What it is
DKIM attaches a cryptographic signature to the messages your domain sends, and publishes the matching public key in DNS. Receiving servers use that key to confirm the message genuinely came from your domain and was not altered in transit.
Why it matters
DKIM proves authenticity and integrity in a way that survives forwarding, which SPF alone does not. Together with SPF, it is what allows a DMARC policy to pass and protect your domain from being impersonated. A missing or broken DKIM key undermines the whole chain and hurts deliverability of your legitimate mail.
How WebGuard checks it
DKIM keys live at a provider-specific selector, and selectors cannot be listed from DNS, so WebGuard probes the selectors used by the common mail providers (Google Workspace, Microsoft 365, and major sending platforms) with read-only DNS lookups. If none are found it flags this as a low-severity item and notes that a custom selector may not be visible to an external check. It inspects DNS only, and no email is read, sent, or signed.