DomainKeys is a public/private key authentication technique used to verify that a received email has been sent by a legitimate user. A public/private key pair is generated for a domain. The private key is installed on all of the MTAs that the domain sends mail out from, and the public key is published in a DNS TXT record. When mail is received by a remote MTA that is DomainKeys enabled, the remote server will verify that the key that was provided matches (through a one-time hash) the public key. This enables the remote mail server to verify that the message was sent by an authorized MTA. This is useful for stopping “joe job” attacks, in which spam is sent out with a bogus “From:” address. If the keys don’t match, the remote MTA can reject the message, use the result as a scoring weight for anti-spam measures, or accept it.
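The flow described above, as an added example that is not part of the original page: the sending MTA signs with the private key, and the receiver looks up the public key in a TXT record and decides what to do with a failure. Assumptions: the `example.com` domain, the `mail` selector, the dictionary standing in for DNS, the demo key, and the simplified record and signing format (no padding, no header canonicalization) are all constructed for illustration.

```python
import base64
import hashlib

# Constructed demo key built from two Mersenne primes so the example needs only
# the standard library. Real keys come from a tool such as OpenSSL, with padding.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus, published in DNS
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, installed on sending MTAs

def b64(i):
    return base64.b64encode(i.to_bytes((i.bit_length() + 7) // 8, "big")).decode()

def unb64(s):
    return int.from_bytes(base64.b64decode(s), "big")

def digest(sender, body):
    # SHA-1 over the signed content (simplified here to From: plus body).
    data = f"From: {sender}\r\n\r\n{body}".encode()
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

# Stand-in for DNS. Simplification: p= holds the bare modulus, not a DER key.
DNS_TXT = {"mail._domainkey.example.com": f"k=rsa; p={b64(N)}"}

def sign(sender, body, selector="mail"):
    """Sending MTA: sign with the private key and attach the signature."""
    sig = pow(digest(sender, body), D, N)
    return {"from": sender, "body": body,
            "d": sender.split("@")[1], "s": selector, "b": b64(sig)}

def verify(msg):
    """Receiving MTA: fetch the public key from DNS and check the signature."""
    if "b" not in msg:
        return "unsigned"
    if msg["d"] != msg["from"].split("@")[1]:
        return "fail"                  # signer must be the From: domain
    txt = DNS_TXT.get(f"{msg['s']}._domainkey.{msg['d']}")
    if txt is None:
        return "fail"                  # no published key for this selector
    tags = dict(t.strip().split("=", 1) for t in txt.split(";"))
    n = unb64(tags["p"])
    ok = pow(unb64(msg["b"]), E, n) == digest(msg["from"], msg["body"])
    return "pass" if ok else "fail"

def disposition(msg, on_fail="score"):
    """Local policy for a failed check: 'reject', 'score' or 'accept'."""
    return on_fail if verify(msg) == "fail" else "accept"
```

A signature copied onto a different body, or a signature naming a domain other than the one in “From:”, fails verification, and `disposition` then applies whichever of the three outcomes the receiving site has chosen.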
Nearly all of the major MTAs now support this; however, you will generally have to compile in DomainKeys support, as it is not turned on by default.
Since Yahoo and (to a lesser extent) AOL developed this method, more information can be found at http://antispam.yahoo.com/domainkeys.
