TXT Record — DKIM

DKIM public keys are published as TXT records at selector._domainkey.example.com. Learn the format, key rotation, and how to verify your DKIM setup.

Record Type: TXT
Category: Authentication (TXT)
RFC: RFC 6376
Email Relevant: Yes
Format: TXT "v=DKIM1; k=rsa; p=<base64-public-key>"
Example: TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA..."
TTL Guidance: 3600–86400 s; shorten to 300 s before rotating keys

💬 What This Record Does

DomainKeys Identified Mail (DKIM) uses public-key cryptography. Your mail server signs outgoing messages with a private key, and the public key is published in DNS as a TXT record at a selector subdomain (e.g., google._domainkey.example.com). Receiving servers retrieve this public key, verify the signature in the email's DKIM-Signature header, and confirm the message wasn't tampered with in transit. Unlike SPF, DKIM survives email forwarding.

Common Uses

  • Publishing a DKIM key for your own mail server's selector
  • Verifying that your ESP (Google, Mailchimp, SendGrid) has set up DKIM for your domain
  • Key rotation — setting a new selector's TXT record before switching signing to the new key

⚠️ Watch Out For

  • The selector subdomain format is always: <selector>._domainkey.<yourdomain>
  • RSA keys must be at least 1024 bits; 2048 bits is strongly recommended for new setups.
  • An empty public key (p=) signals that the selector is revoked — all messages signed with it will fail.
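
The checks in the list above can be automated. The following Python is an added example, not code from the original page: it parses a DKIM TXT value, reports a revoked selector (empty p=) and measures the RSA modulus against the 1024-bit and 2048-bit thresholds. The function names, the status strings and the sample_record helper are assumptions of this example; the sample record is constructed with a placeholder modulus (not a usable key), and the TXT value is assumed to be already joined into a single string.

```python
import base64

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    _, spki, _ = _tlv(der, 0)         # outer SEQUENCE
    _, _alg, pos = _tlv(spki, 0)      # AlgorithmIdentifier, skipped
    _, bitstr, _ = _tlv(spki, pos)    # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = _tlv(bitstr, 1)   # offset 1 skips the unused-bits octet
    _, modulus, _ = _tlv(rsa_key, 0)  # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt):
    """Classify a DKIM TXT value against the checks listed on this page."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {name.strip(): "".join(value.split()) for name, value in pairs}
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"
    if tags["p"] == "":
        return "revoked"              # empty p= means the selector is revoked
    if tags.get("k", "rsa") != "rsa":
        return "non-rsa"              # the sizing below only understands RSA keys
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):  # bad base64 or truncated DER
        return "invalid"
    return "too-short" if bits < 1024 else "below-recommended" if bits < 2048 else "ok"

def _der(tag, body):
    """DER-encode one element; only used to build the constructed sample."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_record(bits):
    """Constructed record with a placeholder modulus of `bits` bits (not a usable key)."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps it positive
    rsa_key = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```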