DKIM glossary

What does t=y mean in a DKIM record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

t=y is the testing flag in a DKIM public-key record: it signals the domain is still testing DKIM. Per RFC 6376, receivers must not treat a test-mode signature differently from unsigned mail, though they may note it. Leaving t=y in production advertises an unfinished rollout — remove it once signing works.

t=y at a glance
Tagt (flags, key record)
Valid valuesy (testing) and/or s (strict i=/d= matching), colon-separated — e.g. t=y, t=s, t=y:s
DefaultOptional; with no t= tag there are no flags and no testing or strict behaviour.
Where it goesIn the _domainkey TXT record (the DNS key), not in the DKIM-Signature header.

How t=y works

t= sets flags on the DNS key record, and y is the testing flag. It announces that the domain is still trialling DKIM. Per RFC 6376, verifiers must not treat a signature from a testing key differently from unsigned mail — even if it fails to verify — though they may make a note of it.

That safety is also the catch. Leaving t=y in place after go-live tells the world your rollout is unfinished and effectively tells receivers not to lean on your signatures. Once you've confirmed signing works end to end, remove t=y so your DKIM actually carries weight.

The t tag can carry a second flag, s, for strict identity matching: it requires the i= identity to share the exact domain of d=, forbidding subdomains. The two combine as t=y:s. Use s deliberately — it's a tightening, not a default.

Correct record vs common mistake

Correct

v=DKIM1; k=rsa; p=MIIBIjANBgkq...IDAQAB

A finished, production key: no t=y flag, so receivers give the signature full weight.

Common mistake

v=DKIM1; k=rsa; t=y; p=MIIBIjANBgkq...IDAQAB

t=y left in production. Receivers may treat the signature like unsigned mail, so DKIM does nothing for you — remove the testing flag once signing is verified.

Troubleshooting t=y

IssueLikely causeFix
DKIM 'passes' but gives no protectiont=y still set, so receivers treat the signature like unsigned mailRemove the t=y flag from the key record once signing is verified
Subdomain identity rejectedt=s (strict) requires i= to match d= exactly, blocking subdomainsDrop the s flag if you need subdomain identities, or align i= with d=
Testing flag forgotten after onboardingt=y was added during setup and never removedMake removing t=y a step in your go-live checklist and re-check the record

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

A t=y left behind after onboarding is easy to miss and quietly neutralizes DKIM for that client — receivers are told not to trust the signatures. Across many tenants, forgotten testing flags mean domains that look DKIM-enabled but get no real protection from it.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Palisade checks whether each client's key is still flagged for testing and confirms signatures are being honored, so a stray t=y is caught and cleared before the domain is advanced to reject.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

It's the testing flag on the DNS key. It tells receivers the domain is still testing DKIM, so they must not treat the signature differently from unsigned mail. Remove it once signing works.

No. In production, t=y signals an unfinished rollout and tells receivers not to rely on your signatures. Remove it after you've verified DKIM is signing and verifying correctly.

It's the strict flag: the i= identity must use the exact same domain as d=, with no subdomains allowed. It's an optional tightening, combined with testing as t=y:s.

Not directly — it doesn't cause a failure. It tells receivers to treat the signature as if it weren't there, so a passing signature simply stops counting for you.

Related terms

What is DKIM? DomainKeys Identified Mail explained