In order to sign a message with DKIM, the sender must decide which header fields to include in the signature. These typically include the sender's "From" address, the Subject, and many others; the message body is covered separately by its own hash. DKIM verification fails if any of the signed fields, or the body, are altered in transit.
The sender's email platform then computes a hash over the canonicalized text of the header fields named in the signature. For example, the fields
From: Nick R <[email protected]> Subject: Update
might map to a hash string such as 3303baf8986f910720abcfa607d81f53. (The value here is only illustrative: production DKIM uses SHA-256, the rsa-sha256 algorithm, whose digests are 64 hex characters long; the older rsa-sha1 variant is deprecated.)
As soon as the hash is computed, it is signed with a private key that only the sender holds. This is a digital signature rather than encryption: the hash itself is not secret, and the private key is used to prove who produced it.
After the email is sent, the receiving email gateway or mailbox provider looks up the matching public key in DNS, using the domain (d=) and selector (s=) tags in the DKIM-Signature header to query the TXT record at selector._domainkey.domain, and uses that key to verify the signature, recovering the hash the sender signed.
The receiver then compares the recovered hash with its own hash of the same header fields, and checks the body hash (bh=) against the body it received. If both match, we know two things: one, the signed fields and the body were not altered in transit, and two, the signature was produced with the private key belonging to the domain that published the public key, so that domain authorized the message. Two caveats follow from this: DKIM says nothing about whether that domain is trustworthy, and header fields not listed in the signature can still be changed without detection.
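The whole round-trip described above, as an added example that is not code from the original article or from any DKIM library: it canonicalizes the headers and body (RFC 6376 "relaxed" rules), hashes them, signs the header hash, builds the DKIM-Signature header, and then verifies intact and tampered copies. It assumes a fixed toy RSA key built from well-known Mersenne primes with raw, unpadded signatures in place of RSASSA-PKCS1-v1_5, and hands the public key to the verifier directly instead of fetching it from DNS; the sample message, addresses and selector name are constructed.

```python
"""Toy DKIM sign/verify round-trip, standard library only.

Added example for this article; not the article's code or any DKIM library.
Assumptions: a fixed toy RSA key with raw (unpadded) signatures in place of
RSASSA-PKCS1-v1_5, and the public key handed to the verifier directly instead
of being fetched from DNS at <selector>._domainkey.<domain>.
"""
import base64
import hashlib
import re

# Toy RSA key from well-known Mersenne primes: public knowledge, demo only.
_P, _Q, _E = 2**521 - 1, 2**607 - 1, 65537
PUBLIC_KEY = (_P * _Q, _E)
PRIVATE_KEY = (_P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1)))
IMPOSTOR_KEY = ((2**607 - 1) * (2**1279 - 1), _E)    # same exponent, not the signer's modulus

def rsa_sign(digest, priv):            # signing: hash^d mod n, done by the key holder
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)

def rsa_verify(digest, sig, pub):      # verifying: sig^e mod n must equal the hash
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")

def parse_message(raw):
    """Split a CRLF message into [(name, raw_value)] headers and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:        # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body

def canon_header(name, value):
    """Relaxed: lowercase name, unfold, collapse whitespace runs, trim around the colon."""
    value = re.sub(r"[ \t\r\n]+", " ", value).strip()
    return f"{name.strip().lower()}:{value}\r\n"

def canon_body(body):
    """Relaxed: collapse whitespace runs, strip line-end whitespace, drop trailing blank lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)

def _header_block(headers, names):
    """Last instance of each h= name, in h= order, canonicalized (RFC 6376 5.4.2)."""
    block = ""
    for name in names:
        for hname, hval in reversed(headers):
            if hname.lower() == name.lower():
                block += canon_header(hname, hval)
                break
    return block

def _body_hash(body):
    return base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()

def sign_message(raw, domain, selector, h_names, priv=PRIVATE_KEY):
    headers, body = parse_message(raw)
    tags = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={':'.join(h_names)}; bh={_body_hash(body)}; b=")
    # Signed data: the h= headers plus this DKIM-Signature with b= empty and no final CRLF.
    data = _header_block(headers, h_names) + canon_header("DKIM-Signature", tags).rstrip("\r\n")
    sig = rsa_sign(hashlib.sha256(data.encode()).digest(), priv)
    b = base64.b64encode(sig.to_bytes((priv[0].bit_length() + 7) // 8, "big")).decode()
    return f"DKIM-Signature: {tags}{b}\r\n" + raw

def verify_message(signed, pub=PUBLIC_KEY):
    headers, body = parse_message(signed)
    dkim = next(v for n, v in headers if n.lower() == "dkim-signature")
    tags = {k: re.sub(r"\s+", "", v) for k, v in re.findall(r"(\w+)=([^;]*)", dkim)}
    if tags.get("bh") != _body_hash(body):             # body altered in transit
        return False
    emptied = re.sub(r"(;\s*)b=[^;]*", r"\1b=", dkim)  # rebuild exactly what the signer hashed
    data = _header_block(headers, tags["h"].split(":")) + canon_header("DKIM-Signature", emptied).rstrip("\r\n")
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    return rsa_verify(hashlib.sha256(data.encode()).digest(), sig, pub)

SAMPLE = (  # constructed message, CRLF line endings as on the wire
    "From: Nick R <nick@example.com>\r\n"
    "To: team@example.net\r\n"
    "Subject: Update\r\n"
    "X-Mailer: toy-client\r\n"
    "\r\n"
    "Hello,\r\n\r\nPlease review the attached update.\r\n"
)

def demo():
    """Sign SAMPLE, then verify intact and tampered copies; returns a verdict per case."""
    signed = sign_message(SAMPLE, "example.com", "sel1", ["from", "to", "subject"])
    return {
        "intact": verify_message(signed),
        "subject_changed": verify_message(signed.replace("Subject: Update", "Subject: Urgent")),
        "body_changed": verify_message(signed.replace("attached update", "attached invoice")),
        "unsigned_header_changed": verify_message(signed.replace("toy-client", "other-client")),
        "wrong_key": verify_message(signed, IMPOSTOR_KEY),
    }
```

Calling demo() shows the property the article is describing: editing the Subject or the body, or verifying with a key other than the signer's, fails, while editing X-Mailer, which is not listed in h=, still verifies. That last case is why the choice of signed headers matters, and why From is mandatory in every DKIM signature.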