DKIM
DKIM (DomainKeys Identified Mail) is the second pillar of email authentication, alongside SPF and DMARC. The sending mail server signs outgoing messages with a private key; the corresponding public key is published in DNS. Receivers verify the signature against the published key.
Where the key lives
DKIM keys are published as TXT records at <selector>._domainkey.example.com. Each mail provider has its own selector, so a domain can publish multiple DKIM keys for different senders (e.g., google._domainkey for Google Workspace, k1._domainkey for Mailchimp).
How to look it up
You need the selector. Most providers tell you what it is when you set up DKIM. To verify Google's DKIM for a domain that uses Google Workspace, look up the TXT record at google._domainkey.example.com. To check what selectors a domain uses without knowing in advance, you have to inspect a piece of mail you've received from them — the DKIM-Signature header in any mail tells you the s= selector.
Why DKIM is robust
Unlike SPF, DKIM survives mail forwarding. The signature is on the message body and headers, so as long as the forwarder doesn't modify those, the signature still validates. This is why DMARC requires DKIM or SPF to align — DKIM tends to be the one that holds up.
Related: SPF · DMARC · TXT lookup.