
DNS Record Explainer

Paste any DNS record and get a plain-English breakdown - every tag explained, risky settings flagged, related tools suggested. No domain needed.

paste_record
// detects SPF / DKIM / DMARC / BIMI / CAA / MX / MTA-STS / TLS-RPT / generic TXT. Paste the record value - no quotes needed.
[ OK ] Detected: DKIM
input
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...
[ explanation · ai ]
[ breakdown ]

v=DKIM1
Version tag. Must be "DKIM1" for all current DKIM records. If omitted, defaults to DKIM1 anyway, but explicit is safer.

k=rsa
Key type. RSA is the standard. DKIM supports RSA-SHA256 signing (the modern default). This tag tells receivers what algorithm generated the signature they'll validate against this public key.

p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...
Public key material (base64-encoded). This is the RSA public key receivers use to verify signatures on your outbound mail. Truncated in your input, so I can't validate the actual key, but structurally this looks correct. The key should be ~1024–2048 bits; anything shorter than 1024 is weak, longer than 4096 is wasteful.
[ flags ]

Truncated value: the p= data cuts off. Verify the full key is in your DNS record—DKIM keys are often split across multiple TXT strings due to 255-char DNS limits. Most DKIM validators handle this transparently, but misconfiguration here is common.

No optional tags present: you're not setting t=, h=, or s= flags. This is fine for standard deployments. t=y (test mode) would disable enforcement; s=email restricts to user@domain only. Defaults are sensible if you're in production.

Key type assumption: k=rsa is set here, but it's worth confirming that your signing service actually uses RSA-SHA256, not EdDSA (not yet widely supported) or something exotic.
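A worked check for the points flagged above, added here as an example; it is not the explainer's own code. It joins the quoted 255-byte strings a DNS server returns, parses the tags, decodes p=, measures the RSA modulus (or, for k=ed25519 as defined in RFC 8463, the raw key) and reports weak or revoked keys and t= test mode. The sample records are constructed with a dummy modulus purely to exercise the parser and are not real key pairs; the function names are this example's own. Standard library only.

```python
import base64
import binascii
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def join_txt_strings(raw: str) -> str:
    """Join the quoted 255-byte strings of a TXT answer (dig style), as verifiers
    do; an unquoted pasted value is returned unchanged."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', raw)
    return "".join(parts) if parts else raw

def parse_dkim_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict (raises on a field without '=')."""
    fields = [f.strip() for f in record.split(";") if f.strip()]
    return {n.strip(): v.strip() for n, v in (f.split("=", 1) for f in fields)}

def _der_read(buf: bytes, pos: int):
    """Minimal DER TLV reader: (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Modulus size of the RSA SubjectPublicKeyInfo that p= carries for k=rsa."""
    tag, body, _ = _der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, algid, pos = _der_read(body, 0)  # AlgorithmIdentifier
    if _der_read(algid, 0)[1] != RSA_OID:
        raise ValueError("p= key is not rsaEncryption")
    _, bitstr, _ = _der_read(body, pos)  # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = _der_read(bitstr[1:], 0)  # skip the unused-bits octet
    _, modulus, _ = _der_read(rsa_pub, 0)  # INTEGER n comes before e
    return int.from_bytes(modulus, "big").bit_length()

def analyse_dkim_record(raw_txt: str) -> dict:
    """Parsed tags, key size in bits (None if unusable) and a list of findings."""
    tags = parse_dkim_tags(join_txt_strings(raw_txt))
    findings, bits = [], None
    key_type = tags.get("k", "rsa")
    p = re.sub(r"\s+", "", tags.get("p", ""))  # folding whitespace in p= is ignored
    if p == "":
        findings.append("p= is empty: this selector's key is revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except binascii.Error:
            findings.append("p= is not valid base64: truncated, or DNS strings not joined")
        else:
            if key_type == "rsa":
                bits = rsa_modulus_bits(der)
                if bits < 1024:
                    findings.append(f"{bits}-bit RSA key: verifiers reject keys under 1024 bits")
                elif bits < 2048:
                    findings.append(f"{bits}-bit RSA key: 2048 bits is the recommended size")
            elif key_type == "ed25519":  # RFC 8463: p= is the raw 32-byte key
                bits = len(der) * 8
                if len(der) != 32:
                    findings.append(f"ed25519 key is {len(der)} bytes, expected 32")
            else:
                findings.append(f"unknown key type {key_type!r}")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: test mode, verifiers treat failures like unsigned mail")
    return {"tags": tags, "key_bits": bits, "findings": findings}

# Constructed sample data, NOT a real key pair: a DER SPKI around a dummy modulus.
def _der_tlv(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der_tlv(0x02, b"\x00" + raw if raw[0] & 0x80 else raw)

def constructed_rsa_record(bits: int, extra_tags: str = "") -> str:
    n = (1 << (bits - 1)) | 0x1234567  # top bit set, so bit_length() == bits
    rsa_pub = _der_tlv(0x30, _der_int(n) + _der_int(65537))
    algid = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + b"\x05\x00")
    spki = _der_tlv(0x30, algid + _der_tlv(0x03, b"\x00" + rsa_pub))
    return f"v=DKIM1; k=rsa; {extra_tags}p=" + base64.b64encode(spki).decode()

def as_dns_txt_strings(record: str) -> str:
    """Split the way a DNS server must: quoted strings of at most 255 bytes."""
    return " ".join(f'"{record[i:i + 255]}"' for i in range(0, len(record), 255))

if __name__ == "__main__":
    for sample in (as_dns_txt_strings(constructed_rsa_record(2048)),
                   as_dns_txt_strings(constructed_rsa_record(1024, "t=y; ")),
                   "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ..."):
        print(analyse_dkim_record(sample))
```

The 2048-bit sample comes back from DNS as two quoted strings and is only valid once they are joined; the truncated value pasted above is reported as invalid base64, which is the cue to fetch the full record with dig and confirm every string is present. The constructed 1024-bit record starts with the same "MIGfMA0G..." prefix as the input above, because that prefix is the fixed DER header of any 1024-bit RSA SubjectPublicKeyInfo, not anything key-specific.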
[ context ]

DKIM is the signature mechanism for SPF+DKIM+DMARC authentication chains. Without this record, receivers can't validate signatures on mail you send. Gmail, Outlook, and others will downrank unsigned mail, and DMARC fail policies (reject/quarantine) won't fire. This record lives in DNS as `selector._domainkey.yourdomain.com` (the selector name varies per signing service—commonly "default" or "google").
[ related ]
→ /tools/dkim-checker run the live checker on a real domain
→ /blog/dkim-key-not-found
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers - no analytics/telemetry on paste content.