
DNS Record Explainer

Paste any DNS record and get a plain-English breakdown - every tag explained, risky settings flagged, related tools suggested. No domain needed.

// detects SPF / DKIM / DMARC / BIMI / CAA / MX / MTA-STS / TLS-RPT / generic TXT. Paste the record value - no quotes needed.
[ OK ] Detected: DKIM
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...
[ explanation · ai ]
[ breakdown ]

v=DKIM1
Version tag. Always set to DKIM1. Signals this is a DKIM public key record, not something else.

k=rsa
Key type. RSA is the standard and currently the only widely supported algorithm. Rarely changes. Some implementations accept "ed25519", but adoption is minimal; stick with rsa unless you have a specific reason.

p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...
Public key material in base64. This is the actual RSA public key that receiving mail servers use to verify signatures on your outbound mail. The snippet shown is truncated: a real RSA-2048 key is ~370 base64 characters, RSA-4096 is ~730. The full key must be intact with no line breaks in the DNS record (some DNS interfaces split it visually, but the actual value is one continuous string).
[ flags ]

Truncated input: You've shown only the prefix. Verify the complete key is stored in DNS; receiving servers will fail verification if the key is cut off.
No optional tags present: You're missing commonly recommended tags:
– t= (flags): Set t=y to restrict key usage to test mode, or omit for production. Recommended during rollout.
– s= (service type): Defaults to "email" if omitted, which is fine. Rarely needed.
– n= (notes): Optional documentation, not used by verifiers.
Key length not specified in record, but matters operationally: RSA-2048 is minimum, RSA-4096 is better for long-term security (though adds ~2KB DNS query size). Verify which you're deploying.
Check selector is correct: This record goes in DNS as `<selector>._domainkey.<yourdomain>.com`. If the selector is wrong, signing will fail silently.
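The breakdown and flags above can be reproduced mechanically. The following Python is an added example, not the explainer's own code: it splits a DKIM TXT value into its tags, applies the checks the flags describe (version, key type, truncated or revoked p=, test mode, the 255-byte TXT string limit), builds the `<selector>._domainkey.<domain>` name, and sizes an RSA key by walking the DER SubjectPublicKeyInfo that p= encodes. The sample records are constructed; `fake_rsa_spki` produces a structurally valid key blob with a filler modulus so the example runs offline without a real key.

```python
import base64
import re

# Constructed sample: mirrors the truncated paste shown on the page (not a real key).
TRUNCATED_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ..."


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using long-form length when the body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_read(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, body, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def fake_rsa_spki(bits: int) -> bytes:
    """Build a structurally valid SubjectPublicKeyInfo around a dummy modulus of `bits` bits.
    Constructed for this example only: the modulus is filler, not a usable key."""
    modulus = b"\x00" + b"\xab" * (bits // 8)            # leading 0x00 keeps the INTEGER positive
    rsa_pub = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))  # n, e = 65537
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption, NULL
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))  # BIT STRING: 0 unused bits + RSAPublicKey


def rsa_modulus_bits(spki: bytes) -> int:
    """Return the RSA modulus size in bits from a DER SubjectPublicKeyInfo (the decoded p= value)."""
    tag, body, _ = _der_read(spki)
    if tag != 0x30:
        raise ValueError("p= is not a SubjectPublicKeyInfo SEQUENCE")
    _, _, after_alg = _der_read(body)                    # skip AlgorithmIdentifier
    tag, bitstr, _ = _der_read(body, after_alg)
    if tag != 0x03:
        raise ValueError("expected BIT STRING after AlgorithmIdentifier")
    _, rsa_pub, _ = _der_read(bitstr[1:])                # drop unused-bits byte, read RSAPublicKey
    _, modulus, _ = _der_read(rsa_pub)                   # first INTEGER is the modulus n
    return len(modulus.lstrip(b"\x00")) * 8


def parse_dkim_record(record: str) -> dict:
    """Split a DKIM TXT value into tag -> value (RFC 6376 tag-list). Tolerates the quoted
    multi-string form zone files use for long values and whitespace inside p=."""
    tags = {}
    for part in record.replace('"', "").split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        name = name.strip()
        tags[name] = re.sub(r"\s+", "", value) if name == "p" else value.strip()
    return tags


def analyze_dkim(record: str, selector: str = "<selector>", domain: str = "<domain>") -> dict:
    """Apply the page's flag checks to one record and report the key size and DNS name."""
    tags = parse_dkim_record(record)
    flags = []
    if tags.get("v", "DKIM1") != "DKIM1":
        flags.append("v= must be exactly DKIM1 when present")
    ktype = tags.get("k", "rsa")                         # RFC 6376 default key type is rsa
    if ktype not in ("rsa", "ed25519"):
        flags.append(f"unknown key type k={ktype}")
    key_bits = None
    p = tags.get("p")
    if p is None:
        flags.append("p= missing: record cannot verify any signature")
    elif p == "":
        flags.append("p= empty: key is revoked, all signatures under this selector fail")
    else:
        try:
            spki = base64.b64decode(p, validate=True)    # rejects '...' and bad padding
            if ktype == "rsa":
                key_bits = rsa_modulus_bits(spki)
        except ValueError:
            flags.append("p= is not valid base64: key looks truncated or mangled")
    if key_bits is not None and key_bits < 2048:
        flags.append(f"RSA-{key_bits} is below the 2048-bit minimum")
    if "y" in tags.get("t", "").split(":"):
        flags.append("t=y: testing mode, verifiers treat this key's signatures like unsigned mail")
    if len(record) > 255:
        flags.append("value exceeds 255 bytes: publish as multiple quoted strings in the zone file")
    return {"tags": tags, "flags": flags, "key_bits": key_bits,
            "dns_name": f"{selector}._domainkey.{domain}"}


def sample_record(bits: int, extra: str = "") -> str:
    """Constructed full-length record around a fake key, e.g. sample_record(2048, 't=y; ')."""
    return f"v=DKIM1; k=rsa; {extra}p=" + base64.b64encode(fake_rsa_spki(bits)).decode()


if __name__ == "__main__":
    for rec in (TRUNCATED_RECORD, sample_record(2048), sample_record(1024, "t=y; ")):
        result = analyze_dkim(rec, "sel1", "example.com")
        print(result["dns_name"], result["key_bits"], result["flags"])
```

The 255-byte flag is the operational counterpart of the "no line breaks" note above: a 2048-bit key is longer than one TXT string, so the zone file holds it as several quoted strings that resolvers concatenate, and a key that was pasted with a break in the wrong place fails the base64 check here exactly as it would fail at a verifier.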
[ context ]

DKIM validates that mail claiming to be from your domain actually came from your servers; it prevents spoofing and improves deliverability. Without this record, receiving servers can't verify your DKIM-signed mail, signatures fail verification, and you lose sender reputation. It's critical for any domain sending mail at scale.
[ related ]
→ /tools/dkim-checker run the live checker on a real domain
→ /blog/dkim-key-not-found
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers - no analytics/telemetry on paste content.