-based one-time password generation that lets an AI agent complete two-factor authentication on services that require it — without borrowing a human's phone or authenticator app.
Agent Email
A routable email address that belongs to an AI agent — not a forwarding alias, not a shared team inbox, but a first-class mailbox the agent sends from and receives into on its own.
Agent-to-Agent Email
Using standard SMTP email as the transport between AI agents — one agent sends a message to another agent's mailbox, and the recipient reads and acts on it. The simplest interoperable A2A protocol that already exists.
Delegation Chain
A cryptographic record of who authorized an AI agent to act, what scopes were granted, and who any sub-agents inherit from. Severing the root revokes everything below it.
Last updated: 2026-04-14