The DKIM tag used to specify the public key is the p= tag. This tag is the most critical component of a DKIM record because it contains the actual public key data that receiving mail servers use to verify the authenticity of an email.
When you set up DKIM (DomainKeys Identified Mail), you are essentially creating a digital signature for your emails. This process involves a pair of cryptographic keys: a private key that stays on your server to sign outgoing emails, and a public key that you publish in your domain's DNS records. The p= tag is how you publish that public key for the world to see.
A DKIM record isn't just one monolithic piece of text; it's constructed from several smaller components called tags. These tags are key-value pairs separated by semicolons, each defining a specific attribute of the DKIM signature.
Think of these tags as instructions for the receiving email server. They tell the server what version of DKIM is being used, what the public key is, which signing algorithm was used, and more. Understanding the basics of DKIM syntax is fundamental to troubleshooting any email authentication issues.
The p= tag's value is the Base64-encoded public key. When a mail server receives an email with a DKIM signature, it finds the selector and domain from the email headers, looks up the corresponding DKIM record in the DNS, and extracts the public key from the p= tag. This key is then used to verify the signature and confirm the message's integrity.
It's important to note that if the p= tag is present but has an empty value (e.g., p=), it signifies that this particular DKIM key has been revoked and should not be used for verification. This is a security measure to disable a compromised key. As highlighted in an AWS support discussion, a missing or empty 'p' tag will cause verification to fail.
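The p= handling described above, as an added example (not code from this page or from any mail server): it splits a key record into its tags and tells apart a usable key, a revoked key (empty p=), a missing p= tag and malformed Base64. The function names `parse_tags` and `classify_key_record` and the sample records are constructed for illustration, and the key bytes are a placeholder rather than a real public key.

```python
import base64
import binascii
import re

# Constructed placeholder bytes, Base64-encoded; NOT a real DKIM public key.
SAMPLE_P = base64.b64encode(b"constructed-sample-not-a-real-key!").decode()

def parse_tags(record: str) -> dict:
    """Split a DKIM key record into its semicolon-separated tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon or an empty record
        # Split on the FIRST '=' only: Base64 padding in p= also uses '='.
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    return tags

def classify_key_record(record: str) -> str:
    """Return 'valid', 'revoked', 'missing-p' or 'invalid-base64'."""
    tags = parse_tags(record)
    if "p" not in tags:
        return "missing-p"      # no key published: verification cannot succeed
    # Long keys are often split across DNS strings; drop whitespace inside p=.
    p = re.sub(r"\s+", "", tags["p"])
    if p == "":
        return "revoked"        # empty p= means the key has been revoked
    try:
        # Checks Base64 well-formedness only; the key structure is not parsed.
        base64.b64decode(p, validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    return "valid"

if __name__ == "__main__":
    for rec in (f"v=DKIM1; k=rsa; p={SAMPLE_P}",   # constructed records
                "v=DKIM1; k=rsa; p=",
                "v=DKIM1; k=rsa",
                "v=DKIM1; k=rsa; p=not*base64"):
        print(f"{classify_key_record(rec):15} {rec}")
```

Run against the TXT value returned for a selector, this gives a quick triage of why a key lookup would not yield a usable key before any signature check is attempted.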
While p= holds the key, it doesn't work in isolation. Several other tags are necessary for a functional DKIM record.
In summary, the p= tag is the star of the show, carrying the public key itself. However, it relies on its supporting cast of other tags like v=, s=, and d= to provide the full context needed for a receiving server to perform a successful DKIM verification.