DKIM Record Examples: Format, Syntax, and Templates

A DKIM record is a DNS TXT record containing your public key, as defined in RFC 6376. Here are examples of properly formatted DKIM records for different scenarios.

This guide is part of our Setup & Configuration resources. For a full walkthrough of configuring DKIM end-to-end, see the DKIM setup guide.

Basic DKIM Record Format

Every DKIM record follows this structure:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

Complete DKIM Record Example

DNS Location (the selector identifies which key to use):

selector._domainkey.example.com

Record Type: TXT

Record Value:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5zKbqKtvkWJpb9YgVjCCXHSBRfLQJxZyPBnomx8M5yqHk7Q9rP9z8NFMH9YkMcYxRAE8o9kDc+LNhxeZx5Rk6aTtcWvoIgGhLxnlxOYSrJjFJh8knRvGLqhfhbdP0mYgVaIa7GTv5JkW5vP3qXWmF...

Testing Mode Example

When first deploying DKIM, use testing mode:

v=DKIM1; k=rsa; t=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...

The t=y flag tells receiving servers this key is in testing mode. They may handle failures differently. Remove t=y once you've verified DKIM is working.

Strict Alignment Example

For stricter security, use the t=s flag:

v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...

This requires the domain in the i= tag of the signature to exactly match the d= domain (no subdomains allowed).

Provider-Specific Examples

Google Workspace

Hostname: google._domainkey

Google manages the key value. The format looks like:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

Microsoft 365

Microsoft uses CNAME records pointing to their infrastructure (learn more about TXT vs CNAME records):

Hostname: selector1._domainkey Type: CNAME Value: selector1-example-com._domainkey.example.onmicrosoft.com

Mailchimp

Hostname: k1._domainkey

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

SendGrid

Hostname: s1._domainkey

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD...

Key Size Differences

1024-bit Key Example (shorter)

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7ELVy3mY2J4DDuF8bSgftC5vbnKm6xRiCRQTGPeJVGNJ8Yfu6z7HdPwXt5+H7...

1024-bit keys produce ~216 character public key strings.

2048-bit Key Example (longer)

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5zKbqKtvkWJpb9YgVjCCXHSBRfLQJxZyPBnomx8M5yqHk7Q9rP9z8NFMH9YkMcYxRAE8o9kDc+LNhxeZx5Rk6aTtcWvoIgGhLxnlxOYSrJjFJh8knRvGLqhfhbdP0mYgVaIa7GTv5JkW5vP3qXWmF...

2048-bit keys produce ~392 character public key strings.

DNS Provider Formatting

Different DNS providers have different requirements:

Cloudflare

• Name: selector._domainkey
• Type: TXT
• Content: v=DKIM1; k=rsa; p=...
• TTL: Auto

GoDaddy

• Host: selector._domainkey
• Type: TXT
• TXT Value: v=DKIM1; k=rsa; p=...
• TTL: 1 hour

Namecheap

• Host: selector._domainkey
• Record Type: TXT
• Value: v=DKIM1; k=rsa; p=...
• TTL: Automatic

Route 53 (AWS)

• Name: selector._domainkey.example.com
• Type: TXT
• Value: "v=DKIM1; k=rsa; p=..."
• TTL: 300

Long Record Handling

2048-bit keys may exceed the 255-byte DNS TXT string limit. If you run into this, see DKIM record too long for detailed solutions:

String concatenation:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5zKbqKtvkWJpb9Y" "gVjCCXHSBRfLQJxZyPBnomx8M5yqHk7Q9rP9z8NFMH9YkMcYxRAE8o9kDc+LNhxeZx5Rk6aTtcWv..."

Most DNS providers concatenate multiple strings automatically per RFC 1035. Split at 255 characters if needed.

Revoked Key Example

To revoke a DKIM key, set an empty public key:

v=DKIM1; k=rsa; p=

This tells receiving servers the key has been revoked and signatures using this selector should fail.

References

• RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures
• RFC 1035 — Domain Names — Implementation and Specification

---

Need a properly formatted DKIM record? Generate one instantly.