Which DNS feature adds a cryptographic signature to email headers to verify message integrity during transmission?

DomainKeys Identified Mail (DKIM) is a key authentication protocol that adds a cryptographic signature to the headers of an email. This signature helps verify the integrity of a message during transmission, ensuring that the message has not been altered while in transit. By signing the email with a private key, the sender allows the recipient’s mail server to verify the authenticity of the message using a public key published in the Domain Name System (DNS). This process enhances email security by confirming that the email is indeed from the claimed sender and that it has not been tampered with.

In contrast, Sender Policy Framework (SPF) is used to specify which mail servers are allowed to send emails on behalf of a domain; it does not provide a mechanism for signing emails or verifying their integrity. Address Record (A Record) and Text Record (TXT) are types of DNS records used for mapping domain names to IP addresses or storing text information respectively, but they do not specifically address email authentication or provide cryptographic signatures. Therefore, DKIM is the feature specifically designed for adding that cryptographic layer to email headers.