**DKIM** is one of the trio of authentication methods ([[SPF]], DKIM and [[DMARC]]) that help prevent attackers from sending messages that look like they come from your domain.
DKIM lets you add a digital signature to outbound email messages in the message header. When you configure DKIM, you authorize your domain to associate, or sign, its name to an email message using cryptographic authentication.
In basic terms, the domain's [[private key]] signs selected headers and a hash of the body of each outgoing email. The [[public key]] is published in the domain's [[HPS - DNS]] records, and receiving servers use that key to verify the signature.
# How DKIM works better than [[SPF]] alone to prevent malicious spoofing
[[SPF]] adds information to a message envelope, but DKIM adds a _cryptographic signature_ within the message header.

In this example, if you had only published an SPF TXT record for your domain, the recipient's mail server could have marked your email as spam and generated a false positive result. **The addition of DKIM in this scenario reduces _false positive_ spam reporting.** Because DKIM relies on public key cryptography to authenticate and not just IP addresses, DKIM is considered a much stronger form of authentication than [[Sender Policy Framework (SPF)|SPF]].