
DNS Record Explainer

Paste any DNS record and get a plain-English breakdown — every tag explained, risky settings flagged, related tools suggested. No domain needed.

paste_record
// detects SPF / DKIM / DMARC / BIMI / CAA / MX / MTA-STS / TLS-RPT / generic TXT. Paste the record value — no quotes needed.
[ OK ] Detected: DKIM
input
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...
[ explanation · ai ]
[ breakdown ]

v=DKIM1 — version tag. Always "DKIM1" for current DKIM. Mandatory; tells receivers this is a DKIM public key record.

k=rsa — key type. RSA is the standard (only widely supported option in practice). Specifies the cryptographic algorithm used for the signature.

p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ... — the actual public key in base64 format. This is what receiving mail servers use to verify signatures on your outbound messages. Incomplete in your input (truncated after "gQ"), so the full key wasn't pasted. A complete RSA-2048 key is typically ~400 characters; RSA-4096 ~700+.
[ flags ]

Truncated input — you've only shown the start of the key. Can't validate the full record without the complete base64 string. Missing closing characters means this record won't work.
Missing selector — DKIM records live at `<selector>._domainkey.<domain>` in DNS (e.g., `default._domainkey.example.com`). You've shown only the TXT record value, not the full DNS name. Confirm your selector matches what's configured in your mail server.
No optional tags visible — you could add `t=y` (testing mode, non-enforcement) or `n=` (notes), but they're not present. This is fine; defaults are safe.
[ context ]

DKIM records enable cryptographic signing of outbound email. Without this, mail you send won't have a verifiable signature, making it more likely to land in spam folders or be rejected by strict receivers (especially Gmail, Microsoft 365). The record must be published at the exact selector your mail server uses, and the public key must match the private key doing the signing. If the key mismatches or DNS lookup fails, signatures fail validation and mail gets deprioritized.

**Next step:** Paste the complete p= value (all base64 characters to the end) so it can be validated. Confirm the selector and domain path too.
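
Even a truncated `p=` value still carries the key's ASN.1 header, so the declared RSA modulus size and the truncation itself can be checked offline. The following is an added example, not this tool's own code; `parse_tags`, `der_len`, `inspect_dkim` and the flag names are hypothetical, and the 2048-bit threshold is an assumed policy choice.

```python
import base64

def parse_tags(record):
    """Split a DKIM TXT value into {tag: value}; whitespace inside values is dropped."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags

def der_len(buf, i):
    """Read the DER length field at buf[i]; return (length, index of first content byte)."""
    first = buf[i]                      # IndexError here means the input ran out
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if i + 1 + n > len(buf):
        raise IndexError("length field cut off")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def inspect_dkim(record):
    """Return (rsa_bits_or_None, flags) for a pasted DKIM record value."""
    tags, flags = parse_tags(record), []
    if "y" in tags.get("t", "").split(":"):
        flags.append("testing-mode")
    p = tags.get("p", "")
    b64 = p.rstrip(".")                 # a pasted "..." ellipsis is not base64
    if not b64 or tags.get("k", "rsa") != "rsa":
        return None, flags + (["no-key"] if not b64 else [])
    if len(b64) % 4 == 1:               # one stray char carries no whole byte
        b64 = b64[:-1]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    bits = None
    try:
        total, i = der_len(raw, 1)      # outer SEQUENCE (SubjectPublicKeyInfo)
        if b64 != p or len(raw) < i + total:
            flags.append("truncated")   # fewer bytes than the header declares
        alen, j = der_len(raw, i + 1)   # AlgorithmIdentifier SEQUENCE, skipped
        _, j = der_len(raw, j + alen + 1)   # BIT STRING header
        _, j = der_len(raw, j + 2)      # unused-bits byte, then RSAPublicKey SEQUENCE
        mlen, _ = der_len(raw, j + 1)   # INTEGER: the modulus
        bits = (mlen - mlen % 2) * 8    # assumes the usual leading 0x00 pad byte
    except IndexError:
        flags.append("header-incomplete")
    if bits is not None and bits < 2048:    # assumed policy threshold
        flags.append("rsa-below-2048")
    return bits, flags
```

Called on the record pasted above, `inspect_dkim` returns 1024 bits with the `truncated` and `rsa-below-2048` flags, because the `MIGf...` prefix is the header of a 1024-bit RSA key.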
[ related ]
→ /tools/dkim-checker run the live checker on a real domain
→ /blog/dkim-key-not-found
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers — no analytics/telemetry on paste content.