Why do I need to escape ; with \ in a DNS DKIM record?

I'm setting up Email Authentication on our domain to allow authentication with our Email Service Provider.

My understanding is that the DNS record needs to have any ; escaped, e.g., \;

I just want to make sure that ALL ; should be escaped. To that end, I want to make sure I understand why the escaping is needed. I.e., if it's because ; means something special, then how do I know when it should not be escaped and should instead have its special meaning? Or is it that it has a special (and different) meaning in DNS TXT records in general, and that for the special use of a DKIM setting we do not want it to have that special meaning (and perhaps whoever reads the record will apply the value)?

Also, the ESP is telling me that the DNS is "adding \ for some reason" (waiting to confirm whether they just don't understand it).


The choice of what characters are special and require escaping would depend on the nameserver being used as well as what interface is being used to configure the nameserver (for instance if you're using a web-based configuration tool it might automatically escape ; characters for you).

The standard zone file (as defined by RFC 1034/1035) uses the ; character to start a comment. If you did not have a backslash, text from the semicolon to the end of the line would be ignored by the server.

Note that BIND does not consider a ; inside an already-quoted string to start a comment, nor does it require escaping there, but it will handle it if you do. Both of these should produce the same response:

IN TXT "asdf;jkl"
IN TXT "asdf\;jkl"

Also note that when you use dig or host, the output printed by those will add a backslash to the semicolon for reasons long forgotten.


A ; is the comment character for a zone file, much like # in most Linux config files. It tells BIND to stop reading from the ; onward until the end of that line.

If you have a need to have the character ; within the contents of a DNS record you can surround the record contents with " " and it will be displayed without any interpretation. TXT and SPF records use this format (taken from the OpenDKIM standard):

_domainkey.DOMAIN.TLD. IN TXT "t=y; o=-;"

SELECTOR._domainkey.DOMAIN.TLD. IN TXT "k=rsa; t=y; p=YOUR_PUBLIC_KEY_HERE"

In my zone files I do not have \ characters at all. Commented values are preceded by a ;

; HOST Definitions
mail A 1.2.3.4 ; mail server
time A 1.2.3.4 ; ntp server

I'm not sure why you would have a need to include an escaped ; character in your DNS records at all. That would mean that Bind would try to interpret it as a hostname or other value.
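Added example (Python, written here, not code from the question or either answer) modelling the zone-file rules both answers describe: an unquoted ; starts a comment, a ; inside a quoted string is record data whether or not it is written as \;, and the quoted strings are then read as DKIM tags. The \DDD decimal escape is taken from RFC 1035 section 5.1 and is an assumption beyond what the answers mention.

```python
import re

# Added example (not from the question or answers): a minimal RFC 1035
# master-file tokenizer for one TXT line. Outside quotes ';' starts a
# comment; inside quotes ';' and '\;' are the same byte, '\\' is a literal
# backslash and '\DDD' is a decimal byte escape (assumed from RFC 1035).
def parse_txt_line(line: str) -> tuple[list[str], str]:
    """Return (character-strings, comment) for one zone-file line."""
    strings: list[str] = []
    comment = ""
    i, n = 0, len(line)
    while i < n:
        if line[i] == ";":                 # unquoted: comment to end of line
            comment = line[i + 1:].strip()
            break
        if line[i] != '"':                 # owner/class/type or whitespace
            i += 1
            continue
        buf = []                           # inside a quoted character-string
        i += 1
        while i < n and line[i] != '"':
            if line[i] == "\\":
                m = re.match(r"\\(\d{3})", line[i:])
                if m:                      # \DDD, e.g. \059 is ';'
                    buf.append(chr(int(m.group(1))))
                    i += 4
                    continue
                i += 1                     # \X -> X (covers \; and \\)
                if i >= n:
                    break
            buf.append(line[i])
            i += 1
        if i >= n:
            raise ValueError("unterminated quoted string")
        strings.append("".join(buf))
        i += 1                             # skip closing quote
    return strings, comment

def parse_dkim_tags(strings: list[str]) -> dict[str, str]:
    """Join the character-strings and split the DKIM tag=value list."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags
```

Running it on the two TXT lines from the first answer gives the same character-string for both, while the `mail A 1.2.3.4 ; mail server` line from the second answer yields no TXT data and the comment "mail server".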