What is DKIM signing at MTA level?
DKIM signing at the MTA adds cryptographic signatures to outbound messages. The MTA hashes the message headers and body, signs the hash with a private key, and adds the signature as a DKIM-Signature header. Receiving servers verify it using the public key published in DNS.
MTA configuration specifies: which domains to sign for, which private keys to use (selector-based), which headers to include in the signature, and canonicalization rules for handling message modifications.
Common issues: expired or missing DNS records, private key mismatches, signing configuration errors, and message modifications after signing breaking verification. MTA-level DKIM requires coordination between DNS, MTA configuration, and any intermediate systems handling messages.
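How canonicalization rules decide whether a post-signing modification breaks verification, as an added example that is not part of the original page: RFC 6376 body canonicalization (simple and relaxed) and relaxed header canonicalization in Python, compared over constructed sample bodies. The function names and sample messages are assumptions made for illustration.

```python
import base64
import hashlib
import re

def canon_body_simple(body: bytes) -> bytes:
    # RFC 6376 3.4.3: ignore empty lines at the end, end with exactly one CRLF.
    return body.rstrip(b"\r\n") + b"\r\n"

def canon_body_relaxed(body: bytes) -> bytes:
    # RFC 6376 3.4.4: collapse runs of WSP, drop WSP at line ends,
    # ignore trailing empty lines; an empty body stays empty.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def canon_header_relaxed(raw: bytes) -> bytes:
    # RFC 6376 3.4.2: lowercase the name, unfold, collapse WSP, trim around the colon.
    name, _, value = raw.partition(b":")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \r\n")
    return name.strip().lower() + b":" + value + b"\r\n"

def body_hash(body: bytes, algo: str) -> str:
    # Value of the bh= tag for a SHA-256 based signature.
    canon = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}[algo]
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def bh_survives(signed: bytes, received: bytes, algo: str) -> bool:
    # True when the receiver recomputes the same body hash the signer stored.
    return body_hash(signed, algo) == body_hash(received, algo)

# Constructed sample bodies (not taken from any real message).
SIGNED = b"Hello team,\r\nInvoice attached.\r\n"
RESPACED = b"Hello team, \r\nInvoice  attached.\r\n\r\n"   # relay altered whitespace
FOOTERED = SIGNED + b"-- \r\nScanned by gateway\r\n"       # gateway appended text

if __name__ == "__main__":
    for label, received in [("respaced", RESPACED), ("footered", FOOTERED)]:
        for algo in ("simple", "relaxed"):
            ok = bh_survives(SIGNED, received, algo)
            print(f"{label:9} body={algo:8} bh {'matches' if ok else 'MISMATCH'}")
```

Relaxed canonicalization absorbs whitespace changes only; appended or rewritten content fails under both settings, so signing has to happen after the last system that modifies the message.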