What is DKIM signing at MTA level?

DKIM signing at the **MTA** adds cryptographic signatures to outbound messages. The **MTA** hashes message headers and body, encrypts with a private key, and adds the signature as a header. Receiving servers verify using the public key from **DNS**.

**MTA** configuration specifies: which domains to sign for, which private keys to use (selector-based), which headers to include in the signature, and canonicalization rules for handling message modifications.

Common issues: expired or missing **DNS** records, private key mismatches, signing configuration errors, and message modifications after signing breaking verification. **MTA**-level **DKIM** requires coordination between **DNS**, **MTA** configuration, and any intermediate systems handling messages.