DomainKey Identified Mail

DKIM is a way for email servers to verify the authenticity of a email using asymmetric cryptography keys.

While SPF tells us what IP addresses and domains are allowed to send email from your domain, that's a fairly coarse protection. If you have authorized all Mailchimp servers to send emails from your domain, what's to stop someone else using Mailchimp to send emails from your domain? That's where DKIM enters.

It's cryptography

DKIM uses asymmetric keys to cryptographically verify the sending server. If you think that sounds complex, don't worry - it is complex but our email servers handle everything for us.

DKIM for your domains consists of 2 keys: A public one and a private one. The public key is added to a DNS record where everyone can look it up while the private key never leaves the sending server (because it's private).

Each email sent from the server contains a header with a signature generated using the private key and instructions where to find the public key. The receiving server can then look up the public key, which it uses to verify the signature in the email.

If the signature matches the public key we know the signature has been generated by a server knowing the private key, and since only the authorized servers know the private key, the email is sent from a legit server.

DKIM cannot stand alone

DKIM only works if the DKIM header is present in the email. This means a bad actor could just not include that header in the email, which means DKIM would never be checked.

A receiving email server cannot use DKIM alone to reject emails. If an email passes DKIM that's a very strong signal that the email is legit, however if it doesn't it is at best a neutral signal.

However if you enable DMARC for your domain you are telling email servers that they should expect all your legit emails to include a DKIM header, thus they have to pass the DKIM signature verification.