LettermintLettermint
LoginStart for free
Back Back to 'Definitions'
Definitions

What is DKIM?

Last updated:

Together with SPF and DMARC, DKIM ensures complete email security. We've already explained what DMARC and SPF are. Now it's time for the third component: DKIM. This technology prevents your emails from being altered during transmission. At Lettermint, we use DKIM to send transactional emails securely. In this article, we'll explain what DKIM is and how it works.

What is DKIM

DKIM stands for DomainKeys Identified Mail. It's a security method developed in 2007 by Yahoo! and Cisco. DKIM adds a digital signature to every email you send. This signature guarantees two important things:

  1. The email truly comes from your domain
  2. The content hasn't changed during transmission (no malicious links or malware added)

Think of it as a sealed envelope. If someone opened the envelope, the recipient knows it's been tampered with. With DKIM, this works digitally: the receiving mail server checks the signature. Does it match? Then the email is authentic and unchanged.

DKIM works together with SPF and DMARC. SPF checks which servers are allowed to send your emails. DMARC determines what happens to fake mail. DKIM verifies that your email content hasn't been altered en route.

How DKIM works

DKIM uses cryptography (fancy word for encryption) to secure emails. The process works with two keys: a private key and a public key.

When you send an email with Lettermint, the following happens:

  1. Lettermint creates a digital signature with a secret key
  2. This signature is added to the email header
  3. The receiving mail server retrieves the key from your DNS
  4. Using this key, the server checks if the signature matches
  5. If everything matches, the email is approved

This entire process happens behind the scenes in milliseconds. You won't notice it as a user. At Lettermint, we not only ensure this security, but also lightning-fast delivery as you can see in our Time to Inbox statistics.

Loading

Loading

Loading

Loading

The technology behind DKIM

A DKIM signature consists of various components that together enable authentication. In your email header, you'll see something like this:

      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=example.com; s=default; h=from:to:subject:date;
bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb...

DKIM fields explained

The most important fields in a DKIM signature:

FieldNameDescriptionExample
vVersionDKIM version (always 1)v=1
aAlgorithmCryptographic method useda=rsa-sha256
cCanonicalizationHow headers and body are preparedc=relaxed/relaxed
dDomainThe domain signing the emaild=example.com
sSelectorReference to the correct public keys=default
hHeadersWhich headers are included in signatureh=from:to:subject
bhBody HashHash of email contentbh=2jUSO...
bSignatureThe actual digital signatureb=dzdVy...

DKIM canonicalization

Canonicalization (see c in table above) determines how strictly DKIM handles small changes in emails. There are two options:

  • Simple: Any change invalidates the signature
  • Relaxed: Allows small changes like extra spaces

Most services use relaxed/relaxed because mail servers sometimes make small adjustments to emails during transmission. Think of extra spaces, tabs being replaced, or line endings formatted differently. Without this flexibility, many emails would be incorrectly rejected.

Setting up DKIM

You place a DKIM record as a TXT record in your DNS. The location is different than for SPF or DMARC. You use the pattern: [selector]._domainkey.[domain]. At Lettermint, we use the selector lettermint.

      v=DKIM1; k=rsa; p=MIGfMAQ...

Cloudflare DKIM record

DKIM with Lettermint

At Lettermint, we handle DKIM for you. When you add a domain, we automatically generate the necessary keys. You just need to add the DNS record we provide to your DNS.

Why DKIM is important for deliverability

DKIM is one of three authentication methods that mail servers check. Together with SPF and DMARC, it determines whether your emails land in the inbox or spam folder.

Major mail providers like Gmail, Outlook, and Yahoo give emails with valid DKIM signatures a higher reputation score. This means:

  • Your emails land in the inbox more often
  • Less chance of spam filtering
  • Higher trust score with recipients
  • Protection against phishing with your domain

All these benefits together ensure your emails reliably arrive where they belong: in your customers' inbox.

DKIM Check

Test below whether your domain has a valid DKIM configuration. Enter your domain and selector to retrieve and validate the public key.

Not sure what to enter? Use lettermint for selector, lettermint.co for domain.

DKIM Checker

Conclusion

DKIM is important for email security. It adds a digital signature to your messages. This lets mail servers know your email is genuine and hasn't been altered en route. Together with SPF and DMARC, it protects your domain against abuse.

With Lettermint, we make DKIM configuration simple. We automatically generate the right keys and tell you exactly which DNS record to add. This ensures your emails arrive safely and reliably.

A properly configured DKIM provides:

  • Emails that can't be forged
  • Better deliverability and inbox placement
  • Protection of your domain reputation
  • Trust with recipients
Need more help?

Can't find what you're looking for?

If you couldn't find the information you were looking for, please don't hesitate to reach out to us. Our team is here to assist you with any questions you may have.

Contact us
Ask on Discord