How does DKIM work?

In DKIM authentication:

• The sender computes a hash value of their message and appends it to their outgoing email.
• 
  When the email is received by the recipient’s mail server, they use their private key to decrypt the hash value and compare it to a public key stored in their DNS records (your DKIM record). If they match, then this verifies that the user received the original message and hasn’t altered it in any way since sending it out.

Given below is a diagram to illustrate the process: 

DomainKeys Identified Mail (DKIM) is an email authentication protocol that has two main components

Digital Signature (Private Key): DKIM gives every email from your domain a digital signature that’s encrypted and private.

Public Encryption Key: Receiving email servers can decrypt the private signature using a public key published in your DNS.

The signature tells the receiving server that your email is legitimate and hasn’t been altered while in transit. If an attacker either intercepts and alters the email, or sends a fake email from your domain, the digital signature will fail to decrypt. The email automatically fails DKIM authentication.