DKIM allows a sender to attach a digital signature to each message it sends. The receiver can then verify the signature and easily tell whether the domain that claims to have signed the message actually did. A valid signature also confirms that the contents of the message have not been altered since it was signed, so you can open the message with confidence that it was not intercepted and tampered with in transit. Think of it like receiving an envelope that has been signed and verified by the postal service and delivered to your door sealed and unopened.
DKIM works by using public-key cryptography. For DKIM to work you need a "key pair": one key is called the public key and the other the private key. The private key is used to sign the message. It is called the "private key" because it must be kept secret; anyone who obtains it can sign messages as your domain. The public key, however, is used to verify the signature and can be viewed by anyone, as it is published in DNS. In short, the sending domain signs the message with its private key and publishes the public key in DNS for verification. The signature is included in the headers of the message.
DKIM Steps from the Sending Server
- The sending host generates the public/private key pair used to sign outgoing messages (this step differs depending on the platform on which you have DKIM configured; here is a list of providers supplied by DKIM.org). The public key is published in a DNS TXT record, and the private key is configured on the outbound email server (and not shared with anyone, as it is a private key after all).
- When an email is sent with DKIM enabled, the server uses the stored private key to generate a digital signature of the message, inserts that signature into the message as a header, and sends the email as normal.
DKIM Steps taken by the Receiving Server
- In order for the receiver to understand the DKIM signature, the receiver must be DKIM-enabled. The receiving email server then extracts the signature and the "From:" domain from the email headers.
- The public key is retrieved from DNS.
- The receiving mail server then uses the public key to verify the signature that was generated with the matching private key (if the public key does not match the private key that produced the signature, the message will be seen as fraudulent). A successful verification shows that the email was truly sent from the domain, since the signature can be paired with and verified by the public DNS information for the domain in question.
- The receiving mail server applies any local policies based on the results of the signature verification.
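The sending and receiving steps above, as an added example that is not from the original article: a toy DKIM signer and verifier in Go using DKIM's Ed25519 variant (RFC 8463, a=ed25519-sha256), with an in-memory map standing in for the DNS TXT record and a constructed selector and domain. It skips real DKIM's header/body canonicalization and the h= list of signed headers, hashing the raw header text and body directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

var b64 = base64.StdEncoding
// dnsTXT is a constructed in-memory stand-in for DNS: "<selector>._domainkey.<domain>" -> TXT record text.
var dnsTXT = map[string]string{}
// PublishKey is the sender's setup step: only the public key is published, base64-encoded in the p= tag.
func PublishKey(selector, domain string, pub ed25519.PublicKey) {
	dnsTXT[selector+"._domainkey."+domain] = "v=DKIM1; k=ed25519; p=" + b64.EncodeToString(pub)
}
// Sign hashes the body into bh=, then signs the headers plus this header (b= still empty) with the private key.
func Sign(priv ed25519.PrivateKey, selector, domain, headers, body string) string {
	bh := sha256.Sum256([]byte(body))
	h := "v=1; a=ed25519-sha256; d=" + domain + "; s=" + selector + "; bh=" + b64.EncodeToString(bh[:]) + "; b="
	d := sha256.Sum256([]byte(headers + h))
	return h + b64.EncodeToString(ed25519.Sign(priv, d[:]))
}
// tag returns the value of tag k in a "k=v; k=v" string ("" if absent); base64 values never contain ';'.
func tag(s, k string) string {
	_, rest, _ := strings.Cut("; "+s, "; "+k+"=")
	v, _, _ := strings.Cut(rest, ";")
	return v
}
// Verify is the receiver: d= and s= locate the DNS record, bh= checks the body, b= checks the signed headers.
func Verify(headers, body, dkimHeader string) bool {
	pub, err := b64.DecodeString(tag(dnsTXT[tag(dkimHeader, "s")+"._domainkey."+tag(dkimHeader, "d")], "p"))
	bh := sha256.Sum256([]byte(body))
	if err != nil || len(pub) != ed25519.PublicKeySize || b64.EncodeToString(bh[:]) != tag(dkimHeader, "bh") {
		return false // no usable key published for this selector/domain, or the body was altered after signing
	}
	sig, _ := b64.DecodeString(tag(dkimHeader, "b"))
	unsigned := strings.TrimSuffix(dkimHeader, tag(dkimHeader, "b")) // the header exactly as it was when signed
	d := sha256.Sum256([]byte(headers + unsigned))
	return ed25519.Verify(pub, d[:], sig) // false if any signed header changed or the key does not match
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	PublishKey("sel1", "example.com", pub) // constructed selector and domain
	headers := "From: alice@example.com\r\nSubject: Invoice\r\n"
	sigHeader := Sign(priv, "sel1", "example.com", headers, "Please pay 100 EUR.")
	fmt.Println("intact:", Verify(headers, "Please pay 100 EUR.", sigHeader))   // true
	fmt.Println("tampered:", Verify(headers, "Please pay 900 EUR.", sigHeader)) // false
}
```

The second Verify call fails because the altered body no longer matches the bh= hash, which is the same check a DKIM-enabled receiving server performs before applying its local policy.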