DKIM Record — Email Signing

Learn how to set up DKIM (DomainKeys Identified Mail) DNS TXT records for email signing. Understand selectors, key formats, and rotation strategies.


Zone File Entry

selector1._domainkey.example.com.    IN    TXT    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

Detailed Explanation

What Is a DKIM Record?

DKIM (DomainKeys Identified Mail) is an email authentication protocol that allows the sending server to digitally sign outgoing messages. The public key is published as a DNS TXT record so receiving servers can verify the signature.

BIND Zone File Syntax

; DKIM public key record
selector1._domainkey.example.com.    3600    IN    TXT    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSma0axspqYK5iAj+54lsAg4qRRCnpKZyiGfjxBUMvYQHAYPEiv3mQ1V4f6TLmCyEtymadJB2YMlGrq4S2Asb0fJoNaGnz+Y3zGcPD20JHFIF4km2bEk26fO7JKrXUYMPzGpMGJb8CJrIFNfMadj+RHHX/vd8G6F0OwIDAQAB"

; Google Workspace DKIM (selector "google", published as a TXT record; some providers instead have you publish a CNAME pointing at a key they host)
google._domainkey.example.com.    3600    IN    TXT    "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."

Understanding the Record Format

A DKIM TXT record has these components:

  • v=DKIM1: Version identifier (required)
  • k=rsa: Key type — RSA is most common; Ed25519 (k=ed25519) is emerging
  • p=...: The Base64-encoded public key

The record is placed at a specific subdomain: selector._domainkey.yourdomain.com

What Is a Selector?

The selector is an arbitrary label chosen by the sender. It allows multiple DKIM keys to coexist for the same domain. Common selectors include:

  • google or selector1 for Google Workspace
  • selector1 and selector2 for Microsoft 365
  • s1, s2 for custom mail servers
  • em1234 for transactional email services like SendGrid

When a receiving server processes an email, it reads the DKIM-Signature header, extracts the selector (s=) and domain (d=), then queries DNS for selector._domainkey.domain.com to fetch the public key.

Key Generation and Rotation

DKIM keys should be rotated periodically (every 6-12 months) to limit the impact of a compromised key:

  1. Generate a new key pair with a new selector name
  2. Publish the new public key in DNS
  3. Configure your mail server to sign with the new key
  4. Keep the old DNS record active for 7-14 days (for in-flight messages)
  5. Remove the old DNS record

Key Size Recommendations

  • RSA 2048-bit: The current standard. DNS TXT records have a 255-character string limit, so long keys must be split into multiple quoted strings within a single TXT record.
  • RSA 1024-bit: Considered minimum; adequate but being phased out.
  • Ed25519: Smaller and faster but not yet universally supported by all receivers.

Handling Long Keys

DNS TXT records are limited to 255 characters per string. A 2048-bit RSA key exceeds this, so it must be split across several quoted strings in one record. Receiving servers concatenate the strings in order with nothing in between, so the split may fall anywhere in the value:

selector._domainkey.example.com.    IN    TXT    ("v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
    "MIIBCgKCAQEA1234567890abcdef...")

Most DNS providers handle this splitting automatically when you paste the full value.
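The lookup described under "What Is a Selector?", the key-size guidance, and the string splitting above can all be exercised with the following added example (my own code, not part of this page or any mail server). It builds the DNS query name from a DKIM-Signature header, joins the quoted strings of a TXT record, validates the v=, k= and p= tags, measures the RSA modulus of the key in p= with a minimal DER parser, and produces a zone-file line with the value split into 255-character strings. The keys, header value and record values are constructed in the code for the demonstration and are not real keys; the minimum and recommended sizes follow the page (1024 and 2048 bits).

```python
import base64
import re

# --- Minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ---
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

def der(tag, body):
    """Encode one DER TLV, using the long form when the length is >= 128."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(i):
    # (bit_length + 8) // 8 yields a leading 0x00 whenever the top bit is set
    return der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

def rsa_spki(modulus, exponent=65537):
    """Build the DER SubjectPublicKeyInfo that the p= tag carries in base64."""
    alg = der(0x30, der(0x06, RSA_OID) + b"\x05\x00")
    pub = der(0x30, der_int(modulus) + der_int(exponent))
    return der(0x30, alg + der(0x03, b"\x00" + pub))

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def rsa_modulus_bits(spki):
    """Return the modulus size of a DER-encoded RSA SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki)
    (alg_tag, alg), (bs_tag, bitstr) = children(body)
    if tag != 0x30 or alg_tag != 0x30 or bs_tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    if children(alg)[0] != (0x06, RSA_OID):
        raise ValueError("algorithm is not rsaEncryption")
    _, rsapub, _ = read_tlv(bitstr, 1)             # skip the unused-bits byte
    (_, n), _ = children(rsapub)                    # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(n, "big").bit_length()

# --- tag=value parsing, shared by the TXT record and the DKIM-Signature header ---
def parse_tags(text):
    tags = {}
    for part in text.split(";"):
        if part.strip():
            k, _, v = part.strip().partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)  # folding whitespace is not significant
    return tags

def dkim_query_name(dkim_signature_value):
    """Selector (s=) and signing domain (d=) give the name a verifier looks up."""
    tags = parse_tags(dkim_signature_value)
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_dkim_record(txt_strings_in_rdata, min_bits=1024, recommended_bits=2048):
    """Validate a DKIM TXT record given as the list of quoted strings in its RDATA."""
    tags = parse_tags("".join(txt_strings_in_rdata))  # strings are joined with no separator
    result = {"warnings": []}
    if tags.get("v") != "DKIM1":                    # the page lists v=DKIM1 as required
        raise ValueError("missing or unknown version tag")
    key_type = tags.get("k", "rsa")                 # k= defaults to rsa when absent
    if key_type not in ("rsa", "ed25519"):
        raise ValueError(f"unsupported key type {key_type}")
    if "p" not in tags:
        raise ValueError("missing p= tag")
    result["key_type"] = key_type
    if tags["p"] == "":
        result["status"] = "revoked"                # RFC 6376: an empty p= means the key is revoked
        return result
    spki = base64.b64decode(tags["p"], validate=True)
    if key_type == "rsa":
        bits = rsa_modulus_bits(spki)
        result["bits"] = bits
        if bits < min_bits:
            raise ValueError(f"RSA key is only {bits} bits")
        if bits < recommended_bits:
            result["warnings"].append(f"{bits}-bit RSA is below the recommended {recommended_bits}")
    result["status"] = "ok"
    return result

# --- Publishing side: split a long value into strings of at most 255 characters ---
def txt_strings(value, max_len=255):
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]

def zone_line(selector, domain, value, ttl=3600):
    quoted = " ".join(f'"{s}"' for s in txt_strings(value))
    return f"{selector}._domainkey.{domain}.\t{ttl}\tIN\tTXT\t( {quoted} )"

# --- Constructed sample data: deterministic bit patterns, not real keys ---
N_2048 = int.from_bytes(bytes(range(256)), "big") | (1 << 2047)
N_1024 = int.from_bytes(bytes(range(128)), "big") | (1 << 1023)
RECORD_2048 = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(N_2048)).decode()
RECORD_1024 = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(N_1024)).decode()
RECORD_512 = "v=DKIM1; p=" + base64.b64encode(rsa_spki((1 << 511) | 1)).decode()
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
                 "h=from:to:subject; bh=CONSTRUCTEDHASH; b=CONSTRUCTEDSIG")

if __name__ == "__main__":
    print(dkim_query_name(SAMPLE_HEADER))
    print(zone_line("selector1", "example.com", RECORD_2048))
    print(check_dkim_record(txt_strings(RECORD_2048)))
    print(check_dkim_record(txt_strings(RECORD_1024)))
    print(check_dkim_record(["v=DKIM1; k=rsa; p="]))
```

The 2048-bit record value is 410 characters, so zone_line emits two quoted strings (255 and 155 characters) inside parentheses, the same form shown above; the 1024-bit value fits in one string and is reported with a warning rather than rejected, matching the page's "considered minimum" guidance. An Ed25519 key is accepted by the tag checks but its size is not measured, since the DER parser here only understands rsaEncryption.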

Use Case

Configure DKIM records to cryptographically sign outgoing emails, proving they originate from your domain and have not been tampered with in transit.
