> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lettr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# DKIM Records

> Configure DKIM so Lettr cryptographically signs your emails, letting receiving servers verify they came from your domain unaltered

DKIM is an email authentication method that allows the recipient to verify that an email was indeed sent and authorized by the owner of that domain. It works by adding a digital signature to the email header that can be verified using a public key published in your DNS.

## How DKIM Works

<Steps>
  <Step title="Email is signed">
    When you send an email through Lettr, it signs the message content and selected headers using a private key. The resulting cryptographic signature is added to the email as a `DKIM-Signature` header.
  </Step>

  <Step title="Public key is published in DNS">
    You publish the corresponding public key as a DNS TXT record on your domain (e.g., `scph0722._domainkey.yourdomain.com`). This allows any receiving server to look up the key.
  </Step>

  <Step title="Recipient server verifies the signature">
    The recipient's mail server extracts the `DKIM-Signature` header, queries your domain's DNS for the public key, and uses it to verify the signature.
  </Step>

  <Step title="Authenticity confirmed">
    If verification passes, the email is confirmed as authentic and unmodified in transit. A failed verification signals the message may have been tampered with or is not from your domain.
  </Step>
</Steps>

## DKIM Record Explained

A DKIM public key record contains:

```
v=DKIM1;           # DKIM version
k=rsa;             # Key type (RSA)
p=MIGfMA0GCS...    # Public key (base64 encoded)
```

| Field | Description                                  |
| ----- | -------------------------------------------- |
| `v`   | DKIM version (always DKIM1)                  |
| `k`   | Key type (rsa or ed25519)                    |
| `p`   | Public key in base64 format                  |
| `t`   | Optional flags (e.g., `t=s` for strict mode) |

## DKIM Signature Header

When Lettr sends an email, it adds a DKIM-Signature header:

```
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=scph0722;
  h=from:to:subject:date;
  bh=abc123...;
  b=xyz789...
```

| Field | Description                            |
| ----- | -------------------------------------- |
| `v`   | Signature version                      |
| `a`   | Signing algorithm                      |
| `c`   | Canonicalization method                |
| `d`   | Signing domain                         |
| `s`   | Selector (identifies which key to use) |
| `h`   | Headers included in signature          |
| `bh`  | Body hash                              |
| `b`   | Signature                              |

## DKIM Alignment for DMARC

For DMARC to pass based on DKIM, the domain in the `d=` tag of the DKIM signature must align with the `From:` header domain.

Lettr automatically signs emails with your domain, ensuring DKIM alignment:

```javascript theme={null}
// Email sent from: hello@example.com
// DKIM signature d= tag: example.com
// Result: Aligned ✓
```

## Troubleshooting

If DKIM verification fails, check the most common causes:

| Issue                           | Cause                                      | Solution                                                                                                                        |
| ------------------------------- | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------- |
| DKIM not verifying              | CNAME record hostname is incorrect         | Ensure the record uses the exact selector provided by Lettr (e.g., `scph0722._domainkey`), not a generic `_domainkey`           |
| CNAME not resolving             | Typo in the CNAME target value             | Verify the value matches exactly what Lettr provided; DNS changes can take up to 48 hours to propagate                          |
| Signature invalid               | Email content was modified in transit      | Mailing list software, forwarding services, or anti-virus tools can alter message content after signing, breaking the signature |
| DMARC failing despite DKIM pass | DKIM domain doesn't align with From header | The domain in the DKIM `d=` tag must match (or be a subdomain of) the domain in the `From:` header for DMARC alignment          |

## Testing DKIM

The simplest way to verify your DKIM configuration is to send a test email to a personal account and inspect the email headers. The `Authentication-Results` header will show whether the DKIM signature was verified successfully:

1. Send an email to your personal account (Gmail works well for header inspection)
2. View the email headers/source (in Gmail: More → Show original)
3. Look for `DKIM-Signature:` in the headers to confirm the signature was added
4. Check for `dkim=pass` in the `Authentication-Results` header to confirm verification

Example passing result:

```
Authentication-Results: mx.google.com;
  dkim=pass header.d=example.com header.s=scph0722;
  spf=pass smtp.mailfrom=example.com
```

## Next Steps

<CardGroup cols={2}>
  <Card title="DMARC" icon="shield" href="/learn/domains/dmarc">
    Configure DMARC to tie SPF and DKIM together
  </Card>

  <Card title="BIMI" icon="image" href="/learn/domains/bimi">
    Display your brand logo in email clients
  </Card>
</CardGroup>
