OPENPGPKEY Record Security
The OPENPGPKEY record publishes OpenPGP public keys in DNS, enabling automatic discovery of encryption keys for email addresses. Defined in RFC 7929, it's part of the DANE (DNS-Based Authentication of Named Entities) family of protocols.
Look Up OPENPGPKEY Records
Check OPENPGPKEY records for any domain using our free DNS lookup tool.
What Is an OPENPGPKEY Record?
OPENPGPKEY records store OpenPGP/GPG public keys directly in DNS, allowing email clients to automatically find encryption keys for recipients:
- Automatic key discovery — Find keys without key servers
- Email encryption — Enable encrypted email to any address
- DNSSEC validation — Keys are authenticated via DNSSEC
- Decentralized distribution — Domain owner controls their keys
OPENPGPKEY Record Format
Example OPENPGPKEY Record
<hash>._openpgpkey.example.com. IN OPENPGPKEY <base64-key>
The hash is derived from the local part of the email address.
Record Name Construction
For the email address user@example.com:
- Take the local part: user
- Convert it to lowercase: user
- Compute the SHA-256 hash of the local part
- Encode the first 28 bytes of the hash as hex (56 characters)
- Append ._openpgpkey.example.com.
# Example for user@example.com
29a5d...5c2f._openpgpkey.example.com. OPENPGPKEY mQENBF...
OPENPGPKEY vs Key Servers
| Aspect | OPENPGPKEY (DANE) | Key Servers |
|---|---|---|
| Control | Domain owner controls | Third-party operated |
| Authentication | DNSSEC validation | Web of Trust / signatures |
| Revocation | Remove DNS record | Publish revocation cert |
| Privacy | Email addresses hashed | Often searchable |
| Availability | Depends on DNS | Depends on key server |
Setting Up OPENPGPKEY
1. Generate the Hash
# For user@example.com
echo -n "user" | sha256sum | cut -c1-56
# Result: 29a5d...5c2f
2. Export the Public Key
# Export in binary format, then base64 encode
gpg --export user@example.com | base64 -w0
3. Create the DNS Record
29a5d...5c2f._openpgpkey.example.com. 3600 IN OPENPGPKEY mQENBF...
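The record-name construction and the three setup steps above, carried through in one place as an added example (not code from the original page or from any DANE project): it derives the owner name from an address, rejects the ASCII-armored export that the troubleshooting list warns about, and emits the zone-file line. The key bytes are a constructed placeholder standing in for the output of `gpg --export`, and the lowercasing of the local part follows the page's own steps.

```python
import base64
import hashlib

OPENPGPKEY_LABEL = "_openpgpkey"


def local_part_hash(local_part: str) -> str:
    """SHA-256 of the UTF-8 local part, truncated to 28 bytes (56 hex chars)."""
    return hashlib.sha256(local_part.encode("utf-8")).hexdigest()[:56]


def openpgpkey_owner_name(email: str) -> str:
    """Owner name: <hash>._openpgpkey.<domain>. (hash of the lowercased local part)."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    domain = domain.lower().rstrip(".")  # DNS names are case-insensitive
    return f"{local_part_hash(local.lower())}.{OPENPGPKEY_LABEL}.{domain}."


def looks_armored(key_bytes: bytes) -> bool:
    """True for an ASCII-armored export; the record needs the binary form."""
    return key_bytes.lstrip().startswith(b"-----BEGIN PGP")


def openpgpkey_rdata(key_bytes: bytes) -> str:
    """Presentation-format RDATA: the raw binary key, base64 encoded.
    A typical binary export starts with the public-key packet header
    0x99 0x01 0x0d, which is why the page's sample RDATA begins with mQEN."""
    if looks_armored(key_bytes):
        raise ValueError("key is ASCII-armored; export it in binary form")
    if not key_bytes:
        raise ValueError("empty key")
    return base64.b64encode(key_bytes).decode("ascii")


def build_openpgpkey_record(email: str, key_bytes: bytes, ttl: int = 3600) -> str:
    """One zone-file line for the address and its binary public key."""
    name = openpgpkey_owner_name(email)
    return f"{name} {ttl} IN OPENPGPKEY {openpgpkey_rdata(key_bytes)}"


# Constructed placeholder bytes, not a real OpenPGP key.
SAMPLE_KEY = b"\x99\x01\x0d\x04" + bytes(range(16))

if __name__ == "__main__":
    print(build_openpgpkey_record("User@example.com", SAMPLE_KEY))
```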
Client Support
Email clients and tools that support OPENPGPKEY:
- GnuPG — --auto-key-locate dane
- Sequoia PGP — Built-in DANE support
- Thunderbird — With OpenPGP enabled
- Various libraries — DNS-based key lookup
Using with GnuPG
# Enable DANE key lookup
gpg --auto-key-locate dane --locate-keys user@example.com
# Or in gpg.conf
auto-key-locate dane
OPENPGPKEY Best Practices
- Use DNSSEC — Essential for key authenticity; unsigned records are untrustworthy.
- Minimal key export — Export only the public key, not user IDs or subkeys.
- Regular updates — Update records when keys change or expire.
- Test thoroughly — Verify records work with common clients.
- Consider key size — Very large keys may cause DNS issues.
Security Considerations
- DNSSEC required — Without DNSSEC, keys can be spoofed by attackers.
- Single point of control — Domain owner controls all keys for their domain.
- No revocation distribution — Clients should also check revocation status.
- Hash collisions — Truncated hash could theoretically collide (unlikely).
Troubleshooting OPENPGPKEY
Common issues and solutions:
- Key not found — Verify hash calculation is correct.
- Invalid key format — Ensure binary export, not ASCII-armored.
- DNSSEC validation fails — Check zone is properly signed.
- Client not using DANE — Enable DANE lookup in client settings.
- Record too large — Consider using smaller key or multiple records.
Monitor Your PGP Key Distribution
DNS Explorer validates OPENPGPKEY records, checks DNSSEC status, and tracks your email encryption configuration.
Check Your OPENPGPKEY Records
Use our DNS Record Finder to look up OPENPGPKEY records for any domain.
Related Record Types
- SMIMEA Record — S/MIME certificate in DNS
- TLSA Record — TLS certificate association
- SSHFP Record — SSH fingerprints
- TXT Record — Alternative key publishing