How to turn it on
Set g_dkim_sign "true"
On the web admin interface search for "Create DKIM" then click on the Configure link.
Add the DNS setting it suggests for your domains(s).
Also add the suggested DMARC settings, (this requires a recent version of surgemail)
See https://surgemail.com/knowledge-base/sending-email-to-avoid-spam-filters-best-practices/
How it works:
DomainKeys is a cryptographic method that allows a receiving server/client to verify that the From/Sender header was accurate and not forged.
It does this by looking up the senders _domainkey.domain.name dns record to get the public key which it uses to check the signature in the message headers is correct.
SurgeMail makes use of this information to avoid grey bouncing a message when no SPF information exists. And may in future score signed messages differently.
SurgeMail can also 'sign' outgoing email, this helps your email get delivered to servers that use this information to further verify a message. And this makes it harder for spammers to forge your domain successfully.
There is a button in surgemail to generate your private/public keys. This creates the file domainkey.pem, if you have several servers sending email for your domain you will need to copy this file to each server.
As well as entering your public key into your dns you will define your policy in the txt dns record default._domainkey.your.domain and _domainkey.your.domain, this policy defines if you are testing or not, and if you sign all or some of the messages from your domain. A receiving system 'should' use this information to determine what action is valid if a signature does not exist or fails to verify.