The interesting technology these days is not DKIM but rather DMARC. DKIM allows you to sign messages so that others know that the message originated from the owner of the domain. DMARC allows you to express what you want receivers to do when someone is spoofing your domain.
If you operate your own domain and you are worried about spoofing, implementing DMARC will put a stop to it with all the major email receivers (Gmail, Yahoo!, Microsoft, etc.), since they all respect DMARC.
But the really cool thing about DMARC is that it lets you receive feedback reports from email receivers with copies of these spoofed messages along with aggregate statistics showing you where spoofed email is originating.
Agreed. Two remarks though: mailing lists often mangle messages, thus breaking signatures (bad mailing lists!), and not all providers send forensic reports (e.g. Gmail doesn't send spoofed messages). In my case most spoofed messages were... my own emails mangled by mailing lists.
It's pretty verbose and lengthy, but I recently read the NIST "Trustworthy Email" publication and it did a great job explaining these technologies - Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain Message Authentication, Reporting, and Conformance (DMARC) - that are used for modern email authentication.
Yes, I am using sendgrid or some other provider; they do all the stuff for you. I like to have control over everything, but when you have to send stuff from multiple domains and you have to ask other companies to add SPF and DKIM to their DNS and deal with all the bs of explaining how it works to other people, just pay sendgrid.
If it is for your own domain and you don't have customers for which you send emails on their domains, it is quite easy to set up on your own.
Check out https://dmarcian.com/. You configure them as the recipient of your XML DMARC reports and they build a nice dashboard with the data. It's free for small stuff.
If you want to use DMARC, you should use an aggregation tool such as ours to process the reports. You typically start with the DMARC policy in 'none' mode, which only enables reporting. Using the reports you verify that all legitimate senders are correctly signing email with DKIM (and preferably are also SPF aligned) before you switch to a 'quarantine' or 'reject' DMARC policy.