Validating a digital signature
Signing might be performed by any of the functional components in that environment, including the Mail User Agent (MUA), the Mail Submission Agent (MSA), or the Internet Boundary MTA.
DKIM permits signing to be performed by authorized third parties.
See also X.509 certificate chains for a description of these concepts in a widely used standard for digital certificates.
DKIM allows an organization to take responsibility for transmitting a message, in a way that can be verified by a recipient.
The chain of trust of a certificate chain is an ordered list of certificates, containing an end-user subscriber certificate and intermediate certificates (which represent the intermediate CAs), that enables the receiver to verify that the sender and all intermediate certificates are trustworthy.
This process is best described in the page Intermediate certificate authority.
The owner of the domain name being used for a DKIM signature is declaring that they are accountable for the message. Receivers who successfully validate a signature can use information about the signer as part of a program to limit spam, spoofing, phishing, or other undesirable behavior, although the DKIM specification itself does not prescribe any specific actions by the recipient.
An interesting example of signature use is to detect email that purports to be from a user of the receiving site.
This use of multiple layers is an application of a general technique to improve scalability, and is analogous to the use of multiple certificates in a certificate chain.
The organization can be the author's, the originating sending site, an intermediary, or one of their agents.
Their reputation is the basis for evaluating whether to trust the message for delivery.
In computer security, a chain of trust is established by validating each component of hardware and software from the end entity up to the root certificate.
It is intended to ensure that only trusted software and hardware can be used while still retaining flexibility.