DKIM Record Syntax: Is the “v=DKIM1;” Tag Required for Email Authentication?


RFC 6376 defines DKIM (DomainKeys Identified Mail) key records as tag-value pairs separated by semicolons. The complete format should appear as:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Many email service providers implement DKIM records without the version tag. While technically non-compliant with RFC 6376, this approach has become common in practice. Your provider's record:

k=rsa; p=hGF6ksa9fjf8SD6bcKk...

still functions because:

  • Modern DKIM validators assume DKIM1 as the default version
  • The cryptographic components (k= and p=) contain the essential information

To verify if your simplified DKIM record works, use these diagnostic commands:

# Using dig to check DNS record
dig TXT selector._domainkey.yourdomain.com

# Testing with OpenDKIM
opendkim-testkey -d yourdomain.com -s selector -vvv

The v=DKIM1 tag becomes crucial in these scenarios:

  • Interoperability with strict RFC-compliant systems
  • Future DKIM version upgrades (DKIM2, etc.)
  • Some enterprise email security gateways

While your current setup likely works, best practice suggests:

# Ideal DKIM record format
v=DKIM1; k=rsa; p=hGF6ksa9fjf8SD6bcKk...

Submit a feature request to your provider for RFC-compliant records. In the meantime, monitor your email deliverability using:

# DMARC report analysis tool
python3 dmarc-parser.py -f report.xml

When examining DKIM records across different providers, you'll encounter variations in syntax. The v=DKIM1; prefix was originally specified in RFC 6376 as the version identifier, but many modern implementations omit it without issues.

RFC 6376 Section 3.6.1 states:

   The tag value MUST match the following syntax:
   
   v= Version (plain-text; RECOMMENDED, default is "DKIM1")

Key points to note:

  • The "RECOMMENDED" keyword in RFCs means implementers should include it but may choose not to
  • The default value is "DKIM1" when omitted
  • Most DKIM verifiers will handle records either way
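
The v= handling described above, as an added example (not code from the original page or from any DKIM implementation): a small parser that applies the RFC 6376 Section 3.6.1 rules to a key record, including two the text above does not spell out, namely that v= must be the first tag when present and that a record starting with any other version value is discarded. The function name check_dkim_key_record and the sample p= values are constructed for illustration.

```python
# Added example: v= handling for a DKIM key record per RFC 6376 Section 3.6.1.
# check_dkim_key_record and the sample records are constructed for illustration.

def check_dkim_key_record(txt: str) -> dict:
    """Parse the TXT value of a DKIM key record and report how v= was handled."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:                          # a trailing ";" is allowed
            continue
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            return {"valid": False, "reason": f"malformed tag {part!r}"}
        tags.append((name.strip(), value.strip()))

    names = [n for n, _ in tags]
    if len(names) != len(set(names)):         # duplicate tags invalidate the list
        return {"valid": False, "reason": "duplicate tag"}
    rec = dict(tags)

    if "v" in rec:
        if names[0] != "v":                   # when present, v= must be first
            return {"valid": False, "reason": "v= is not the first tag"}
        if rec["v"] != "DKIM1":               # any other version: discard record
            return {"valid": False, "reason": "unsupported version"}
    if "p" not in rec:                        # p= is the only required tag
        return {"valid": False, "reason": "missing p="}

    return {
        "valid": True,
        "version": rec.get("v", "DKIM1"),     # default when the tag is omitted
        "version_explicit": "v" in rec,
        "key_type": rec.get("k", "rsa"),      # k= also defaults to rsa
        "revoked": rec["p"] == "",            # empty p= means the key is revoked
    }


if __name__ == "__main__":
    samples = [                               # constructed records, placeholder keys
        "v=DKIM1; k=rsa; p=QUJDREVG",
        "k=rsa; p=QUJDREVG",
        "k=rsa; v=DKIM1; p=QUJDREVG",
        "v=DKIM2; k=rsa; p=QUJDREVG",
    ]
    for s in samples:
        print(s, "->", check_dkim_key_record(s))
```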

Here's how different providers handle DKIM records:

# Google Workspace DKIM record (includes version)
google._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MII..."

# AWS SES DKIM record (omits version)
aws._domainkey.example.com. 3600 IN TXT "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

To verify your DKIM setup works regardless of version syntax:

# Using dig to check record
dig +short TXT google._domainkey.example.com

# Using OpenDKIM tools
opendkim-testkey -d example.com -s google -vvv

Some legacy systems or strict validators may require the version tag. Consider including it if you encounter:

  • Bounce messages mentioning DKIM version errors
  • DMARC reports showing DKIM alignment failures
  • Interoperability issues with older mail servers

Testing with current DKIM validators shows:

/* Sample DKIM verification output (simplified) */
{
  "result": "pass",
  "signature": {
    "version": "DKIM1", // Inferred when missing
    "algorithm": "rsa-sha256",
    "selector": "google"
  }
}

While technically optional, for maximum compatibility:

  1. Keep existing working records as-is
  2. Include v=DKIM1 when creating new records
  3. Test with multiple validators like MXToolbox or DMARC Analyzer