DKIM (DomainKeys Identified Mail) is an open standard for e-mail authentication that cryptographically “signs” an e-mail, helping verify that its sender’s address hasn’t been forged (spoofed) and its message hasn’t been tampered with in transit.

This record can be added to each e-mail message by a sending server.   The sending server needs a DKIM record in the domain.    Other e-mail servers that support DKIM and see the message look for this record in the domain to validate the message.   

A DKIM record example looks like the following:

<selector>._domainkey.example.com  TXT  "v=DKIM1; r=rsa; p="xxxxx a very long value"

_domainkey.example.com  TXT "v=DKIM1; t=y; o=~"

In this example the <selector> is a placeholder.  It is a text value that is known by the sending server that DKIM signs each outbound message.  That process places a header in the message that tells other servers to use this selector to look at the domain's DNS to perform the DKIM validation.

Both the DKIM and SPF records are used for DMARC alignment.

DMARC, or "Domain-Based Message Authentication, Reporting, and Conformance", is an e-mail authentication protocol designed to protect an e-mail domain from being used for e-mail spoofing.  It uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine the authenticity of an e-mail message.

Simply put, it allows e-mail senders to specify how to handle e-mails that were not authenticated using SPF or DKIM.  Senders have the option to either send those e-mails to the junk folder or have them blocked altogether.

A DMARC record example looks like the following:

_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:postmaster@example.com;"

This example illustrates a policy of none which informs DMARC-able servers to apply no specific treatment.   Alternatively, there are policy values of quarantine and reject.   A quarantine action means placing messages in a junk/spam folder and/or placing messages in a queue for review and release.    A policy of reject informs the server to apply strict enforcement and it can reject the message.

Also, this example illustrates reporting which informs DMARC-able servers to report activity to the specified e-mail address.  It is common practice to specify an e-mail address within the same domain and point it to an alias or list if you wish to send the reports to multiple people or to an e-mail address is in another domain.   Note: Using an e-mail address that is in a different domain require additional DNS records for DMARC to consider the address valid.