Suped

What is the purpose of the DKIM 'p=' tag in the public key record?

Michael Ko
Co-founder & CEO, Suped
Published 31 Jan 2025
Updated 8 Nov 2025
When delving into email authentication, you quickly encounter DKIM, or DomainKeys Identified Mail. It's a cornerstone of ensuring your emails aren't just sent, but reliably delivered and trusted by recipients. At its core, DKIM uses a pair of cryptographic keys, one private and one public, to verify the sender's authenticity and message integrity.
The public key lives in your domain's DNS records, specifically within a DKIM TXT record. This record contains several DKIM tags, each serving a specific function. Among these, the p= tag holds a uniquely important role: it carries the actual public key itself.
Without a correctly configured p= tag, your DKIM authentication simply won't work. It's the central piece that allows receiving mail servers to cryptographically verify your emails, confirming that they genuinely originated from your domain and haven't been tampered with in transit. Understanding this tag is crucial for maintaining your email deliverability and protecting your domain's reputation.

The basics of DKIM public keys

A DKIM public key is essentially a unique digital fingerprint for your sending domain, stored as part of your DNS TXT record. When you send an email, a digital signature is generated using a corresponding private key. This signature is then attached to the email header. Receiving servers use your public key, retrieved from DNS, to decrypt and verify this signature.
The p= tag in a DKIM record is where this cryptographic public key resides. Other tags, carried in the email's DKIM-Signature header, such as the selector (s=), tell the receiving server where to find the specific public key for that email. The h= tag in that header, for instance, specifies the signed headers that should be verified.
Example DKIM public key record
selector1._domainkey.yourdomain.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn8sQ1q..."
The public key itself is a long string of characters, typically using an RSA algorithm. This key is publicly available, allowing any receiving mail server to retrieve and use it for validation. The key's primary purpose is to ensure that the email content and specific header fields haven't been altered since the original sender applied the digital signature.

Decoding the 'p=' tag's primary role

The p= tag's most crucial role is to contain the public cryptographic key, which is essential for the verification process. When an email server receives an email claiming to be from your domain, it looks up your DKIM record in DNS. It uses the s= tag (selector) to find the correct public key record, then extracts the key from the p= tag.
This public key is then used to decrypt the DKIM signature found in the email header. If the decryption is successful and the resulting hash matches the calculated hash of the email's relevant parts, the DKIM signature is considered valid. This cryptographic handshake confirms the email's authenticity and integrity, a vital step in email authentication.

How DKIM authentication works

  1. Sender signs email: The sending server uses a private key to generate a digital signature for specific email headers and the message body. This signature is added to the email.
  2. Receiver queries DNS: The receiving server checks the DKIM-Signature header for the domain and selector, then queries DNS to retrieve the public key from the p= tag.
  3. Verification occurs: The public key is used to decrypt the signature and verify that the email's content (or specified parts) hasn't been altered, preventing body hash mismatch failures.
An invalid or missing p= tag will cause DKIM authentication to fail, leading to potential DKIM temperrors. This significantly reduces the trustworthiness of your emails and increases the likelihood of them being flagged as spam or rejected outright by email providers like Google and Yahoo. It also leaves your domain vulnerable to spoofing, where malicious actors can send emails pretending to be from you.

Practical implications and common issues

Misconfiguration of the p= tag is a common pitfall. This can happen due to simple typos, incorrect key generation, or even copy-pasting errors when updating your DNS records. Sometimes, a provider might generate a new key, and if the old p= value isn't replaced, authentication will fail.
The impact of an incorrect p= value is direct: emails will not pass DKIM authentication. This directly affects your email deliverability and sender reputation. Mailbox providers use DKIM, along with SPF and DMARC, to assess the legitimacy of incoming mail. A failed DKIM check can result in your emails landing in the spam folder or being rejected entirely. You might also encounter messages like "DKIM record published no DKIM record found" which points to a misconfiguration.
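Added example, not code from the original article or from Suped: the lookup step described under "How DKIM authentication works" and a check for the p= mistakes described above (missing tag, typo, cut-off paste). It assumes k=rsa records; the function names and SAMPLE_P (a constructed key structure with a dummy modulus) are illustrative.

```python
import base64
import re

def parse_tags(value):
    """Split a DKIM tag=value list (key record or DKIM-Signature) into a dict."""
    pairs = (part.partition("=") for part in value.split(";") if "=" in part)
    return {name.strip(): val.strip() for name, _, val in pairs}

def query_name(dkim_signature):
    """DNS name the receiver queries: <s=>._domainkey.<d=>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def _tlv(buf, pos):
    """Read one DER element header; return (content_start, content_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo blob."""
    start, end = _tlv(der, 0)              # outer SEQUENCE
    if der[0] != 0x30 or end != len(der):
        raise ValueError("truncated or malformed key")
    _, alg_end = _tlv(der, start)          # AlgorithmIdentifier
    bits_start, _ = _tlv(der, alg_end)     # BIT STRING
    seq_start, _ = _tlv(der, bits_start + 1)   # skip unused-bits byte
    mod_start, mod_end = _tlv(der, seq_start)  # modulus INTEGER
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def lint_record(txt):
    """Classify the p= tag of a DKIM key record (k=rsa assumed)."""
    tags = parse_tags(txt)
    if "p" not in tags:
        return "fail: no p= tag"
    p = re.sub(r"\s+", "", tags["p"])      # RFC 6376 allows whitespace inside p=
    if not p:
        return "revoked: empty p="         # RFC 6376: empty p= means key revoked
    try:
        bits = rsa_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError):       # bad base64 or cut-off DER
        return "fail: p= is not a complete base64 key"
    return f"ok: rsa-{bits}"

# Constructed sample: RSA-1024 key structure with a dummy modulus, not a real key.
SAMPLE_P = base64.b64encode(bytes.fromhex(
    "30819f300d06092a864886f70d010101050003818d0030818902818100")
    + b"\xc3" * 128 + bytes.fromhex("0203010001")).decode()
```

Run `lint_record` against the TXT value exactly as published in DNS; a cut-off paste can still be valid base64, which is why the DER length is checked as well.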

Correct 'p=' configuration

  1. Trust and deliverability: Emails are verified, boosting sender reputation and inbox placement.
  2. Protection against spoofing: Prevents unauthorized use of your domain for sending emails.
  3. DMARC compliance: Essential for passing DKIM alignment under a DMARC policy.

Incorrect 'p=' configuration

  1. Spam folder placement: Emails are often rejected or sent to spam due to authentication failure.
  2. Damaged reputation: Domain reputation suffers, impacting future email campaigns.
  3. Spoofing vulnerability: Your domain becomes an easy target for phishing and brand impersonation.
To avoid these issues, it is paramount to ensure your DKIM records are always accurate and properly published. Using a reliable DKIM record generator can minimize human error during creation. Furthermore, ongoing DMARC monitoring provides crucial visibility into your authentication status.

Managing your DKIM records

Effective management of your DKIM records, particularly the p= tag, requires diligence. Regularly review your DNS records to ensure the public key is correct and hasn't been accidentally altered or removed. If you change email service providers or update your sending infrastructure, you'll almost certainly need to generate and publish new DKIM keys. Ensure that when you rotate keys, you update the DNS entry for the corresponding selector (s=).
Tools that offer DMARC reporting are invaluable for ongoing monitoring. Suped, for example, consolidates DKIM authentication data, helping you quickly identify any issues with your p= tag or overall DKIM setup. Our AI-powered recommendations go beyond just showing data, telling you exactly what steps to take to resolve issues and strengthen your policy.

| Tag | Description | Example |
| --- | --- | --- |
| v= | DKIM version (always DKIM1 for current standard). | v=DKIM1 |
| p= | The public key used to verify the email signature. Crucial for authentication. | p=MIGfMA0G... |
| k= | Key type, typically RSA. | k=rsa |
| t= | Flags for testing (y) or not (s). Important for DKIM verification. | t=s |
| g= | Granularity of the DKIM selector, specifies which local-part identities are allowed. | g=* |
Implementing a strong DMARC policy that leverages both SPF and DKIM is the ultimate goal. A correctly configured p= tag ensures that DKIM passes authentication, contributing to your emails aligning with your DMARC policy. This combined effort significantly improves your email security posture and ensures your messages reach their intended recipients without issues.

Ensuring strong email authentication with DKIM

The DKIM p= tag is more than just a piece of text in your DNS; it's the heart of your DKIM authentication. It contains the public key that allows receiving mail servers to cryptographically verify your emails, confirming their authenticity and ensuring they haven't been tampered with. Without this tag, or with an incorrect value, your emails are vulnerable and likely to face deliverability challenges.
Prioritizing the correct configuration and ongoing monitoring of your DKIM records, especially the p= tag, is essential for robust email security and reliable deliverability. Utilizing comprehensive DMARC monitoring tools like Suped can provide the insights and real-time alerts you need to ensure your emails always reach the inbox.
