---
title: "What is the right way to split DKIM keys? | DMARC Report"
description: "What is the right way to split DKIM keys? from DMARC Report explains practical steps for email authentication, domain protection, deliverability, and DMARC."
image: "https://dmarcreport.com/og/blog/what-is-the-right-way-to-split-dkim-keys.png"
canonical: "https://dmarcreport.com/blog/what-is-the-right-way-to-split-dkim-keys/"
---
Quick Answer
DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists. DMARC Report What is the right way to split DKIM keys?
Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/)
Share
[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fwhat-is-the-right-way-to-split-dkim-keys%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=What%20is%20the%20right%20way%20to%20split%20DKIM%20keys%3F&url=undefined%2Fblog%2Fwhat-is-the-right-way-to-split-dkim-keys%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fwhat-is-the-right-way-to-split-dkim-keys%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fwhat-is-the-right-way-to-split-dkim-keys%2F&title=What%20is%20the%20right%20way%20to%20split%20DKIM%20keys%3F "Share on Reddit") [ ](mailto:?subject=What%20is%20the%20right%20way%20to%20split%20DKIM%20keys%3F&body=Check out this article: undefined%2Fblog%2Fwhat-is-the-right-way-to-split-dkim-keys%2F "Share via Email")
## Try Our Free DKIM Lookup
Auto-discover DKIM selectors for any domain - scan 185 common selectors across all major providers.
[ Discover DKIM Selectors → ](/tools/dkim-lookup/)
> The organizations that invest in email authentication early save themselves from expensive incidents later, says Vasile Diaconu, Operations Lead at DuoCircle. We see the pattern constantly: a domain gets spoofed, customers lose trust, and the remediation effort costs 10x what proactive DMARC setup would have cost.
DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists. DMARC Report
What is the right way to split DKIM keys?
```
```
/
```
```
RSS Feed
```
Share
Link
Embed
```
/\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-17557” readonly/>
```
```
DNS limitations sometimes require splitting DKIM keys. Splitting keys helps ensure compatibility with DNS limitations, especially when dealing with long keys that offer stronger security. _Usually, DKIM keys are split at the time of initial configuration if they exceed the DNS length limits_. Most DNS providers impose a limit of 255 characters per line, so if your **key exceeds this limit**, it will fail to fit in the [TXT record](https://www.digicert.com/faq/dns/what-is-a-txt-record) as a single string.
Another reason why splitting [DKIM keys](https://dmarcreport.com/blog/setting-dkim-keys-for-salesforce/) is suggested is that if you try to insert a very long key without splitting it, a few DNS providers may truncate the data or produce errors. Splitting ensures that the entire key is intact and readable by DNS resolvers for validation . To enhance [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) and prevent spoofing, it’s essential to properly configure DKIM by splitting long keys into manageable segments\*\*, ensuring they fit within DNS limitations and work seamlessly with [SPF](https://dmarcreport.com/what-is-spf/) and [DMARC](https://dmarcreport.com/) for comprehensive email authentication.
## When to split DKIM keys?
Here are the cases in which you may need to split DKIM keys:
## Using a 2048-bit or longer key
Any key shorter than **2048-bit is considered weak**. So, if you also use a [2048-bit](https://sendgrid.com/en-us/blog/2048-bit-dkim-keys) or longer key, you will have to split it as it surpasses [DNS TXT record](https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/) character limits.
## If you receive an error from your DNS provider
If you have added a long key as a single string, there are high chances of errors. If your provider alerts you of character limitations or [data truncation](https://en.wikipedia.org/wiki/Data%5Ftruncation), splitting the key is not just necessary but urgent to **prevent potential issues**.
## Testing reveals issues in the DKIM configuration
If \*\*DKIM lookup tools show problems setting up [DKIM](https://dmarcreport.com/what-is-dkim/), there is a possibility of a truncated or incorrectly formatted key in your DNS. _In such cases, splitting the key is encouraged_.
## High-security needs in your domain’s email authentication
Organizations handling [sensitive data](https://www.imperva.com/learn/data-security/sensitive-data/) or high-volume [email traffic](https://emailanalytics.com/email-traffic/) often require strong \*\*DKIM authentication to [prevent spoofing](https://www.bleepingcomputer.com/news/google/google-now-blocks-spoofed-emails-for-better-phishing-protection/). _In such cases, using a longer key is essential, and splitting becomes part of the setup_.
## Steps to split DKIM keys
- **Step 1**: Use a tool to generate a **DKIM key pair**. This will produce a [private key](https://www.techtarget.com/searchsecurity/definition/private-key) (used by your [mail server](https://www.activecampaign.com/glossary/mail-server)) and a public key (added to your DNS).
- **Step 2**: Format the [public key](https://www.investopedia.com/terms/p/public-key.asp). A typical DKIM public key starts with v=DKIM1; k=rsa; p= , followed by a long string representing the public key. The key after p= can be very long, often exceeding DNS provider limits, so it must be split.
- **Step 3**: _Split the key by dividing the p= value into smaller chunks, making sure each chunk adheres to your DNS provider’s character limit_. You can do this by cutting the key into segments at convenient points (avoid splitting in the middle of a character pair if possible).
- **Step 4**: Place each \*\*chunk in quotation marks and add line breaks between each chunk in your [DNS settings](https://www.ntchosting.com/encyclopedia/dns/settings/).
Example:
`v=DKIM1; k=rsa; p="MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3/o5a/oFE""AXV6Y9WVB13eXdPd7RtyBLAtYj3UeS9fZ2YxNs6y0vUKF4rzL""jXpvlpclBG1QgDFe/lJkzW+mG/gFJLZf4BBSdjFhJxdyHb7Yp""ITm+m2EvLUuoOnYeYyU9lkUjiJBLRe0CRHsp7iKrmiU+AiFYk""MfuBAozv0QIDAQAB"`
Each line here is within the character limits and enclosed in quotes. When saved, it should \*\*automatically reassemble into the full \[DKIM key\](https://dmarcreport.com/blog/setting-dkim-keys-for-salesforce/) for verification.
- **Step 5**: Use a tool like dig or check your domain’s [DKIM configuration](https://www.getresponse.com/help/what-is-dkim-and-how-to-configure-it.html) using online checkers to ensure the key has been added correctly and is readable as a single, concatenated key.
Following these steps ensures your DKIM key fits within \*\*DNS limitations and remains effective for [email authentication](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/).
## Topics
[ dkim ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/)
[ Brad Slavin ](/authors/brad-slavin/)
General Manager
Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin)
## Take control of your DMARC reports
Turn raw XML into actionable dashboards. Start free - no credit card required.
[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/)
## Related Articles
[ Foundational 8m 10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 12m 10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[ Foundational 12m 10 Reasons SPF Filtering Is Critical For Email Security Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/)
```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```
```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```
```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"What is the right way to split DKIM keys?","description":"What is the right way to split DKIM keys? from DMARC Report explains practical steps for email authentication, domain protection, deliverability, and DMARC.","url":"https://dmarcreport.com/blog/what-is-the-right-way-to-split-dkim-keys/","datePublished":"2024-10-31T10:48:07.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2024-10-31T10:48:07.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/what-is-the-right-way-to-split-dkim-keys/"},"articleSection":"foundational","keywords":"dkim, DMARC, email security, SPF","wordCount":897,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"What is the right way to split DKIM keys?","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```
```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"What is the right way to split DKIM keys?","item":"https://dmarcreport.com/blog/what-is-the-right-way-to-split-dkim-keys/"}]}
```