Skip to main content
DKIM is an email authentication method that allows the recipient to verify that an email was indeed sent and authorized by the owner of that domain. It works by adding a digital signature to the email header that can be verified using a public key published in your DNS.

How DKIM Works

1

Email is signed

When you send an email through Lettr, it signs the message content and selected headers using a private key. The resulting cryptographic signature is added to the email as a DKIM-Signature header.
2

Public key is published in DNS

You publish the corresponding public key as a DNS TXT record on your domain (e.g., scph0722._domainkey.yourdomain.com). This allows any receiving server to look up the key.
3

Recipient server verifies the signature

The recipient’s mail server extracts the DKIM-Signature header, queries your domain’s DNS for the public key, and uses it to verify the signature.
4

Authenticity confirmed

If verification passes, the email is confirmed as authentic and unmodified in transit. A failed verification signals the message may have been tampered with or is not from your domain.

DKIM Record Explained

A DKIM public key record contains:

DKIM Signature Header

When Lettr sends an email, it adds a DKIM-Signature header:

DKIM Alignment for DMARC

For DMARC to pass based on DKIM, the domain in the d= tag of the DKIM signature must align with the From: header domain. Lettr automatically signs emails with your domain, ensuring DKIM alignment:

Troubleshooting

If DKIM verification fails, check the most common causes:

Testing DKIM

The simplest way to verify your DKIM configuration is to send a test email to a personal account and inspect the email headers. The Authentication-Results header will show whether the DKIM signature was verified successfully:
  1. Send an email to your personal account (Gmail works well for header inspection)
  2. View the email headers/source (in Gmail: More → Show original)
  3. Look for DKIM-Signature: in the headers to confirm the signature was added
  4. Check for dkim=pass in the Authentication-Results header to confirm verification
Example passing result:

Next Steps

DMARC

Configure DMARC to tie SPF and DKIM together

BIMI

Display your brand logo in email clients