The domain owner generates a public/private key pair. The public key is published in the DNS, while the private key is used to sign each outgoing message. The message content and selected header fields can be signed. The receiving email server looks up the public key and uses it to validate the signature and the integrity of the message. The DKIM signature is added to the email's header and is thus invisible when the message is displayed normally.
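The receiver-side steps described above, as an added example that is not part of the original page: it reads a `DKIM-Signature` value, derives the DNS name where the public key is published, lists the signed header fields, and checks the body hash (`bh=`) to detect a modified body. It assumes the RFC 6376 tag names, a constructed message for `example.com` with the hypothetical selector `sel2024`, and no `l=` body-length tag; the public-key check of `b=` is left out because it needs the key from DNS and an RSA library.

```python
import base64, hashlib, hmac, re

def parse_tags(value: str) -> dict:
    """Parse a DKIM 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            # Folding whitespace is not significant in the tags read below.
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, 'simple' or 'relaxed', for CRLF-delimited bodies."""
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
        while lines and lines[-1] == b"":
            lines.pop()                      # drop empty lines at the end
        return b"".join(ln + b"\r\n" for ln in lines)
    return re.sub(rb"(\r\n)*\Z", b"", body) + b"\r\n"   # simple

def body_hash(body: bytes, mode: str) -> str:
    """Base64 SHA-256 of the canonicalized body, the form carried in bh=."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def inspect_signature(dkim_value: str, body: bytes) -> dict:
    """Derive the DNS lookup name and signed header list, and check bh= against the body."""
    t = parse_tags(dkim_value)
    if not t.get("a", "").endswith("-sha256"):
        raise ValueError("only SHA-256 signatures are handled in this example")
    mode = t.get("c", "simple/simple").partition("/")[2] or "simple"
    return {
        "dns_name": f"{t['s']}._domainkey.{t['d']}",     # TXT record holding the public key
        "signed_headers": t["h"].lower().split(":"),
        "body_ok": hmac.compare_digest(body_hash(body, mode), t["bh"]),
    }

# Constructed sample, not a real message. b= is a placeholder: verifying it
# needs the public key from DNS and an RSA library, which this example omits.
BODY = b"Invoice  attached. \r\nRegards,\tAccounts\r\n\r\n"
DKIM_VALUE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
              " h=From:To:Subject:Date; bh=%s; b=PLACEHOLDER" % body_hash(BODY, "relaxed"))

if __name__ == "__main__":
    print(inspect_signature(DKIM_VALUE, BODY))
    print(inspect_signature(DKIM_VALUE, BODY.replace(b"Invoice", b"Refund")))
```

A matching body hash only shows the body is the one that was hashed; the message is authenticated only once `b=` verifies against the published key.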
Since DKIM allows organizations to take responsibility for an email, it enables reputation filtering. Senders in good standing can bypass spam filters using Vouch By Reference, for example, and DKIM can help identify phishing attempts.