How to Read DKIM Records Correctly
Learn how to read DKIM records, understand selector hostnames and key tags, and spot the difference between valid publishing and weak configurations.
Tools For This Topic
What a DKIM record actually is
A DKIM record is usually a TXT record published at a selector hostname such as selector1._domainkey.example.com. It contains the public key and related tags that receiving mail servers use to validate DKIM signatures.
Reading a DKIM record correctly means understanding both the selector naming pattern and the meaning of the tags inside the TXT value.
Example DKIM record
selector1._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."The selector is selector1, the version tag is DKIM1, the key type is rsa, and the p tag contains the public key material.
How to read the important tags
- v=DKIM1 identifies the record as a DKIM key record
- k= usually identifies the key type, commonly rsa
- p= contains the public key and is usually the most important field
- t= may be used for flags such as testing in some deployments
- n= may contain notes, though many deployments omit it
In real troubleshooting, the most common checks are whether the selector exists, whether the p value is present and valid, and whether the sending platform is using the selector you expect.
Why selector names matter
The selector is part of the DNS name, not just part of the TXT value. That means a perfectly valid DKIM TXT record can still fail to help if you are querying the wrong selector hostname.
This is one reason DKIM troubleshooting often starts with identifying the active selector from email headers or by testing common selector patterns.
Common signs of DKIM trouble
- The selector hostname returns no TXT record
- The p tag is empty or malformed
- The sending platform signs with a selector that is not published in DNS
- The record exists but belongs to an old provider or old key rotation
- Email headers show a selector that does not match the domain's current setup
How to review DKIM in practice
Start by identifying the selector from a known-good email header or by testing likely selectors. Then inspect the TXT record at the full selector hostname and compare it with the signing behaviour you see in Authentication-Results or DKIM-Signature headers.
That combination tells you whether the issue is DNS publishing, selector discovery, or the sending platform itself.
Use These DNS Pro Tools
If you want to validate this topic in practice, these DNS Pro tools are the fastest next step.
Related Tools
Related Articles
How to Read CNAME Chains Correctly
Learn how to read CNAME chains, understand alias targets step by step, and spot stale, looping, or takeover-prone CNAME configurations.
How to Read CAA Records Correctly
Learn how to read CAA records, understand issue, issuewild, and iodef tags, and tell whether certificate issuance is properly restricted for a domain.
How to Read NS Records Correctly
Learn how to read NS records, understand what they say about delegation, and spot signs of stale nameservers, mismatches, or broken authority.