DomainKeys Identified Mail (DKIM) Enablement in OTM/GTM (Doc ID 2513781.1)

Domain Keys Identified Mail (DKIM)
DKIM is a cryptographic signature-based method to authenticate email senders. With DKIM, email senders generate public and private key pairs. The public key is published to DNS records, and the matching private keys are stored in a sender's outbound email servers.

ISPs that authenticate using DKIM look up the public key in the public DNS record. ISPs can then verify that the signature in the email header was generated by the matching private key.

DKIM from Send to End
When an email sender whose email sending system has DKIM set up hits ‘send’ on an email, their email sending program calculates a cryptographic signature using their private DKIM key. That cryptographic signature is inserted in the outgoing email header, and the message is then sent on to the recipient. At any point along the way any of the email servers through which that email passes can validate that signature using the public key, as can of course the receiving system at the other end. If any part of the message covered by the signature seems suspicious, the signature won’t validate.

This means that spoofed email won’t authenticate, because it does not carry a valid DKIM signature. Using DMARC, it’s possible to tell the receiving system what to do with email messages like this that don’t pass validation; typically you would tell the receiving system on the other end to reject a non-validating message