DKIM

DomainKeys Identified Mail (DKIM) is a DNS-based mechanism that lets a receiving mail server cryptographically verify that a message really came from your domain and wasn't tampered with in transit. The sending mail server signs outgoing messages with a private key; receivers fetch the matching public key from a DNS record at selector._domainkey.yourdomain.com and verify the signature. In Microsoft 365, DKIM is enabled per-domain in the Defender portal, with two selectors (selector1 and selector2) for key rotation. Microsoft auto-rotates the keys. Combined with SPF and DMARC, DKIM is essential for email deliverability and anti-spoofing.