What causes invalid RSA public key errors in DKIM records and how can I fix it?
Michael Ko
Co-founder & CEO, Suped
Published 20 May 2025
Updated 17 Aug 2025
8 min read
Dealing with email authentication issues can be frustrating, especially when it involves cryptic errors like "invalid RSA public key" in your DKIM records. This specific error means that your email’s digital signature, which helps verify its authenticity, cannot be read or processed correctly by the recipient’s server. When this happens, your emails might not reach the inbox and could instead be flagged as spam or rejected entirely.
DKIM, or DomainKeys Identified Mail, uses a pair of cryptographic keys, a private key for signing outbound emails and a public key published in your domain's DNS records, for verification. The RSA algorithm is commonly used to generate these keys, providing the cryptographic backbone for the signature. A valid RSA public key is crucial for email receivers like Google and Yahoo to confirm that an email truly originated from your domain and hasn't been tampered with in transit. Without it, your emails are at risk of not being delivered.
When you encounter this error, it typically points to a problem with how the public key is formatted or stored in your DNS. It means the system trying to verify your email cannot properly decode or interpret the key data. This article explores the common reasons behind these invalid key errors and provides actionable steps to help you resolve them and ensure your DKIM authentication works flawlessly.
An invalid RSA public key error often indicates that the public key published in your DKIM TXT record cannot be correctly parsed by mail servers. The RSA public key in a DKIM record is essentially a long string of base64 encoded characters. For verification to succeed, this string must be precise, without any alterations, missing characters, or additional formatting. Even a single misplaced character can render the entire key unusable, leading to authentication failures and potentially impacting your email deliverability.
One of the most frequent causes I’ve observed is incorrect formatting or truncation. The public key is typically a long string of characters, and when it’s copied and pasted into a DNS TXT record, it's susceptible to errors. These can include missing characters, accidental line breaks, or the addition of hidden characters. For example, some DNS providers automatically split long TXT records, but if not handled correctly during migration or manual input, these splits can introduce errors. It is also important to note that the key should be in PKCS#1 "RSAPublicKey" format, not SSHv2 format, as highlighted in a discussion on Stack Exchange about DKIM failures.
Another common pitfall is the presence of invalid characters or incorrect encoding. The public key relies on base64 encoding, which has a specific character set. Any character outside this set, or an improperly encoded string, can produce the OpenSSL error "bad base64 decode". This usually points to a literal error in the string's structure, making it impossible for verification tools to process. It's a bit like having a corrupted file: the data is there, but it can't be read.
Common culprits behind DKIM public key errors
The public key's storage in your DNS plays a critical role. DNS TXT records have character limits, and if your key is too long for a single record, it needs to be split into multiple strings within the same TXT record. This is typically done by enclosing each segment in double quotation marks and separating them with a space. If this splitting is done incorrectly, or if a DNS provider automatically splits the key in a non-standard way, it can lead to validation errors.
A key challenge is the mismatch between the private and public keys. When you generate a DKIM key pair, the public key is mathematically derived from the private key. If the public key published in your DNS doesn't exactly match the one generated, verification will fail. This often occurs if the key was manually edited, regenerated without updating the DNS, or if there's a typo in the DNS record. According to an article from DuoCircle, manual configuration without a proper generator is a frequent source of public key errors.
Finally, DNS propagation delays can sometimes lead to temporary invalid key errors. After updating your DKIM record, it can take anywhere from a few minutes to 48 hours for the changes to propagate across the internet. During this period, some mail servers might still be retrieving the old or incomplete record, resulting in verification failures. This is less about the key being truly invalid and more about the network not yet reflecting the correct information, but it presents similarly.
Diagnosing and fixing invalid RSA public key errors
To diagnose an invalid RSA public key error, the first step is to verify your DKIM record. You can use online DKIM checkers by providing your domain and the DKIM selector. These tools will fetch your DNS record and attempt to validate the public key, often providing specific error messages if something is wrong. Pay close attention to any parsing errors or indications of incorrect base64 decoding. Google Workspace offers guidance on verifying DKIM setup, which can be a good reference.
Before fixing the record, check for the following:
Truncated key: The public key string in the DNS record is cut short.
Hidden characters: Invisible line breaks or other non-printable characters are present.
Incorrect splitting: If the key was split, it was done improperly (e.g., missing quotes, extra spaces).
Typographical errors: A character was mistakenly changed or omitted during manual entry.
Once you've identified the issue, the fix often involves carefully updating your DNS record. First, retrieve the original, correct public key from your email service provider or mail server. This is the key that was generated to match your private signing key. Then, log into your DNS management interface and locate the DKIM TXT record associated with your selector. Microsoft Office 365, for example, provides specific DKIM setup instructions. Ensure you replace the entire p= value with the correct, full string. If the key needs to be split due to length, ensure each part is enclosed in double quotes and separated by a single space, like "part1" "part2". Double-check for extra spaces, line breaks, or stray characters. After updating, allow for DNS propagation, then test your DKIM record again.
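The checks described above (re-joining a split TXT record, validating the base64 alphabet and length of the p= value, and spotting a truncated key) as an added example written for this article; it is not Suped's tooling or code from any DKIM verifier, and the sample record it ships with is constructed filler rather than a real RSA key:

```python
import base64
import re

# RFC 4648 base64 alphabet, which a DKIM p= value must use. RFC 6376 also
# permits folding whitespace inside the value, so that is removed, not flagged.
B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")

def join_txt_strings(txt: str) -> str:
    """Re-join a TXT record published as several quoted strings."""
    parts = re.findall(r'"([^"]*)"', txt)
    return "".join(parts) if parts else txt

def parse_tags(record: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into a {tag: value} dict."""
    items = (i.split("=", 1) for i in record.split(";") if "=" in i)
    return {k.strip(): v.strip() for k, v in items}

def der_outer_length_ok(der: bytes) -> bool:
    """True if der is one complete SEQUENCE (tag 0x30) whose declared length
    matches the bytes present; a truncated key fails this test."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F                       # long-form: n bytes of length follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def check_dkim_record(txt: str) -> list:
    """Return the problems found in a DKIM TXT record (empty list = looks OK)."""
    p = "".join(parse_tags(join_txt_strings(txt)).get("p", "").split())
    if not p:
        return ["missing or empty p= tag"]
    problems = []
    if not B64_RE.match(p):                 # typo, hidden or non-ASCII character
        problems.append("characters outside the base64 alphabet in p= value")
    if len(p) % 4:
        problems.append("base64 length not a multiple of 4 (truncated?)")
    if problems:
        return problems
    if not der_outer_length_ok(base64.b64decode(p)):
        problems.append("decoded key is not a complete DER structure (truncated?)")
    return problems

# Constructed sample: a DER SEQUENCE around filler bytes, not a real RSA key,
# sized only to exercise the length checks. Use the p= fetched from DNS instead.
_BODY = bytes(range(256)) + bytes(range(38))
GOOD_P = base64.b64encode(b"\x30\x82" + len(_BODY).to_bytes(2, "big") + _BODY).decode()
GOOD_RECORD = f'"v=DKIM1; k=rsa; p={GOOD_P[:200]}" "{GOOD_P[200:]}"'  # two <=255-char strings
```

A key that passes these checks can still be the wrong key for the selector; that mismatch only shows up when a signed message is verified end to end.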
Best practices for DKIM key management
Preventing these errors in the first place involves careful management of your DKIM keys. When generating new keys, always use a reliable key generator provided by your email service, mail server software, or a trusted third-party tool. This ensures the key is in the correct format and encoding. Avoid manual editing of the key string. Once generated, copy the public key directly and paste it into your DNS management interface. Even if the records appear accurate, validation can fail if hidden formatting issues exist.
Key management best practices
Use automated tools: If possible, use an automated system to publish DKIM records.
Validate before use: Always test your new DKIM record with a checker immediately after publishing.
Document your keys: Keep a secure, unformatted copy of your public key in your records.
Regular auditing: Periodically audit your DKIM records to ensure they remain valid.
Regular monitoring of your email authentication (including SPF, DKIM, and DMARC) is also key. Tools that provide DMARC reports can alert you to DKIM authentication failures, allowing you to catch invalid key errors early before they significantly impact your sender reputation or deliverability. Proactive monitoring helps you maintain a strong email sending infrastructure.
Views from the trenches
Best practices
Always use the exact key provided by your email service, without any manual edits.
Confirm that the key length is appropriate for your DNS provider's TXT record limits.
Regularly check your DKIM records after any DNS changes or migrations to catch issues early.
Common pitfalls
Copying and pasting the key from a text editor that introduces line breaks or hidden characters.
Truncating the key due to DNS record length limitations without proper splitting.
Using an outdated or incorrect public key after a key rotation.
Expert tips
If using OpenSSL to generate keys, ensure the output format is suitable for DNS TXT records.
Verify that your DNS provider supports the necessary length for DKIM TXT records and handles splitting correctly.
Consider generating 2048-bit RSA keys for stronger security, ensuring your DNS provider supports the longer TXT record required.
Expert view
Expert from Email Geeks says a bad base64 decode error usually indicates that the public key is malformed in some way.
2024-01-26 - Email Geeks
Expert view
Expert from Email Geeks says many key length issues occur because base64 encoded data should always be an even number of characters long.
2024-01-26 - Email Geeks
Ensuring your DKIM records are valid
An invalid RSA public key error in your DKIM records is a critical issue that can severely impact your email deliverability and sender reputation. These errors, often stemming from subtle formatting mistakes, truncation, or incorrect DNS entries, prevent recipient mail servers from verifying your email's authenticity.
By understanding the common causes and implementing systematic troubleshooting, you can quickly identify and rectify these problems. Adopting best practices for key generation, DNS management, and continuous monitoring is essential for maintaining a robust email authentication posture and ensuring your messages consistently reach their intended inboxes.