DKIM, or DomainKeys Identified Mail, is an authentication method that attaches a digital signature to the headers of every message you send. The sending server signs selected headers and the body with a private key, and the receiving server retrieves the matching public key from your DNS to verify that signature.
The public key lives in a DNS TXT record at a special hostname called the selector, for example selector1._domainkey.example.com. Because only the holder of the private key can produce a valid signature, DKIM proves both that the message genuinely originated from an authorized system and that it was not tampered with in transit.
DKIM is one of the three pillars of modern email authentication alongside SPF and DMARC. Unlike SPF, which is tied to the sending IP, DKIM survives forwarding because the signature travels with the message. This makes it especially valuable for mailing lists and any path where messages are relayed before reaching the inbox.
For senders, using at least a 2048-bit key and rotating keys periodically is best practice. A broken DKIM signature — caused by a mangled record, an expired selector, or content modification by an intermediary — will fail DMARC alignment and hurt deliverability, so verifying your DKIM setup before a campaign is essential.