DKIM (DomainKeys Identified Mail):
DKIM stands for DomainKeys Identified Mail and is used to authenticate email as it is sent. It is an email security standard designed to make sure messages aren’t altered in transit between the sending and recipient servers.
It uses public-key cryptography to sign email with a private key as it leaves a sending server. Recipient servers then use a public key published to a domain’s DNS to verify the source of the message, and that the body of the message hasn’t changed during transit. Once the signature is verified with the public key by the recipient server, the message passes DKIM and is considered authentic.
The DMARC protocol relies on SPF and DKIM to function.
SPF authenticates the sending server of an email based on the sending IPv4 or IPv6 address. When that email is auto-forwarded, the sending IP address changes, causing SPF to fail. This is one of the limitations of SPF, so you should not rely on SPF alone; configure DKIM as well.
DKIM, on the other hand, authenticates the email based on the sending domain, as well as the email content, using a digital signature. Because the signature is verified with the public key looked up in the sending domain’s DNS records, verification can be performed at any point along the forwarding path, so DKIM survives forwarding.
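The body-hash part of the verification described above, as an added example that is not from the original page: it recomputes the bh= value a receiver compares against and derives the DNS name where the public key is published. The domain, the selector mail2024 and the message are constructed, and the b= signature over the headers is a placeholder that is not checked. It also covers a case beyond the text: a forwarder that only adds a header leaves the hash intact, while one that edits the body does not.

```python
import base64, hashlib, re

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature tag=value list (RFC 6376 section 3.2) into a dict."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, RFC 6376 section 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of whitespace, drop it at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end are ignored
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str, algo: str = "sha256") -> str:
    return base64.b64encode(hashlib.new(algo, canon_body(body, mode)).digest()).decode()

def check_body(raw_message: bytes) -> dict:
    """Recompute bh= for the first DKIM-Signature; name the DNS record with the key.
    The optional l= (body length) tag is not handled in this sketch."""
    head, _, body = raw_message.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("ascii")
    sig = next(h.split(":", 1)[1] for h in unfolded.split("\r\n")
               if h.lower().startswith("dkim-signature:"))
    t = parse_tags(sig)
    c = t.get("c", "simple/simple")
    mode = c.split("/")[1] if "/" in c else "simple"  # body part defaults to simple
    algo = t["a"].split("-", 1)[1]                      # rsa-sha256 -> sha256
    return {"key_record": f"{t['s']}._domainkey.{t['d']}",
            "body_ok": body_hash(body, mode, algo) == t["bh"]}

# Constructed sample: example.com, selector "mail2024" and b= are placeholders.
BODY = b"Hello Bob,\r\n\r\nInvoice attached.\r\n"
SIGNED = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
          b"\ts=mail2024; h=from:to:subject; bh=" + body_hash(BODY, "relaxed").encode()
          + b";\r\n\tb=PLACEHOLDER\r\nFrom: alice@example.com\r\nTo: bob@example.net\r\n"
          b"Subject: Invoice\r\n\r\n" + BODY)
FORWARDED = b"Received: from fwd.example.org (constructed)\r\n" + SIGNED
TAMPERED = SIGNED.replace(b"Invoice attached.", b"Invoice attached. (edited)")

if __name__ == "__main__":
    for name, msg in [("signed", SIGNED), ("forwarded", FORWARDED), ("tampered", TAMPERED)]:
        print(name, check_body(msg))
```

A full verifier would next fetch the TXT record named in key_record and check the b= signature over the headers listed in h=.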