How to Describe DKIM in Simple Terms
Announcement by Employee - 10/7/2019 at 2:31 PM
DomainKeys Identified Mail (DKIM) is an email authentication protocol with several moving parts, and it is hard to find one place that describes how it works end to end.

DKIM lets a domain take responsibility for a message in a way that others can verify. That verification is cryptographic: the sender signs parts of the message and the receiver checks the signature. There are several steps.

First, the sender decides which parts of the message the signature will cover: a chosen set of header fields (the From: field must always be among them) and the body, either in full or only up to a stated length. Whatever is covered must arrive exactly as it was signed, after a defined canonicalization step (the "relaxed" mode tolerates whitespace changes, the "simple" mode does not). Otherwise the signature will fail to verify.

Second, the sender's mail server hashes the body and the selected header fields and signs the result with a private key that only the sender holds. That is a digital signature, not encryption: nothing is hidden, but anyone with the matching public key can check it. The signature, the hash algorithm, the list of signed header fields, the signing domain (d=) and a selector (s=) are placed in a DKIM-Signature header, and the message is sent.

Third, the receiver sees the DKIM-Signature header and uses the domain and selector in it to query DNS for a TXT record at selector._domainkey.domain. That record holds the public key, the other half of the key pair whose private key produced the signature. The receiver does not decrypt anything with it; the key lets it check whether the signature is valid for a given hash.

Fourth, the receiver computes its own hashes over the signed parts of the message as it arrived and checks the signature against them. If the check passes, the receiver knows that the signed parts were not modified in transit and that the signing domain vouched for the message.
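The four steps above as a runnable example. This is added here and is not code from the original post or from SmarterMail: it signs and verifies a constructed message the way RFC 6376 describes, with relaxed canonicalization, the body hash (bh=), a header hash that covers the DKIM-Signature field itself, and a dictionary standing in for the DNS TXT lookup at selector._domainkey.domain. The RSA part is a toy built from two Mersenne primes on the Python standard library only, the p= encoding of the public key is a simplification (a real record carries a DER-encoded SubjectPublicKeyInfo), and the domain, selector, headers and body are all made up.

```python
import base64, hashlib, re, secrets

# Toy RSA key from two Mersenne primes (2^521-1, 2^607-1): deterministic and handy for a demo, but
# useless for real security since anyone can factor it. Real signers use a vetted library and 2048-bit keys.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
_N, _E = _P * _Q, 65537
PUB, PRIV = (_N, _E), (_N, pow(_E, -1, (_P - 1) * (_Q - 1)))

def _emsa(digest, k):                        # EMSA-PKCS1-v1_5 padding with the SHA-256 DigestInfo prefix
    t = bytes.fromhex("3031300d060960864801650304020105000420") + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, digest):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(digest, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, digest, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    return secrets.compare_digest(em, _emsa(digest, k))

# DKIM "relaxed" canonicalization (RFC 6376 section 3.4): this is what "unchanged in transit" means.
def relaxed_header(name, value):
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()    # unfold, collapse WSP, trim
    return f"{name.lower()}:{value}\r\n"

def relaxed_body(body):
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" \t") for l in body.split("\r\n")]
    while lines and lines[-1] == "":         # drop trailing empty lines
        lines.pop()
    return "".join(l + "\r\n" for l in lines)

def _header_value(headers, name):            # duplicate fields: the last one is taken (section 5.4.2)
    return next((v for n, v in reversed(headers) if n.lower() == name.lower()), None)

def _tags(value):
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)

def _body_hash(body):
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()

def _header_hash(headers, signed, sig_value_with_empty_b):
    present = [(n, _header_value(headers, n)) for n in signed]
    data = "".join(relaxed_header(n, v) for n, v in present if v is not None)
    # the DKIM-Signature field itself is hashed last, with b= emptied and without its trailing CRLF
    data += relaxed_header("DKIM-Signature", sig_value_with_empty_b).rstrip("\r\n")
    return hashlib.sha256(data.encode()).digest()

def dkim_dns_record(pub):                    # stand-in: real p= is base64 DER SubjectPublicKeyInfo, here base64("n:e")
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(f"{pub[0]:x}:{pub[1]:x}".encode()).decode()

def dkim_sign(headers, body, domain, selector, priv, signed=("From", "To", "Subject")):
    # steps 1 and 2: choose the covered fields (From: is mandatory), hash body and headers, sign
    value = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
             f"h={':'.join(signed)}; bh={_body_hash(body)}; b=")
    return value + base64.b64encode(rsa_sign(priv, _header_hash(headers, signed, value))).decode()

def dkim_verify(headers, body, dns_txt):
    # steps 3 and 4: dns_txt(name) stands in for the TXT lookup of selector._domainkey.domain
    sig = _header_value(headers, "DKIM-Signature")
    if sig is None:
        return "none"                        # unsigned is not the same as forged
    t = _tags(sig)
    signed, rec = t["h"].split(":"), dns_txt(f"{t['s']}._domainkey.{t['d']}")
    if "from" not in [s.lower() for s in signed] or rec is None:
        return "permerror"
    n_hex, e_hex = base64.b64decode(_tags(rec)["p"]).decode().split(":")
    if _body_hash(body) != t["bh"]:
        return "fail"                        # body altered in transit
    digest = _header_hash(headers, signed, re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig))
    return "pass" if rsa_verify((int(n_hex, 16), int(e_hex, 16)), digest, base64.b64decode(t["b"])) else "fail"

# Constructed demo message and fake DNS zone (not real data).
ZONE = {"s2019._domainkey.example.com": dkim_dns_record(PUB)}
HEADERS = [("From", "Alice <alice@example.com>"), ("To", "bob@example.net"),
           ("Subject", "Quarterly  report"), ("Date", "Mon, 7 Oct 2019 14:31:00 -0500")]
BODY = "Hi Bob,\r\n\r\nFigures attached.  \r\n\r\n"

def demo():
    msg = HEADERS + [("DKIM-Signature", dkim_sign(HEADERS, BODY, "example.com", "s2019", PRIV))]
    return {
        "intact": dkim_verify(msg, BODY, ZONE.get),
        "whitespace_only_change": dkim_verify(msg, BODY.replace("Hi Bob", "Hi   Bob"), ZONE.get),
        "body_tampered": dkim_verify(msg, BODY.replace("Figures", "Invoice"), ZONE.get),
        "from_rewritten": dkim_verify([("From", "Alice <alice@attacker.example>")] + msg[1:], BODY, ZONE.get),
        "unsigned_date_rewritten": dkim_verify(msg[:3] + [("Date", "Tue, 8 Oct 2019 09:00:00 -0500")] + msg[4:], BODY, ZONE.get),
        "no_signature": dkim_verify(HEADERS, BODY, ZONE.get),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

Running demo() shows which alterations break the signature: a change to the body or to a signed header fails, a whitespace-only change survives relaxed canonicalization, the unsigned Date: header can be rewritten freely because it is not listed in h=, and a message with no signature comes back as "none" rather than "fail".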

DKIM signatures are an important method for limiting spam, spoofing and phishing. They also show that the signed parts of the message were not tampered with during transmission.

Because DKIM takes some effort to set up, not every sender has adopted it. Thus, the absence of a DKIM signature does not mean the email is fraudulent. A valid signature, on its own, is not a reliable way of authenticating a sender either: it proves only that the domain in the d= tag signed the message. That domain need not match the visible From: address, so DKIM alone does not prevent spoofing the "from" domain that the end user sees.

That is why using DMARC and SPF as well as DKIM is so important. The three combine to form effective anti-spam and anti-spoofing protection. DMARC ties the other two to the visible From: domain: the domain that passed DKIM or SPF has to align with it, and the domain owner publishes a policy telling receivers to quarantine or reject mail that fails. Where that policy is in place and enforced, a message that reaches the user carries a From: domain that actually authenticated, which is the assurance a DKIM signature alone cannot give.

For instructions on setting up DKIM in SmarterMail, please see this knowledge base article:
