Suped

What DKIM tag is used to specify the public key?

The DKIM tag used to specify the public key is the p= tag. This tag is the most critical component of a DKIM record because it contains the actual public key data that receiving mail servers use to verify the authenticity of an email.

Email on Acid says:
p= The public key, which pairs with the encrypted DKIM signature. The only required tag in the DNS record is the public key (p=).

When you set up DKIM (DomainKeys Identified Mail), you are essentially creating a digital signature for your emails. This process involves a pair of cryptographic keys: a private key that stays on your server to sign outgoing emails, and a public key that you publish in your domain's DNS records. The p= tag is how you publish that public key for the world to see.

Understanding DKIM tags

A DKIM record isn't just one monolithic piece of text; it's constructed from several smaller components called tags. These tags are key-value pairs separated by semicolons, each defining a specific attribute of the DKIM signature.

NsLookup.io says:
DKIM tags specify attributes of a DKIM key, including the public key itself. Every DKIM record must begin with the version tag "v".

Think of these tags as instructions for the receiving email server. They tell the server what version of DKIM is being used, what the public key is, which signing algorithm was used, and more. Understanding the basics of DKIM syntax is fundamental to troubleshooting any email authentication issues.

The all-important p= tag

The p= tag's value is the Base64-encoded public key. When a mail server receives an email with a DKIM signature, it finds the selector and domain from the email headers, looks up the corresponding DKIM record in the DNS, and extracts the public key from the p= tag. This key is then used to check the signature and verify the message's integrity.

Tools, Utilities and Calculators - WintelGuy.com says:
p, Public-key data. The syntax and semantics of this tag value are defined by the "k=" tag. An empty value means that this public key has been revoked.

It's important to note that if the p= tag is present but has an empty value (e.g., p=), it signifies that this particular DKIM key has been revoked and should not be used for verification. This is a security measure to disable a compromised key. As highlighted in an AWS support discussion, a missing or empty 'p' tag will cause verification to fail.

Other essential DKIM tags

While p= holds the key, it doesn't work in isolation. Several other tags are necessary for a functional DKIM record.

  • v=: The version tag. This is almost always v=DKIM1. It must be the first tag in the record.
  • k=: The key type. This specifies the algorithm suite. The default is rsa.
  • s=: The selector. This is a specific string used to help locate the public key in your domain's DNS. It allows for multiple DKIM keys on a single domain.
  • d=: The domain. This is the domain name that the DKIM signature is associated with.

DMARC Director says:
s= It indicates the DKIM selector Tag used for finding the public key in a domain's DNS. A name or number will be assigned to this field. d= It specifies the domain of the sender.

In summary, the p= tag is the star of the show, carrying the public key itself. However, it relies on its supporting cast of other tags like v=, s=, and d= to provide the full context needed for a receiving server to perform a successful DKIM verification.
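
An added example (not from the original page or the sites it quotes): a small Python check of a DKIM key record as published in DNS, applying the rules above for v=, k= and an empty or missing p=. The sample key is constructed placeholder bytes, so the code validates the Base64 only and does not parse a real key; the status names, the duplicate-tag check and the acceptance of ed25519 for k= are this example's own assumptions.

```python
from __future__ import annotations
import base64
import binascii

KNOWN_KEY_TYPES = {"rsa", "ed25519"}  # rsa is the default when k= is absent
# Constructed placeholder bytes, NOT a real public key.
SAMPLE_P = base64.b64encode(b"constructed bytes, not a real key").decode()

def parse_tags(record: str) -> list[tuple[str, str]]:
    """Split a DKIM key record into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part.strip()!r}")
        pairs.append((name.strip(), value.strip()))
    return pairs

def check_key_record(record: str) -> tuple[str, bytes | None]:
    """Return (status, decoded key bytes or None) for one key record."""
    pairs = parse_tags(record)
    tags = dict(pairs)
    if len(tags) != len(pairs):
        return "duplicate_tag", None
    # When v= is present it must be the first tag and equal DKIM1.
    if "v" in tags and (pairs[0][0] != "v" or tags["v"] != "DKIM1"):
        return "bad_version", None
    if "p" not in tags:
        return "missing_p", None
    # Long keys are often folded, so drop whitespace inside the value.
    p = "".join(tags["p"].split())
    if p == "":
        return "revoked", None  # empty p= means the key was revoked
    if tags.get("k", "rsa") not in KNOWN_KEY_TYPES:
        return "unknown_key_type", None
    try:
        return "ok", base64.b64decode(p, validate=True)
    except binascii.Error:
        return "invalid_base64", None

if __name__ == "__main__":
    for rec in ("v=DKIM1; k=rsa; p=" + SAMPLE_P, "v=DKIM1; p=", "v=DKIM1; k=rsa"):
        print(check_key_record(rec)[0])
```

A monitoring job can alert on any status other than "ok" for selectors that are still signing mail, since receivers will fail verification against a revoked or malformed record.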
