I've configured DKIM (milter-dkim) on my mail server. Incoming e-mail sent from my domain now containts the following header:
X-DKIM: Sendmail DKIM Filter v2.8.3 MYDOMAIN.com o7FLH1Wa032083
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.com; s=mail;
t=1281907022; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:
Content-Transfer-Encoding;
b=qetPkilXBdjnuqiKIyvAwsvTvJfAnq5urdgp/i7p/uLJ8DB+svy9A8C6CPmcfELsJ
hDid5k2AN5JD+wM2INmUIgjeAa/IwpGTbuMloj0Wioh4njqIfbATJqOhuqxTjic
1.) So I guess that confirms that I have DKIM setup correctly, right?
But when I look at a message coming in from Google, I see:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
...snip...
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
...snip...
2.) What is the relationship of DomainKey-Signature vs DKIM-Signature?
They are two separate things. DomainKeys is older, created by Yahoo!. DKIM is DomainKeys + Identified Internet Mail (another scheme to verify emails created by Cisco).
The headers are compatible, apparently, but some newer systems don't check DKIM, so you have to generate both to make everyone happy.
DKIM is a newer version of the DomainKeys protocol. If you sign your mail via DKIM, you should not need to implement DomainKeys.
To answer your first question, it means that your outgoing mail is being signed, but you must have the corresponding DNS records in order for receiving mail servers to validate it.
When it's all setup, if you check your headers for a message that's come in, your mail server should provide some indication of it's success. If you have a Google account, it will display the results under the 'Authentication-Results' header. If it's setup correctly, you should see the following:
Remember to setup SPF records too, they are more widely checked than DKIM/DomainKeys.
Question 2, DKIM is the newer implementation. If you have the ability to use DKIM, use it over DomainKeys.