How does OPENPGPKEY naming work?

The record name is constructed by hashing the local part of the email address with SHA-256, taking the first 56 hex characters, then appending ._openpgpkey.domain. This provides privacy for email addresses.

What's the difference between OPENPGPKEY and key servers?

OPENPGPKEY gives domain owners control over their keys with DNSSEC authentication. Key servers are third-party operated using Web of Trust. OPENPGPKEY hashes email addresses for privacy while key servers are often searchable.

Does OPENPGPKEY require DNSSEC?

Yes, DNSSEC is essential for OPENPGPKEY security. Without DNSSEC, an attacker could publish fake PGP keys and intercept encrypted email. The zone must be properly signed.

OPENPGPKEY Record Security

Q: What is an OPENPGPKEY record?

An OPENPGPKEY record (RFC 7929) publishes OpenPGP public keys in DNS for automatic email encryption key discovery. It's part of the DANE family, allowing email clients to find PGP keys without traditional key servers.

The OPENPGPKEY record publishes OpenPGP public keys in DNS, enabling automatic discovery of encryption keys for email addresses. Defined in RFC 7929, it's part of the DANE (DNS-Based Authentication of Named Entities) family of protocols.

Look Up OPENPGPKEY Records

Check OPENPGPKEY records for any domain using our free DNS lookup tool.

Look Up OPENPGPKEY Records →

What Is an OPENPGPKEY Record?

OPENPGPKEY records store OpenPGP/GPG public keys directly in DNS, allowing email clients to automatically find encryption keys for recipients:

Automatic key discovery — Find keys without key servers
Email encryption — Enable encrypted email to any address
DNSSEC validation — Keys are authenticated via DNSSEC
Decentralized distribution — Domain owner controls their keys

OPENPGPKEY Record Format

Example OPENPGPKEY Record

<hash>._openpgpkey.example.com.    IN    OPENPGPKEY    <base64-key>

The hash is derived from the local part of the email address.

Record Name Construction

For email address [email protected]:

Take the local part: user
Convert to lowercase: user
Compute SHA-256 hash
Encode first 28 bytes as hex (56 characters)
Append ._openpgpkey.example.com.

# Example for [email protected]
29a5d...5c2f._openpgpkey.example.com.    OPENPGPKEY    mQENBF...

OPENPGPKEY vs Key Servers

Aspect	OPENPGPKEY (DANE)	Key Servers
Control	Domain owner controls	Third-party operated
Authentication	DNSSEC validation	Web of Trust / signatures
Revocation	Remove DNS record	Publish revocation cert
Privacy	Email addresses hashed	Often searchable
Availability	Depends on DNS	Depends on key server

Setting Up OPENPGPKEY

1. Generate the Hash

# For [email protected]
echo -n "user" | sha256sum | cut -c1-56
# Result: 29a5d...5c2f

2. Export the Public Key

# Export in binary format, then base64 encode
gpg --export [email protected] | base64 -w0

3. Create the DNS Record

29a5d...5c2f._openpgpkey.example.com.    3600    IN    OPENPGPKEY    mQENBF...

Client Support

Email clients and tools that support OPENPGPKEY:

GnuPG — --auto-key-locate dane
Sequoia PGP — Built-in DANE support
Thunderbird — With OpenPGP enabled
Various libraries — DNS-based key lookup

Using with GnuPG

# Enable DANE key lookup
gpg --auto-key-locate dane --locate-keys [email protected]

# Or in gpg.conf
auto-key-locate dane

OPENPGPKEY Best Practices

Use DNSSEC — Essential for key authenticity; unsigned records are untrustworthy.
Minimal key export — Export only the public key, not user IDs or subkeys.
Regular updates — Update records when keys change or expire.
Test thoroughly — Verify records work with common clients.
Consider key size — Very large keys may cause DNS issues.

Security Considerations

DNSSEC required — Without DNSSEC, keys can be spoofed by attackers.
Single point of control — Domain owner controls all keys for their domain.
No revocation distribution — Clients should also check revocation status.
Hash collisions — Truncated hash could theoretically collide (unlikely).

Troubleshooting OPENPGPKEY

Common issues and solutions:

Key not found — Verify hash calculation is correct.
Invalid key format — Ensure binary export, not ASCII-armored.
DNSSEC validation fails — Check zone is properly signed.
Client not using DANE — Enable DANE lookup in client settings.
Record too large — Consider using smaller key or multiple records.

Check Your OPENPGPKEY Records

Use our DNS Record Finder to look up OPENPGPKEY records for any domain.