DKIM Checker and Validator

Field	Value	Copy
FQDN	{{ fqdn }}
Version (v)	{{ tags.v \|\| '—' }}
Key Type (k)	{{ keyType }}
Key Bits (p)	{{ keyBits }}
Hash Algos (h)	{{ tags.h \|\| '—' }}
Service Type (s)	{{ tags.s \|\| '—' }}
Flags (t)	{{ tags.t \|\| '—' }}
TTL	{{ ttl }}
Lookup Time	{{ time }} ms
DNSSEC AD	{{ dnssecAD ? 'Yes' : 'No' }}
DNS Status	{{ dnsStatusText }}
Resolver Used	{{ resolverUsed \|\| resolver }}
CNAME Target	{{ alias \|\| '—' }}
Raw Record	{{ record }}

Tag	Value	Copy
{{ key }}	{{ val }}

DKIM Checks	Status
{{ c.label }}

DomainKeys Identified Mail public keys are published as simple text records that live under a selector name for a domain. They signal which signing method is used and expose the public part needed to verify mail that claims to be from that domain.

Administrators use these records to confirm that email authentication is set up as intended and strong enough for present needs. Enter a domain and selector, then read the tags and the quick pass or fail checks to understand what is configured and whether it looks sound.

The lookup builds the full name from your selector and domain, follows a visible alias when present, and collects a single concatenated text value. A clear table reports the version, the declared key type, an estimated bit length, allowed services, hash algorithms, flags, caching time, and resolver status so you can act with confidence.

For example, a marketing domain might use the selector “default” and publish a strong key for all email. If a test flag is left on by mistake, the checks will call that out so you can tidy up before campaigns go live.

Results reflect the published record only, not the behavior of remote mail servers. If you are rotating keys, expect short periods where answers vary by resolver until caches settle.

Technical Details:

The subject is a DomainKeys Identified Mail (DKIM) DNS publication, observed as a text record at a fully qualified name formed from a selector and a domain. The tool measures the presence and content of DKIM tags, the resolver’s code and authenticated‑data flag, the record’s time to live, and a rough key size derived from the public key string.

Computation begins by following a canonical name target when present and then concatenating all text fragments at the target into one record string. The record is parsed into a map of key–value pairs using semicolons as separators. From the public key tag, an estimated key length in bits is computed from the Base64 length.

Results are summarized as simple checks. A correct version string indicates a DKIM key record, a present public key indicates a usable key, a service tag that includes email or all indicates a match for mail, a hash list that includes SHA‑256 indicates modern signing, and a clear flag shows that test mode is not left on. For RSA keys, 1024 bits is the minimum and 2048 bits is the recommended level; Ed25519 keys are fixed at 256 bits by design.

Comparability depends on resolver choice and cache state. The authenticated‑data indicator reflects the upstream resolver’s validation, not a full chain you control. Expect caching to influence the time to live you see across different networks.

\begin{array}{lcl} bits & = & 8 \cdot ⌊ \frac{L \cdot 3}{4} ⌋ \end{array}

Symbols and units
Symbol	Meaning	Unit/Datatype	Source
`L`	Length of Base64 public key string	characters	Derived from `p`
`bits`	Estimated key size	bits	Computed
`TTL`	Resolver caching time	seconds	DNS answer or authority
`AD`	Authenticated‑data flag from resolver	boolean	DNS response

Worked example

Selector default and domain example.com produce the name default._domainkey.example.com. The record parses to v=DKIM1; k=rsa; p=<base64>.

If p is 344 characters long:

\begin{array}{lclcl} bits & = & 8 \cdot ⌊ \frac{344 \cdot 3}{4} ⌋ & = & 2064 \end{array}

Interpretation: 2064 bits meets the recommended RSA threshold and all checks should pass for version, key presence, and modern hash support when tags agree.

Interpretation thresholds
Threshold band	Lower	Upper	Interpretation	Action cue
RSA minimum	1024	2047	Usable but below current best practice	Plan a rotation to 2048 bits
RSA recommended	2048	—	Meets common policy expectations	Keep and monitor expiry
Ed25519 fixed	256	256	Curve key at expected size	Verify receiving side support

Build the name as <selector>._domainkey.<domain>.
Query CNAME and record the target when present.
Query TXT at the target or original name.
Concatenate all text fragments into one value.
Parse semicolon‑separated tags into a map.
Estimate key bits from the Base64 length.
Evaluate version, key presence, service, hashes, flags, and size thresholds.

Validation rules and bounds
Field	Type	Min	Max	Step/Pattern	Error text	Placeholder
Domain	string	1	—	trimmed	Domain is required	example.com
Selector	string	0	—	trimmed	—	default
Resolver	enum	—	—	auto, cloudflare, google, quad9, opendns	Lookup failed · No DKIM record found	Auto (try several)

Constants and defaults
Constant	Value	Unit	Source	Notes
DoH endpoints	cloudflare‑dns.com/dns‑query; dns.google/resolve; dns.quad9.net:5053/dns‑query; doh.opendns.com/dns‑query	URIs	Built‑in	Accept header `application/dns-json`
Auto resolver order	Cloudflare → Google → Quad9 → OpenDNS	sequence	Built‑in	Stops on first usable answer
Auto‑validate debounce	200	ms	Built‑in	Applies when the toggle is on

Units, precision, and rounding: Key bits are integers from the Base64 length using floor, time is rounded to whole milliseconds, and the decimal separator is a period. Time to live values are reported in seconds as returned by the resolver.

