The DomainKeys Identified Mail (DKIM) standard was created for the same reason as SPF: to stop spammers from impersonating your domain as an email sender. It is a method of signing your outgoing email so that the receiving system can check whether the message really came from your domain and whether it was tampered with on the way.
Technically speaking, DKIM provides a way of cryptographically binding a domain name to a message, so that the receiver can verify that the owner of that domain (or a party the owner has authorised) took responsibility for the message.
It does this with an asymmetric key pair: the private key stays with the signing mail server and the public key is published in DNS. The private key is used to add a digital signature, carried in a DKIM-Signature header, to every outgoing email message.
Receiving email systems fetch the public key from DNS and use it to verify the signature. A valid signature proves two things: that the message was signed by a holder of the domain's private key, and that the signed headers and the body were not changed in transit. One caveat a practitioner should keep in mind: DKIM only proves that the signing domain (the d= tag in the signature) vouched for the message. It does not by itself check that this domain matches the address the user sees in the From: header; that alignment check is what DMARC adds on top of DKIM and SPF.
DKIM signatures travel in a dedicated message header (DKIM-Signature) that conforms to the standard internet message syntax (RFC 5322), so a signed message is still an ordinary email. Any receiving mail server that supports DKIM recognises the header and attempts to verify the signature; one that does not support DKIM simply ignores the header and delivers the message as usual.
DKIM lets a domain owner publish several signing keys at once, distinguished by a selector (the s= tag in the signature), so different systems can sign with different keys. Those keys could be internal to the sending organisation, for instance mail sent from remote branches or subsidiaries, or they could be issued to commercial or marketing email service providers that send mail on behalf of the domain owner. Giving each sender its own selector also means one key can be revoked without affecting the others.
The private key of a DKIM key pair must be held securely by whoever operates the signing mail server; anyone who obtains it can sign mail as your domain. The public key is published in DNS as a TXT record at the name <selector>._domainkey.<domain>, so that any receiving mail system can look it up and verify the signature; a plain DNS TXT lookup of that name is the quickest way to check that a key is actually published. Keys should also be rotated: publish a new selector, switch signing to it, and only remove the old TXT record once mail signed with the old key has stopped circulating, otherwise that mail will start failing verification.
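To make the mechanism described above concrete, here is an added example (not code from the original article or from any DKIM library) that implements both sides of the exchange in Go using only the standard library: the sender canonicalises the headers and body, builds the DKIM-Signature header and signs it with the private key; the domain owner turns the public key into the TXT record for <selector>._domainkey.<domain>; and the receiver, given that record, checks the body hash and then the signature. It uses the ed25519-sha256 algorithm (RFC 8463) because Ed25519 keys are small enough to read; the far more common rsa-sha256 signature has exactly the same structure, only the key handling differs. The domain example.com, the selector sel2024, the headers, the message body and the freshly generated key are all constructed for the example; canonicalisation is simplified to the cases a practitioner would normally meet (relaxed headers, simple body).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

type Header struct{ Name, Value string } // one RFC 5322 header field
var b64, bTag = base64.StdEncoding, regexp.MustCompile(`(^|;)(\s*)b=[^;]*`) // bTag finds the b= tag; base64 never contains ';'

// relaxedHeader: DKIM "relaxed" header canonicalization: lowercase name, unfold, collapse whitespace, trim.
func relaxedHeader(h Header) string {
	v := strings.Join(strings.Fields(h.Value), " ")
	return strings.ToLower(h.Name) + ":" + v + "\r\n"
}

// bodyHash is the bh= tag: base64(SHA-256(body)) after "simple" body canonicalization (CRLF, one trailing CRLF).
func bodyHash(body string) string {
	b := strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n")
	sum := sha256.Sum256([]byte(strings.TrimRight(b, "\r\n") + "\r\n"))
	return b64.EncodeToString(sum[:])
}

// parseTags splits a "k=v; k=v" tag list; the DKIM-Signature header and the DNS record share this syntax.
func parseTags(v string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(v, ";") {
		if k, val, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.Join(strings.Fields(val), "") // folded values may contain whitespace
		}
	}
	return tags
}

// signedData is what gets hashed and signed: the headers named in h=, in order, then the DKIM-Signature header itself with an empty b= and no trailing CRLF.
func signedData(headers []Header, hList []string, sigValue string) []byte {
	var sb strings.Builder
	for _, name := range hList {
		for _, h := range headers {
			if strings.EqualFold(h.Name, name) {
				sb.WriteString(relaxedHeader(h))
				break
			}
		}
	}
	self := relaxedHeader(Header{"DKIM-Signature", bTag.ReplaceAllString(sigValue, "${1}${2}b=")})
	sb.WriteString(strings.TrimSuffix(self, "\r\n"))
	return []byte(sb.String())
}

// Sign is the sender's side: build the DKIM-Signature header and sign it with the domain's private key.
func Sign(priv ed25519.PrivateKey, domain, selector string, hList []string, headers []Header, body string) Header {
	unsigned := fmt.Sprintf("v=1; a=ed25519-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=", domain, selector, strings.Join(hList, ":"), bodyHash(body))
	digest := sha256.Sum256(signedData(headers, hList, unsigned))
	return Header{"DKIM-Signature", unsigned + b64.EncodeToString(ed25519.Sign(priv, digest[:]))}
}

// DNSRecord is the domain owner's side: the TXT record to publish at <selector>._domainkey.<domain>.
func DNSRecord(pub ed25519.PublicKey) string {
	return "v=DKIM1; k=ed25519; p=" + b64.EncodeToString(pub)
}

// Verify is the receiver's side: given the TXT record it looked up, check the body hash first (cheap), then the signature.
func Verify(txt string, sig Header, headers []Header, body string) error {
	t, rec := parseTags(sig.Value), parseTags(txt)
	if t["v"] != "1" || t["a"] != "ed25519-sha256" || t["c"] != "relaxed/simple" || rec["k"] != "ed25519" {
		return errors.New("unsupported version, algorithm, canonicalization or key type")
	}
	if bodyHash(body) != t["bh"] {
		return errors.New("body hash mismatch: body altered in transit")
	}
	pub, err := b64.DecodeString(rec["p"])
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key in DNS record")
	}
	raw, _ := b64.DecodeString(t["b"]) // a malformed b= value simply fails the check below
	digest := sha256.Sum256(signedData(headers, strings.Split(t["h"], ":"), sig.Value))
	if !ed25519.Verify(ed25519.PublicKey(pub), digest[:], raw) {
		return errors.New("signature invalid: a signed header was altered or the key does not match")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key; in practice priv lives in protected storage on the signer
	headers := []Header{{"From", "alice@example.com"}, {"To", "bob@example.net"}, {"Subject", "Q3 invoice"}}
	body := "Please find the invoice attached.\r\n" // constructed message
	sig := Sign(priv, "example.com", "sel2024", []string{"from", "to", "subject"}, headers, body)
	txt := DNSRecord(pub) // what the owner publishes at sel2024._domainkey.example.com
	fmt.Println("intact:", Verify(txt, sig, headers, body))
	fmt.Println("body changed:", Verify(txt, sig, headers, body+"Pay to this new account.\r\n"))
	headers[2].Value = "URGENT: wire transfer" // tamper with a signed header
	fmt.Println("subject changed:", Verify(txt, sig, headers, body))
}
```

Two details are worth noticing. The signature covers the DKIM-Signature header itself (with b= blanked), so an attacker cannot swap in a different h= list or bh= value; and canonicalisation is what lets the signature survive the whitespace and line-folding changes that relays make, which is why a re-folded Subject still verifies while an edited one does not. Real verifiers additionally consult the DNS record's t= and h= flags, enforce signature expiry (x=) and, as noted above, leave the question of whether d= matches the visible From: address to DMARC.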