DomainKeys is an email authentication method through which emails are digitally signed on a domain basis. Unlike other methods, DomainKeys offers end-to-end integrity of the message, i.e. it can verify that an email has not been modified in transit.
DomainKeys is closely related to DKIM (DomainKeys Identified Mail), which is a result of merging DomainKeys and Identified Internet Mail. In many cases, however, the two terms are used interchangeably.
Here is a short explanation of how DomainKeys works:
The owner of the domain generates a private/public key pair which will be used to sign messages sent from that domain. The public key is placed in the DNS zone of the domain as a TXT record. The private key is kept on the mail server which is used as outgoing mail server for the domain.
When you send an email, the outgoing server will digitally sign it using your private key. The digital signature is added in the
DomainKeys-Signature header in the sent email.
When your email is received, the recipient can then verify your DomainKeys signature using the public key in your domain's DNS. If the signature matches, this means that you have validated both the sending domain and that the message has not been changed in transit.
Note that DomainKeys does not directly prevent or report malicious behavior. It is an email authentication method and it does not itself filter and/or identify spam. Thus, it is recommended to use DomainKeys with a spam-prevention method such as SPF records.