High Severity · DKIM

Fix: DKIM Record Syntax Error

Your DKIM DNS record contains a syntax error that prevents it from being parsed correctly. Common issues include missing or malformed tags, line breaks in the key, or incorrect quoting.

Quick Fix

Fix formatting issues in your DKIM TXT record (common: missing quotes, line breaks in key, wrong selector).

What This Error Means

The DKIM TXT record exists but cannot be parsed as a valid DKIM key record. This causes DKIM verification to fail for all emails signed with this selector.

Why It Matters

A DKIM record with a syntax error is effectively the same as having no DKIM record. All DKIM verification will fail, removing DKIM from your DMARC alignment options.

Step-by-Step Fix

1. Retrieve and inspect the record

Pull the raw record from DNS and look for formatting issues.

Example
dig +short TXT selector._domainkey.yourdomain.com

2. Check the record format

A valid DKIM record must contain v=DKIM1, k=rsa (or k=ed25519), and p= followed by the base64-encoded public key with no spaces or line breaks.

Before
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQE FAAOCAQ8AMIIBCgKCAQEA...
After
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

3. Remove line breaks from the public key

When copying the public key from your provider, line breaks are sometimes included. The p= value must be one continuous base64 string.

Before
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
xyz123abc456def789...
After
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyz123abc456def789...

4. Verify the corrected record

After fixing, send a test email and confirm DKIM passes.

Example
dig +short TXT selector._domainkey.yourdomain.com
# Should return a clean, parseable DKIM record

Common Gotchas

  • When DNS providers split long TXT records into multiple strings, make sure the split does not occur in the middle of a tag name or value.
  • An empty p= tag (p=;) is valid and means the key has been revoked. This is intentional for key rotation, not an error.
  • Some DNS providers add extra quotes or escape characters that corrupt the record. Check the raw DNS response.
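
A linter for the checks in steps 2 and 3 and the gotchas above, as an added example that is not part of the original page or of the scanner it mentions. It takes one answer line as printed by dig +short TXT, joins split strings the way a resolver does, and reports the formatting problems this page lists. The function names and sample records are constructed for illustration, and an absent v= or k= tag is assumed acceptable.

```python
import base64
import binascii
import re

# Constructed samples in `dig +short TXT` form; the key is a shortened placeholder.
SAMPLES = {
    "split":   '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEF" "AAOCAQ8AMIIBCgKCAQEA"',
    "space":   '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQE FAAOCAQ8AMIIBCgKCAQEA"',
    "revoked": '"v=DKIM1; k=rsa; p=;"',
    "quoted":  '"\\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\\""',
}

def join_txt_strings(dig_line):
    """Concatenate the quoted strings of one TXT answer with nothing in between."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_line)
    return "".join(parts) if parts else dig_line.strip()

def lint_dkim_record(dig_line):
    """Return (tags, findings) for one TXT answer line."""
    tags, findings = {}, []
    for item in join_txt_strings(dig_line).split(";"):
        if not item.strip():
            continue  # trailing ';' or empty segment
        name, sep, value = item.partition("=")
        if not sep:
            findings.append(f"malformed tag: {item.strip()!r}")
            continue
        tags[name.strip()] = value.strip()
    # Assumption: absent v= / k= tags are not flagged, only wrong values.
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= is not DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append(f"unknown key type k={tags['k']}")
    p = tags.get("p")
    if p is None:
        findings.append("p= tag missing")
    elif p == "":
        findings.append("p= is empty: key revoked (intentional, not a syntax error)")
    elif re.search(r"\s", p):
        findings.append("whitespace or line break inside p=")
    elif "\\" in p or '"' in p:
        findings.append("stray quote or escape character inside p=")
    else:
        try:
            base64.b64decode(p, validate=True)
        except binascii.Error:
            findings.append("p= is not valid base64")
    return tags, findings

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, lint_dkim_record(line)[1] or "ok")
```

To check a live record, pass each line of the dig output from step 1 to lint_dkim_record.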

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

What is the correct format for a DKIM TXT record?

v=DKIM1; k=rsa; p=BASE64ENCODEDPUBLICKEY — The v= tag is the version, k= is the key type (usually rsa), and p= is the base64-encoded public key with no spaces or line breaks.

What does an empty p= tag mean?

An empty p= tag (v=DKIM1; k=rsa; p=;) means the key has been intentionally revoked. This is used during key rotation to signal that the old selector is no longer valid.

How do I know if my DNS provider is corrupting the record?

Compare the value you entered in your DNS panel with what is returned by dig. If there are extra quotes, spaces, or truncation, your DNS provider may be modifying the value.
