In the context of email security, DKIM (DomainKeys Identified Mail) is a protocol that uses digital signatures to authenticate the sender of an email message and to prevent tampering with the message while it is in transit.
A DKIM signature is calculated from a cryptographic hash of the contents of an email message, using a private key that is known only to the sender's domain. The signature is then attached to the email message as a DKIM-Signature header, which the recipient's mail server can verify using the sender's public key (which is published in the sender's DNS records).
When an email is sent, the sender's mail server adds a DKIM-Signature header to the message, which includes the signature and other metadata (such as the algorithm used to calculate the signature and the domain name of the sender). The recipient's mail server can then use the domain name in the DKIM-Signature header to retrieve the sender's public key from DNS and use it to verify the signature. If the signature is valid, the recipient's mail server can be confident that the message was sent by the domain claimed in the DKIM-Signature header and that the contents of the message have not been altered.
The DKIM protocol allows multiple signatures on a single email message, which is useful when a message passes through multiple mail servers. This is often referred to as "split DKIM" or "multiple DKIM signatures". Each mail server in the path of the email can add its own signature to the message, providing a chain of trust from the sender to the recipient.
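The recipient-side steps described above, as an added example that is not part of the original page: it reads every DKIM-Signature header on a message, derives the DNS name where that signer's public key is published, and recomputes the body hash (`bh=`) to detect altered content. The domains, selectors and message are constructed sample data, and the `b=` signature check and DNS lookup themselves are left out so the code runs offline.

```python
import base64, hashlib, re

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def body_hash(body, mode="simple", limit=None):
    """Base64 SHA-256 of the body after RFC 6376 simple/relaxed canonicalization."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse whitespace runs, drop whitespace at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end are ignored
        lines.pop()
    data = b"\r\n".join(lines) + b"\r\n" if lines else (b"" if mode == "relaxed" else b"\r\n")
    return base64.b64encode(hashlib.sha256(data[:limit]).digest()).decode()

def check_signatures(raw):
    """Report each DKIM-Signature header: signer, key location in DNS, body-hash match."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("ascii", "replace")
    report = []
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "dkim-signature":
            continue
        t = parse_tags(value)
        mode = t.get("c", "simple/simple").partition("/")[2] or "simple"
        limit = int(t["l"]) if t.get("l", "").isdigit() else None
        report.append({
            "domain": t.get("d"),
            "key_dns_name": f"{t.get('s')}._domainkey.{t.get('d')}",  # TXT record with the key
            "body_intact": t.get("a", "").endswith("-sha256")
                           and body_hash(body, mode, limit) == t.get("bh"),
            "partial_body": limit is not None,  # l= means bytes past the limit are unsigned
        })
    return report

# Constructed sample: two signing domains; the b= values are placeholders, not signatures.
BODY = b"Invoice  attached.\r\nRegards\r\n"
def sample(body):
    sigs = b"".join(
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s;\r\n"
        b"\th=from:subject; bh=%s; b=PLACEHOLDER\r\n" % (d, s, body_hash(BODY, "relaxed").encode())
        for d, s in [(b"lists.example.net", b"relay1"), (b"example.com", b"mail2024")])
    return sigs + b"From: a@example.com\r\nSubject: hi\r\n\r\n" + body

if __name__ == "__main__":
    for row in check_signatures(sample(BODY)):
        print(row)
```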