
> It simply offers an assurance that, at around the time of sending, a given email was most likely sent from the server that signed it. It can't prove _anything_ about who actually sent it, because it can't guarantee the ownership of the email account.

Not on its own, but it's a critical step in this chain:

1. DKIM verifies that a message was sent by Gmail.

2. We assume Gmail is careful with its keys.

3. We assume Gmail doesn't forge addresses.

4. Find evidence that links me to that address.

Most people will readily grant #2 and #3. Now we just need #4, which can be easy.

No, it's not cryptographically verified end-to-end, but it's good enough to convince a court or to convince a respectable news organization to run a story.



