DKIM (DomainKeys Identified Mail, RFC 6376) lets a sender attach a cryptographic signature to outbound mail. The signature is computed over selected headers and the body, then placed in a DKIM-Signature: header. Receivers fetch the corresponding public key from DNS at <selector>._domainkey.<domain> and verify the signature.
The selector is sender-chosen and rotated when keys are rotated. Common selectors include default (generic), google (Google Workspace), selector1/selector2 (Microsoft 365), k1 (Mailchimp / Mandrill), pm (Postmark), and mxvault (MXroute). Detecting DKIM "presence" without knowing the selector means probing a list of common ones; a negative result doesn't prove DKIM is missing -- it might just be a non-standard selector.
DKIM proves the message wasn't modified in transit AND that the signing domain authorized the signature. Combined with DMARC alignment (the signing domain matches the visible From: domain), it defeats most spoofing attempts that SPF alone can't catch.
Operational notes: the DKIM key TTL in DNS bounds your key-rotation cadence; keys shorter than 1024 bits are deprecated; signing only critical headers (Subject, From, Date, To, Message-ID) is fine -- signing all headers risks signature breakage when intermediaries rewrite them.