DKIM (DomainKeys Identified Mail) is a way to verify that an email actually came from your domain and wasn’t altered in transit.
When an email is sent, your mail server signs it with a private key. The receiving server checks that signature against a public key stored in your DNS. If they match, the email is considered authentic.
It doesn’t encrypt anything and it doesn’t stop spam by itself. What it does is prove that the message hasn’t been tampered with and that it really came from your domain.
When DKIM is working, you don’t notice it. Emails land normally. When it’s broken or missing, you start seeing problems like messages going to spam, Gmail showing “via” another domain, or replies never showing up.
Most issues come from missing or improperly configured DNS records, mismatched selectors, or multiple systems sending email without proper signing. It also breaks after domain or provider changes if nobody rechecks the setup.
You can check it by sending yourself an email and viewing the headers. If it says “DKIM: PASS,” you’re good. If it says FAIL or NONE, there’s a problem.
DKIM is one of the three core pieces of email trust, along with SPF (who can send) and DMARC (what to do when something fails).
Without DKIM, your email is much more likely to be treated as untrusted and dumped in the spam folder, even if everything else looks fine.