DKIM (DomainKeys Identified Mail) signs every message you send with a private key, and receivers verify that signature against the public key you publish in DNS. A valid signature proves that the message was signed with a key published under your domain and that the signed headers and body were not changed in transit. Here is how to turn it on.
Step 1: generate the key in your sending platform
DKIM keys are created by the service that sends your mail, not by hand. In Google Workspace, Microsoft 365, SendGrid, Mailchimp and the rest, there is a DKIM or domain authentication section that generates a key and gives you the DNS records to publish. Ask for a 2048-bit key where you can choose, since 1024-bit is weak.
Step 2: publish the DNS records
The platform gives you one or more records to add, usually CNAME or TXT, at a selector under _domainkey. For example:
selector1._domainkey.yourdomain.com
The selector is just a label that lets you rotate keys later. Publish exactly what the provider shows you.
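As an added example, not part of this guide or of any provider's tooling, the Python below builds the record name for a selector, parses the TXT value a provider hands you, and reads the RSA modulus size out of the p= key so you can confirm you actually got the 2048-bit key you asked for. The domain and selector names are placeholders, and the two sample records are constructed keys with correct DER framing around a dummy modulus, not real keys.

```python
import base64


def dkim_record_name(selector, domain):
    """Name the receiver queries for the public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def parse_tags(value):
    """Parse a DKIM tag=value list ('v=DKIM1; k=rsa; p=...') into a dict.

    Folding whitespace inside values (common in long p= values) is dropped.
    """
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags


def _der_read(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Return the modulus size of an RSA SubjectPublicKeyInfo (the base64-decoded p= value)."""
    tag, spki, _ = _der_read(spki_der, 0)        # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _algorithm, pos = _der_read(spki, 0)      # AlgorithmIdentifier, skipped
    tag, bitstring, _ = _der_read(spki, pos)     # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = _der_read(bitstring[1:], 0)  # skip unused-bits byte; RSAPublicKey SEQUENCE
    tag, modulus, _ = _der_read(rsa_key, 0)      # INTEGER n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(txt, minimum_bits=2048):
    """Validate the joined TXT record value; return (ok, reason)."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":        # v= is optional but must be DKIM1 if present
        return False, "not a DKIM1 key record"
    if tags.get("k", "rsa") != "rsa":
        return True, f"key type {tags['k']}; RSA size check skipped"
    public_key = tags.get("p", "")
    if not public_key:
        return False, "empty p= means the key is revoked"
    bits = rsa_modulus_bits(base64.b64decode(public_key))
    if bits < minimum_bits:
        return False, f"{bits}-bit RSA key is below {minimum_bits} bits"
    return True, f"{bits}-bit RSA key"


# Constructed test keys: correct DER framing around a dummy modulus. Not real keys.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def fake_rsa_spki(bits):
    modulus = b"\x00\x80" + b"\x11" * (bits // 8 - 1)   # leading 0x00 keeps the INTEGER positive
    rsa_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    algorithm = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_key))


SAMPLE_2048 = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(2048)).decode()
SAMPLE_1024 = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(1024)).decode()

if __name__ == "__main__":
    print(dkim_record_name("selector1", "yourdomain.com"))
    print(check_dkim_record(SAMPLE_2048))   # (True, '2048-bit RSA key')
    print(check_dkim_record(SAMPLE_1024))   # (False, '1024-bit RSA key is below 2048 bits')
```

To run it against a live record, pull the value with `dig +short TXT selector1._domainkey.yourdomain.com`, join the quoted strings (resolvers split long p= values into 255-byte chunks) and pass the result to `check_dkim_record`. A CNAME-based setup is checked the same way once the resolver has followed the alias to the provider's TXT record.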
Step 3: enable signing
Publishing the record is not enough. You must also switch DKIM signing on inside the platform. Some providers wait until the DNS record is visible before they let you enable it.
Step 4: verify it works
Send a test message to a mailbox you control and check the received headers: you want a DKIM-Signature header on the message and a dkim=pass result in the receiver's Authentication-Results header. Alternatively, scan your domain. Note that DKIM selectors cannot be enumerated from DNS, so a scanner can only try common selector names. If your provider uses a custom selector, the surest check is a real message.
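As an added example (not from this guide), the Python below does the header check over a constructed test message: it confirms a DKIM-Signature header is present, that its d= and s= tags name the domain and selector you set up, and that the receiving server's Authentication-Results header reports dkim=pass for that same domain. The message, the receiver name mx.example.net, the domain yourdomain.example and the selector selector1 are all placeholders; the hash and signature values are dummies.

```python
import email
import re

# Constructed test message (not a real delivery): the headers a receiving server
# would add plus the signature the sending platform attached. Values are placeholders.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@yourdomain.example header.s=selector1 header.b=AbCdEf12;
 spf=pass smtp.mailfrom=yourdomain.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.example;
 s=selector1; h=from:to:subject:date; bh=placeholder; b=placeholder
From: you@yourdomain.example
To: someone@example.net
Subject: DKIM test

hello
"""


def parse_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags


def dkim_results(msg):
    """Return a list of (result, signing_domain, selector) for every dkim= clause
    in the message's Authentication-Results headers."""
    found = []
    for header in msg.get_all("Authentication-Results", []):
        text = " ".join(str(header).split())            # unfold continuation lines
        for match in re.finditer(r"dkim=(\w+)((?:\s+header\.\w+=\S+)*)", text):
            props = dict(re.findall(r"header\.(\w+)=([^\s;]+)", match.group(2)))
            domain = props.get("d") or props.get("i", "").rpartition("@")[2]
            found.append((match.group(1).lower(), domain.lower(), props.get("s", "").lower()))
    return found


def check_dkim(raw_message, expected_domain, expected_selector):
    """Return (ok, reason): the message carries our signature and the receiver verified it."""
    msg = email.message_from_string(raw_message)
    signature = msg.get("DKIM-Signature")
    if signature is None:
        return False, "no DKIM-Signature header: signing is not switched on"
    tags = parse_tags(signature)
    if tags.get("d", "").lower() != expected_domain or tags.get("s", "").lower() != expected_selector:
        return False, f"signed as d={tags.get('d')} s={tags.get('s')}, not {expected_domain}/{expected_selector}"
    for result, domain, selector in dkim_results(msg):
        if result == "pass" and domain == expected_domain and selector in ("", expected_selector):
            return True, f"dkim=pass for {domain} with selector {expected_selector}"
    return False, "signature present but the receiver did not report dkim=pass for it"


if __name__ == "__main__":
    print(check_dkim(SAMPLE_MESSAGE, "yourdomain.example", "selector1"))
```

Feed it the raw source of the test message as your mailbox shows it ("Show original" or the equivalent). The three failure reasons map directly onto the steps above: no signature means Step 3 was skipped, a wrong d= or s= means the platform is signing with a different key than the one you published, and a signature without dkim=pass usually means the DNS record in Step 2 is missing or not yet visible.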
DKIM proves integrity, but it does not tell receivers what to do when a signature is missing or fails, and on its own it does not tie the signing domain to the From address. DMARC adds that policy and the alignment requirement. Set that up next.