
Introduction:

DomainKeys Identified Mail (DKIM) attaches a domain-signed header to every outbound message, allowing receiving servers to confirm that the message was authorised and that its contents remained unaltered in transit. The public component of the signing key is published as a TXT record in DNS.

This tool accepts a domain and optional selector, queries the corresponding TXT record through a DNS-over-HTTPS request, then parses its semicolon-delimited tag list. It measures RSA key length, checks mandatory tags, and returns pass-fail summaries you can act on immediately.

Use it when configuring or auditing email authentication to uncover expired, test-only, or weak cryptographic keys before they damage deliverability. Avoid publishing private test selectors on production domains.

Technical Details:

Concept Overview

DKIM embeds a cryptographic signature inside each message header, binding it to the sending domain. Verifiers reconstruct the signed values, retrieve the public key from DNS, and validate that the signature was generated by the matching private key. Key size, tag completeness, and advisory flags govern overall trust.

Core Process

  1. Build the FQDN = <selector>._domainkey.<domain>.
  2. Request a TXT record via DNS-over-HTTPS.
  3. Concatenate quoted strings and split on “;”.
  4. Map k, p, v, t tags to values.
  5. Estimate RSA key size with $\text{bits} = \text{len}(p) \times \frac{3}{4} \times 8$.
  6. Generate pass-fail checks for each security criterion.

Interpretation

Key length guidance
| Bits | Assessment |
|---|---|
| < 1024 | Weak – reject |
| 1024 – 2047 | Baseline – acceptable |
| ≥ 2048 | Recommended |

Receiving systems often downgrade messages signed with keys under 1024 bits; 2048 bits or greater aligns with current best practice.

Variables & Parameters

  • domain – base domain queried.
  • selector – hostname prefix identifying a key family.
  • v – record version; must equal “DKIM1”.
  • p – Base64-encoded RSA public key.
  • t – flag list; y indicates testing-only mode.

Worked Example

Input: example.com, selector: default

$\text{len}(p) = 344$; $344 \times \frac{3}{4} = 258$; $258 \times 8 = 2064$

Key length : 2048 bits (rounded) → passes recommended threshold.
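
The Core Process steps and the key-length thresholds above, written out as an added offline example (not the tool's own code). It skips the DNS-over-HTTPS request in step 2 and parses a constructed TXT answer instead; the function names and the sample record are assumptions.

```javascript
// Added example, hypothetical names. Step 1: build the DNS name holding the key.
function dkimFqdn(domain, selector = "default") {
  return `${selector}._domainkey.${domain}`;
}

// Step 3a: join the quoted strings of a single TXT answer into one record.
function joinTxt(data) {
  const parts = data.match(/"[^"]*"/g);
  return parts ? parts.map((s) => s.slice(1, -1)).join("") : data;
}

// Steps 3b-4: split on ";" and map tag names to values (first one wins).
function parseTags(record) {
  const tags = Object.create(null);
  for (const item of record.split(";")) {
    const eq = item.indexOf("=");
    if (eq < 0) continue;
    const key = item.slice(0, eq).trim();
    if (key && !(key in tags)) tags[key] = item.slice(eq + 1).replace(/\s+/g, "");
  }
  return tags;
}

// Step 5: the page's estimate, len(p) x 3/4 x 8. It counts the whole
// DER-encoded key, so it reads slightly above the RSA modulus size.
function estimateBits(p) {
  return Math.floor((p.length * 3) / 4) * 8;
}

// Step 6: pass/fail checks using the page's thresholds and tag rules.
function checkRecord(data) {
  const tags = parseTags(joinTxt(data));
  const p = tags.p || "";
  const bits = estimateBits(p);
  const checks = {
    version: tags.v === "DKIM1",
    keyType: (tags.k || "rsa") === "rsa", // the tool supports RSA only
    keyPresent: p.length > 0, // an empty p= marks a revoked key
    notWeak: bits >= 1024,
    recommended: bits >= 2048,
    notTesting: !(tags.t || "").split(":").includes("y"),
  };
  return { tags, bits, checks };
}

// Constructed sample: two quoted strings, 344-char placeholder p (not a real key).
const SAMPLE = `"v=DKIM1; k=rsa; t=y; p=${"A".repeat(200)}" "${"A".repeat(144)}"`;
console.log(dkimFqdn("example.com"), checkRecord(SAMPLE));
```

The sample reproduces the worked example's 2064-bit estimate and fails only the testing-mode check because of `t=y`.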

Assumptions & Limitations

  • Supports RSA keys only.
  • Evaluates the first TXT record returned.
  • Ignores DNSSEC status.
  • Does not verify live message signatures.

Edge Cases & Error Sources

  • Selector spelled incorrectly.
  • Multiple TXT records with split keys.
  • Experimental ed25519 key types.
  • DNS resolver time-outs.

Scientific Validity & References

RFC 6376 formally defines DKIM; numerous M3AAWG and NIST publications discuss recommended key lengths and operational pitfalls.

Privacy & Compliance

No user-supplied data is stored; all look-ups occur client-side via public DNS.

Step-by-Step Guide:

Follow these steps to validate any DKIM record.

  1. Enter the target domain in the Domain field.
  2. (Optional) Provide a custom Selector; leave blank for “default”.
  3. Press Validate.
  4. Review the raw record and tag table.
  5. Resolve any failed checks before deploying new signatures.

FAQ:

Is my data stored?

No; the tool performs DNS queries only and keeps nothing server-side.

What if my record is split?

Concatenate the quoted parts into one line before pasting into DNS to avoid parse errors.

Why does the key length matter?

Keys shorter than 1024 bits are vulnerable to brute-force attacks and may be rejected by major mailbox providers.

Do I need multiple selectors?

Yes, rotating selectors lets you replace keys without mail disruption and simplifies incident response.

What does t=y mean?

The record is in testing mode; remove the flag when you are ready to enforce authentication in production.

Glossary:

DKIM
Domain-based message authentication using cryptographic signatures.
Selector
Label that identifies a specific public key record.
TXT Record
DNS resource type that holds arbitrary text data.
RSA
Widely used public-key cryptosystem.
Base64
Encoding scheme converting binary data into ASCII characters.