What does a DKIM record look like?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
A DKIM record is a DNS TXT record published at a specific subdomain. It holds the public key that receivers use to verify your email's cryptographic signature. Here's what a real one looks like:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7...
Broken down tag by tag:
v=DKIM1: version. Always DKIM1. No other version exists in production use.k=rsa: key type. RSA is the standard. Ed25519 is newer and shorter but not universally supported yet, so RSA is the safe choice.p=...: the public key itself, base64-encoded. This is the long string that makes up most of the record. Your ESP gives you this value and you publish it exactly as they provide it. Don't modify it.
Where it lives in DNS
The record isn't at your root domain. It goes at a subdomain that combines your selector name and _domainkey:
selector._domainkey.yourdomain.com
So if you're using selector "s1" on the domain harborpost.net, the full DNS location would be:
s1._domainkey.harborpost.net
You can verify the record is publishing correctly with our DKIM checker.
What broken looks like
If the record doesn't exist at all, receivers get a DNS lookup failure and DKIM returns "none." If the key in DNS doesn't match the private key your ESP is signing with (common after a key rotation goes wrong), DKIM returns "fail." Both cases break DMARC alignment if DKIM is one of your alignment paths.
If you're troubleshooting a DKIM failure and need to see which selector the receiver actually tried to look up, paste the email header into the header analyzer. It'll name the selector directly from the signature. The SOS hotline is free if you're stuck.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.