DKIM is an internet standard that is one of the two ways you can authenticate emails for the purposes of DMARC. It can be used to prove not only that an email is from who it says it is from but also that the email has not been modified in transit.
DKIM consists of an encrypted hash value (also called a DKIM signature) that is placed in the headers of emails. A DKIM signature is associated with a domain, and for DMARC purposes the DKIM domain must be the same as the domain in the From address of the email.
The hash value is generated by the sending system from components of the email (Subject, Date, From address, To address, etc.), and the hash is then encrypted with the private key to produce the encrypted hash value.
When the recipient's email system receives an email with a DKIM signature, it will attempt to verify the email. The signature header includes the list of components used to generate the hash. From the email, the receiving server learns which domain the encrypted hash is associated with, the DKIM selector that identifies the proper key in DNS, and the components of the email that were used to generate the hash.
The receiving server will then generate a hash using the same criteria as the sending server. The receiving system will then do a DNS lookup to find the public key associated with that DKIM signature. The receiver will decrypt the original hash value from the email header using the public key, and if the hash it generated matches the decrypted hash value from the email, the email is successfully authenticated.
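
The receiver-side steps described above, as an added Python example that is not part of the original page: it parses a DKIM-Signature header, builds the DNS name where the public key is published from the selector and domain, checks that the signing domain matches the From domain, and recomputes the body hash. The message, the selector `mail2024` and the `b=` placeholder are constructed; checking `b=` itself is left out because it needs the DNS lookup and a crypto library.

```python
import base64, hashlib, re
from email import message_from_string
from email.utils import parseaddr

def body_hash(body: str) -> str:
    """bh= value: SHA-256 of the body under 'simple' canonicalization (RFC 6376)."""
    data = re.sub(r"\r?\n", "\r\n", body).encode()
    data = data.rstrip(b"\r\n") + b"\r\n"  # ignore trailing empty lines, end with one CRLF
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # drop header folding whitespace
    return tags

def check_dkim_header(raw: str) -> dict:
    """Receiver-side checks that need neither DNS nor the public key."""
    msg = message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return {
        "dns_name": f"{tags['s']}._domainkey.{tags['d']}",  # TXT record holding the public key
        "signed_headers": tags["h"].lower().split(":"),     # components covered by the signature
        "aligned": tags["d"].lower() == from_domain,        # exact match, as described above
        "body_intact": tags["bh"] == body_hash(msg.get_payload()),
    }

# Constructed sample message; bh= is computed here the way the sending system would.
BODY = "Your invoice is attached.\n"
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail2024;\n"
    " h=from:to:subject:date; bh=" + body_hash(BODY) + ";\n"
    " b=PLACEHOLDER\n"  # placeholder, not a real signature value
    "From: Billing <billing@example.com>\n"
    "To: user@example.net\n"
    "Subject: Invoice\n"
    "Date: Mon, 01 Jan 2024 10:00:00 +0000\n"
    "\n" + BODY
)

if __name__ == "__main__":
    print(check_dkim_header(SAMPLE))
    print(check_dkim_header(SAMPLE.replace("attached", "overdue")))  # modified in transit
```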