DKIM adds a digital signature to outgoing emails using the domain's private key. Recipients verify the signature using the public key published in DNS TXT records, which proves the email wasn't modified in transit.
DKIM verifies the email wasn't modified. SPF verifies the sending server is authorized. DMARC uses both to enforce policy. Without DKIM, email bodies can be modified in transit without detection. Rotate DKIM keys annually or when compromised.