Skip to main content
DKIM is an email authentication method that allows the recipient to verify that an email was indeed sent and authorized by the owner of that domain. It works by adding a digital signature to the email header that can be verified using a public key published in your DNS.

How DKIM Works

1

Email is signed

When you send an email through Lettr, it signs the message content and selected headers using a private key. The resulting cryptographic signature is added to the email as a DKIM-Signature header.
2

Public key is published in DNS

You publish the corresponding public key as a DNS TXT record on your domain (e.g., scph0722._domainkey.yourdomain.com). This allows any receiving server to look up the key.
3

Recipient server verifies the signature

The recipient’s mail server extracts the DKIM-Signature header, queries your domain’s DNS for the public key, and uses it to verify the signature.
4

Authenticity confirmed

If verification passes, the email is confirmed as authentic and unmodified in transit. A failed verification signals the message may have been tampered with or is not from your domain.

DKIM Record Explained

A DKIM public key record contains: 
v=DKIM1;           # DKIM version
k=rsa;             # Key type (RSA)
p=MIGfMA0GCS...    # Public key (base64 encoded)
FieldDescription
vDKIM version (always DKIM1)
kKey type (rsa or ed25519)
pPublic key in base64 format
tOptional flags (e.g., t=s for strict mode)

DKIM Signature Header

When Lettr sends an email, it adds a DKIM-Signature header: 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=scph0722;
  h=from:to:subject:date;
  bh=abc123...;
  b=xyz789...
FieldDescription
vSignature version
aSigning algorithm
cCanonicalization method
dSigning domain
sSelector (identifies which key to use)
hHeaders included in signature
bhBody hash
bSignature

DKIM Alignment for DMARC

For DMARC to pass based on DKIM, the domain in the d= tag of the DKIM signature must align with the From: header domain. Lettr automatically signs emails with your domain, ensuring DKIM alignment: 
// Email sent from: hello@example.com
// DKIM signature d= tag: example.com
// Result: Aligned ✓

Troubleshooting

If DKIM verification fails, check the most common causes:
IssueCauseSolution
DKIM not verifyingCNAME record hostname is incorrectEnsure the record uses the exact selector provided by Lettr (e.g., scph0722._domainkey), not a generic _domainkey
CNAME not resolvingTypo in the CNAME target valueVerify the value matches exactly what Lettr provided; DNS changes can take up to 48 hours to propagate
Signature invalidEmail content was modified in transitMailing list software, forwarding services, or anti-virus tools can alter message content after signing, breaking the signature
DMARC failing despite DKIM passDKIM domain doesn’t align with From headerThe domain in the DKIM d= tag must match (or be a subdomain of) the domain in the From: header for DMARC alignment

Testing DKIM

The simplest way to verify your DKIM configuration is to send a test email to a personal account and inspect the email headers. The Authentication-Results header will show whether the DKIM signature was verified successfully:
  1. Send an email to your personal account (Gmail works well for header inspection)
  2. View the email headers/source (in Gmail: More → Show original)
  3. Look for DKIM-Signature: in the headers to confirm the signature was added
  4. Check for dkim=pass in the Authentication-Results header to confirm verification
Example passing result: 
Authentication-Results: mx.google.com;
  dkim=pass header.d=example.com header.s=scph0722;
  spf=pass smtp.mailfrom=example.com

Next Steps

DMARC

Configure DMARC to tie SPF and DKIM together

BIMI

Display your brand logo in email clients