A while ago someone came to me and asked if I could add DKIM so that his company would not be identified as a spammer. In one way the answer is yes, but in another way it is no. Why do I say so?
DKIM is easy to advertise in your zone records nowadays. Many popular control panels can publish the record for you if your DNS is hosted on the same server, or you can copy the record into your DNS hosted elsewhere. Whichever the case, DKIM lets your mail server sign outgoing email with a private key that matches the public key you have advertised in public DNS, to tell others that the message really was sent by you.
DKIM is one of the best methods for identifying spoofed email that impersonates a person in the organization. Here's the catch: only the authorized mail server signs that email. If you send through another mail server that signs with different keys, verification will fail whenever the recipient's mail server validates DKIM.
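As an added example (not code from the original post), here is a simplified DKIM sign-and-verify flow in Go that shows the point above: a message signed by the server whose public key is published under the selector passes, while a message signed by another server with its own key under the same selector fails. The selector mail2024, the domain example.com, the in-memory DNS map and the sample message body are constructed stand-ins; real DKIM also canonicalizes and signs selected headers, which is left out here.

```go
package main

import (
	"crypto"; "crypto/rand"; "crypto/rsa"; "crypto/sha256"; "crypto/x509"
	"encoding/base64"; "fmt"; "strings"
)

// Constructed stand-in for the public DNS zone: record name -> TXT value.
var dnsTXT = map[string]string{}
// publishDKIM advertises the public key under <selector>._domainkey.<domain>.
func publishDKIM(selector, domain string, pub *rsa.PublicKey) {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	dnsTXT[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// tagValue returns tag k from a "k=v; k=v" list, splitting at the first '='.
func tagValue(list, k string) string {
	for _, kv := range strings.Split(list, ";") {
		if key, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok && key == k { return v }
	}
	return ""
}
// signMessage builds a DKIM-Signature-style header over the body (real DKIM also
// canonicalizes and signs selected headers; that part is left out here).
func signMessage(priv *rsa.PrivateKey, selector, domain, body string) string {
	h := sha256.Sum256([]byte(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil { panic(err) }
	return fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; b=%s", domain, selector, base64.StdEncoding.EncodeToString(sig))
}

// verifyDKIM does the receiver's job: fetch the key that d= and s= point at and
// check b= against it. A missing record or a signature by another key fails.
func verifyDKIM(header, body string) bool {
	rec := dnsTXT[tagValue(header, "s")+"._domainkey."+tagValue(header, "d")]
	der, e1 := base64.StdEncoding.DecodeString(tagValue(rec, "p"))
	sig, e2 := base64.StdEncoding.DecodeString(tagValue(header, "b"))
	key, e3 := x509.ParsePKIXPublicKey(der)
	pub, isRSA := key.(*rsa.PublicKey)
	if e1 != nil || e2 != nil || e3 != nil || !isRSA { return false }
	h := sha256.Sum256([]byte(body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// demo returns (authorized server's mail verifies, other server's mail verifies).
func demo() (bool, bool) {
	authorized, _ := rsa.GenerateKey(rand.Reader, 2048) // the real outbound server's key
	other, _ := rsa.GenerateKey(rand.Reader, 2048)      // another server's own key
	publishDKIM("mail2024", "example.com", &authorized.PublicKey)
	body := "Invoice attached.\r\n" // constructed sample message body
	good := verifyDKIM(signMessage(authorized, "mail2024", "example.com", body), body)
	bad := verifyDKIM(signMessage(other, "mail2024", "example.com", body), body)
	return good, bad
}
```

Running demo() returns true for the authorized server and false for the other one, which is exactly the failure a validating recipient would report.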
Two more things: the recipient's mail server may not check DKIM at all, or it may check and take no action on a failure. And the real sender's email account may have been compromised, in which case the mail carries a valid signature. In those cases, how can DKIM protect your organization?