How DKIM Works
1
Email is signed
When you send an email through Lettr, it signs the message content and selected headers using a private key. The resulting cryptographic signature is added to the email as a
DKIM-Signature header.2
Public key is published in DNS
You publish the corresponding public key as a DNS TXT record on your domain (e.g.,
scph0722._domainkey.yourdomain.com). This allows any receiving server to look up the key.3
Recipient server verifies the signature
The recipient’s mail server extracts the
DKIM-Signature header, queries your domain’s DNS for the public key, and uses it to verify the signature.4
Authenticity confirmed
If verification passes, the email is confirmed as authentic and unmodified in transit. A failed verification signals the message may have been tampered with or is not from your domain.
DKIM Record Explained
A DKIM public key record contains:DKIM Signature Header
When Lettr sends an email, it adds a DKIM-Signature header:DKIM Alignment for DMARC
For DMARC to pass based on DKIM, the domain in thed= tag of the DKIM signature must align with the From: header domain.
Lettr automatically signs emails with your domain, ensuring DKIM alignment:
Troubleshooting
If DKIM verification fails, check the most common causes:Testing DKIM
The simplest way to verify your DKIM configuration is to send a test email to a personal account and inspect the email headers. TheAuthentication-Results header will show whether the DKIM signature was verified successfully:
- Send an email to your personal account (Gmail works well for header inspection)
- View the email headers/source (in Gmail: More → Show original)
- Look for
DKIM-Signature:in the headers to confirm the signature was added - Check for
dkim=passin theAuthentication-Resultsheader to confirm verification
Next Steps
DMARC
Configure DMARC to tie SPF and DKIM together
BIMI
Display your brand logo in email clients