I/O formats and encoding: Inputs are plain strings for domain and selector. The output includes a tag map, an estimated key length, check results, and resolver metadata. DNS lookups request and parse application/dns-json responses, with a content parameter set for endpoints that require it.

Networking and storage behavior: Queries are issued from the browser to the chosen DNS‑over‑HTTPS endpoint. There is no server component, and no data is kept beyond the current page session.

Performance and complexity: At most two queries per resolver are attempted, so the worst case is eight network calls in auto mode. Response time reflects resolver latency and cache state.

Diagnostics and determinism: Identical published records yield identical tags and check outcomes. Timings and time to live can vary by resolver. The pass counter summarizes overall health at a glance.

Security considerations: Inputs are trimmed and used only to form DNS names. Returned text is displayed and copied as plain values. Do not paste secrets into fields. Use dedicated test records when experimenting.

Assumptions and limitations:

Key size is estimated from Base64 length, not from parsed modulus bytes.
Only one visible alias hop is followed per lookup.
Record validity is inferred from tags, not from live message signatures.
Service tag interpretation is a simple string match for email or all.
Hash list is checked only for the presence of SHA‑256.
Test flag is treated as production‑unsafe when set.
Heads‑up TTL may reflect authority hints when answer records are absent.
DNSSEC authenticated‑data reflects the resolver, not an end‑to‑end chain you control.
Only the listed resolvers are used; no system resolver fallback exists.
Multiple records or split keys are concatenated without per‑part validation.

Edge cases and error sources:

NXDOMAIN, SERVFAIL, or REFUSED response codes prevent record discovery.
Empty p= indicates revocation and will fail key‑present checks.
Non‑Base64 characters in p= are stripped before size estimation.
Quoted TXT chunks with stray quotes can alter concatenation.
Unusual whitespace between tags may yield empty keys on parse.
Multiple DKIM records at one name are not merged intelligently.
Alias loops or deep chains are not detected beyond the first hop.
Resolver‑specific caching can produce different TTLs moment to moment.
Slow resolvers increase measured lookup time and can trigger retries.
Transient network errors appear as a generic lookup failure message.

Scientific and standards backing: Behavior follows the DomainKeys Identified Mail specification, common DNS resource record conventions, and widely implemented DNS‑over‑HTTPS response formats.

Privacy and compliance: Operation is browser‑based. Queries are sent to the selected public resolver and are not stored server‑side. Treat internal hostnames as sensitive configuration data.

How to Use:

DKIM record inspection shows what a domain publishes and whether basic checks pass.

Enter the Domain you want to inspect.
Enter the Selector, or keep the default if unknown.
Pick a resolver or keep Auto for fallback behavior.
Run validation and wait for the status summary to appear.
Review tags, key size, and flags, then act on any failed checks.

Example: example.com with selector default should return a version of DKIM1 and a non‑empty public key.

If results vary, try another resolver to confirm cache differences.

FAQ:

Is my data stored?

No. Lookups are sent directly to the selected resolver and not kept on a server.

Query names may appear in resolver logs per their policies.

How accurate is the key size?

It is an estimate from the Base64 length of the public key. For RSA it closely matches the modulus size, and Ed25519 is always 256 bits.

Padding and encoding can shift the count by a few bits in rare cases.

Which tags are parsed?

Version, key type, public key, hash algorithms, service, and flags. Unknown tags are preserved for inspection.

Why does the status say no record?

The name might not exist, the resolver may be returning a failure code, or the record is split across names that are not reachable.

Can this check message signatures?

No. It inspects the published DNS record only. Signature validation happens on receiving mail servers.

Does it work offline?

No. It needs network access to reach the selected resolver.

Is there a cost or license?

Use is unrestricted here. Check the project’s license terms if you plan to embed or modify it.

How do I validate a CSR?

This page is for DKIM DNS records. Use a certificate request viewer for CSR inspection.

Troubleshooting:

Confirm the selector name with your email platform documentation.
Try a different resolver to bypass cache or regional issues.
Remove any trailing dot from the domain field.
Look for a CNAME that points to a hosted mail provider.
Check that the record is a TXT at the DKIM name, not at the root.
Wait for caches to expire if you made recent changes.

If every resolver returns a failure code, the domain or selector is likely wrong, or the record has not been published.

Advanced Tips:

Tip Keep a standard selector naming scheme across brands for easier audits.

Tip Rotate RSA keys on a regular cadence and retire any 1024‑bit keys.

Tip Use a short time to live during rollout, then raise it after validation.

Tip Prefer separate selectors for automated and human‑sent mail streams.

Tip Keep a change log of selector updates for incident reviews.

Tip Test from different networks to spot resolver‑specific anomalies.

Glossary:

Selector: Left label used to locate a domain’s key record.
TXT record: DNS text data that carries DKIM tags and values.
CNAME: Alias that points one name to another name.
TTL: Time a resolver may cache an answer.
Authenticated‑data: Resolver flag indicating validated DNSSEC.
RCODE: Numeric DNS response code such as NOERROR or NXDOMAIN.
RSA: Public‑key system with variable modulus size.
Ed25519: Curve‑based key with fixed 256‑bit size.
Service tag: Scope of use, often set to email or all.
Test flag: Indicator that a key is published for testing only.