DKIM (DomainKeys Identified Mail)
A cryptographic signature added to every outbound email, verifiable against a public key in your DNS.
DKIM signs the body and key headers of every message with a private key held by your sending platform. The corresponding public key lives in DNS at <selector>._domainkey.<your-domain>. Receiving servers fetch the key, verify the signature, and reject (or score down) anything that fails.
BoomSauce uses dual selectors (s1 and s2) per SendGrid spec. This means a key rotation doesn't take you offline — one selector keeps signing while the other rotates. If you only see `default._domainkey` checks in monitoring tools, they're looking at the wrong selector.
DKIM is what authenticates the actual content of the message; SPF only authenticates the connection. Together they're the foundation of inbox placement.