DKIM Record Too Long: How to Fix DNS Length Limits
Fix DKIM records that exceed DNS TXT record length limits. Learn about the 255-character string limit, record splitting, and alternatives for long DKIM keys.
Last updated: 2026-05-31
You generated a DKIM key, pasted it into your DNS provider, and got an error. The record is too long. This is one of the most common issues with DKIM setup, and it has straightforward fixes.
Why DKIM Records Get So Long
DKIM records contain a public key encoded in base64. The length of that key depends on the key size you chose when generating it.
A 1024-bit key produces a public key string of roughly 216 characters. When you add the required DKIM tags (v=DKIM1; k=rsa; p=...), the full record value comes to around 240 characters. That fits comfortably within DNS limits.
A 2048-bit key, which is the recommended standard today, produces a public key string of roughly 392 characters. With the DKIM tags included, the full record value is around 420 characters. That exceeds the DNS string limit.
Why 2048-bit is recommended
Security experts recommend 2048-bit keys because 1024-bit keys are considered vulnerable to future attacks. Most email providers now require or strongly recommend 2048-bit keys.
The DNS 255-Byte String Limit
DNS TXT records have a technical constraint: each individual string within a TXT record can be at most 255 bytes long. This limit comes from the original DNS specification (RFC 1035), which uses a single byte to store the length of each string.
Your 2048-bit DKIM record is around 420 characters. Since that exceeds 255 bytes, it cannot be stored as a single string. This is where the "record too long" errors come from.
The good news is that DNS does support longer TXT records. The total record can be up to 65,535 bytes. The trick is that the value needs to be split into multiple strings of 255 characters or fewer, and the receiving system concatenates them back together.
How TXT Record String Concatenation Works
DNS allows a TXT record to contain multiple strings. When a mail server looks up your DKIM record, it reads all the strings and joins them together in order. The result is the complete DKIM record value, as if it were stored as one piece.
In raw DNS format, a split record looks like this:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5zKbqKtvkWJpb9YgVjCCXHSBRfLQJxZyPBnomx8M5yqHk7Q9rP9z8NFMH9YkMcYxRAE8o9kDc+LNhxeZx5Rk6aTtcWvoIgGhLxnlxOYSrJjFJh8knRvGLqhfhbdP0mYgVaIa7GT" "v5JkW5vP3qXWmFBQD7kzE6RhG8o3d5LmVpAkt+EdfLXQqz8kP7sM5GHXaQUpJ6FdR5+8aBTMNE8MQUIDAQAB"
Each quoted section is its own string, each under 255 characters. The mail server reads them in order and treats the whole thing as a single value.
How DNS Providers Handle Long Records
This is where things get tricky. Different DNS providers handle splitting differently.
| Provider | Behavior | Action Needed |
|---|---|---|
| Cloudflare | Auto-splits long records | Paste full value as-is |
| Google Cloud DNS | Auto-splits long records | Paste full value as-is |
| GoDaddy | Auto-splits in most cases | Paste full value; verify after saving |
| Namecheap | May truncate silently | Split manually with quotes if issues arise |
| Route 53 (AWS) | Requires manual splitting | Wrap each chunk in quotes |
| cPanel-based hosts | Varies by version | Test after saving; split if needed |
Silent truncation
Some providers accept a long record without showing an error but quietly cut it off at 255 characters. This results in a broken DKIM key. Always verify your record after saving it.
How to Split Your DKIM Record Manually
If your DNS provider does not auto-split, you need to break the record into quoted strings yourself.
1. Copy your full DKIM record value. Start with the complete value, for example: v=DKIM1; k=rsa; p=MIIBIjANBgkq... (the full string).
2. Split at or before 255 characters. Break the value into chunks of 255 characters or fewer. You can split at any point, even in the middle of the base64 key. The split point does not matter as long as each piece is under the limit.
3. Wrap each chunk in double quotes. Each piece gets its own set of double quotes. Place the chunks one after another with a space between them.
4. Enter the split value into your DNS provider. Paste the entire quoted value into the TXT record field. Some providers have a single text box; others let you add multiple strings separately.
5. Verify the record. Use an online DNS lookup tool or run dig TXT selector._domainkey.yourdomain.com to confirm the full record is returned correctly.
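The manual splitting steps above, together with a check for the silent truncation described earlier, as an added example (not code from this page or from any DNS provider). The function names and the sample record are constructed for illustration: the sample key has real 2048-bit RSA framing around a filler modulus, so it is not a usable key.

```python
import base64
import re
from typing import Optional

MAX_STRING = 255  # RFC 1035: each TXT string carries a one-byte length prefix

# Constructed sample: 2048-bit RSA SubjectPublicKeyInfo framing, filler modulus.
_SPKI_HEAD = bytes.fromhex(
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100")
SAMPLE_KEY = base64.b64encode(
    _SPKI_HEAD + b"\xc3" * 256 + bytes.fromhex("0203010001")).decode()
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + SAMPLE_KEY

def split_txt(value: str, limit: int = MAX_STRING) -> str:
    """Render a TXT value as space-separated quoted strings of <= limit bytes."""
    raw = value.encode("ascii")  # DKIM records are plain ASCII
    chunks = [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]
    return " ".join(f'"{c}"' for c in chunks)

def join_txt(answer: str) -> str:
    """Concatenate the quoted strings of a dig-style answer, in order."""
    joined = "".join(re.findall(r'"([^"]*)"', answer))
    return joined.replace("\\;", ";")  # some dig versions print ';' as '\;'

def key_problem(value: str) -> Optional[str]:
    """Describe what is wrong with the p= key, or return None if it is intact."""
    tags = dict(t.strip().partition("=")[::2] for t in value.split(";") if "=" in t)
    p = "".join(tags.get("p", "").split())
    if not p:
        return "no p= tag"
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:
        return "p= is not complete base64"
    if len(der) < 4 or der[0] != 0x30:
        return "p= is not a DER SEQUENCE"
    # Outer DER length: short form (< 0x80) or 0x8N followed by N length bytes.
    n = der[1] & 0x7F if der[1] & 0x80 else 0
    body = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    declared = 2 + n + body
    if declared != len(der):
        return f"key is {len(der)} bytes but its header declares {declared}"
    return None

if __name__ == "__main__":
    print(split_txt(SAMPLE_RECORD))             # value to paste, already quoted
    print(key_problem(SAMPLE_RECORD[:255]))     # record cut at 255 characters
```

Pass the text printed by dig to join_txt and then to key_problem; a key cut on a 4-character base64 boundary still decodes, which is why the declared DER length is compared as well.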
Use CNAME Records as an Alternative
Some email providers solve the length problem entirely by using CNAME records instead of TXT records. With this approach, your DNS record is a short CNAME that points to the provider's own DNS, where they host the full public key.
For example, Microsoft 365 uses CNAME records like this:
selector1._domainkey.example.com CNAME selector1-example-com._domainkey.example.onmicrosoft.com
The CNAME itself is short and fits easily within DNS limits. The actual long DKIM key lives on Microsoft's DNS servers.
If your email provider offers a CNAME option for DKIM, it is usually the simplest path. You avoid length issues entirely and the provider can rotate keys on their end without you touching your DNS again.
When to Use 1024-Bit Keys as a Fallback
If your DNS provider simply cannot handle a 2048-bit key, even with splitting, a 1024-bit key is a reasonable fallback. A 1024-bit DKIM key is still far better than no DKIM at all.
Consider using 1024-bit keys when:
- Your DNS provider has a hard limit that prevents long TXT records
- You are on a legacy hosting plan with restricted DNS management
- You need a quick fix while migrating to a provider that supports longer records
Plan to upgrade
If you fall back to a 1024-bit key, plan to switch to 2048-bit when you can. Move to a DNS provider that supports long records or use CNAME-based DKIM through your email provider.
Provider-Specific Notes
Cloudflare handles long TXT records well. Paste the full value without quotes and Cloudflare splits it internally.
GoDaddy has improved its handling of long records, but older interfaces may still have issues. If your record is not verifying, try splitting it manually with quotes.
Route 53 (AWS) requires you to wrap the value in quotes. For long records, use multiple quoted strings within the same TXT record value field.
Namecheap has a character limit in their DNS management panel. If you hit it, contact their support for assistance or consider using Cloudflare as your DNS provider while keeping Namecheap as your registrar.
cPanel behavior varies depending on the hosting provider and cPanel version. Some newer versions handle splitting automatically. Test after saving.
Quick Checklist
- Generated a 2048-bit key? Expect the record to be around 420 characters
- Getting a "too long" error? Split into quoted strings of 255 characters or fewer
- Record saved but DKIM failing? Check if your provider truncated the value silently
- Provider cannot handle long records? Use CNAME-based DKIM or fall back to 1024-bit
- Not sure if it worked? Verify with a DNS lookup tool after saving
References
- RFC 1035 — Domain Names - Implementation and Specification