DKIM
DKIM Record Checker
Use this tool to check, lookup, and validate your DKIM record.
The tags and their definitions
| TAG | TAG DESCRIPTION |
|---|---|
| v | The version tag indicates the version of DKIM, and should always be set on 1. |
| p (required) | The public key tag is a string of characters generated during DKIM setup. Leaving the value empty deems it invalid. |
| t | This tag lists the flags in a colon-separated sequence. There are two defined flags: y and s. Undefined flags must be ignored. |
| s | This tag lists record-applicable service types. If the appropriate service type misses, the receiving servers must ignore the tag. Same goes with the unrecognized service types. |
| h | This tag defines the acceptable hash algorithms. In its default state, it allows all. Unrecognized algorithms must be ignored. The sender is responsible for determining each entry in the list. |
| k | This is the key type tag with a default value of "rsa". It's crucial that both sending and receiving servers support this value. |
| n | This tag acts like an optional note field for administrators. We recommend that you use this field only if necessary. |
Why does DKIM lookup matter?
The tool checks if the DKIM record for a particular selector is published for domain and if it is correct. It also informs whether you need to take action regarding the DKIM record validation result. To run a DKIM check, enter your domain in the Domain section, input your selector name and click on the DKIM Lookup button.
What does DKIM lookup do?
- Check if the DKIM TXT record is published in DNS for the domain
- Check the published DKIM TXT record syntax
- Validate DKIM public key associated with selector
DKIM - How does it work?
The domain owner generates a public/private key pair to be used for signing outgoing messages. Private keys are stored on the email server, while public keys are implemented in the domain's DNS server. Upon sending emails, the server uses the stored private key to generate a digital signature of the message, which will be inserted in the message header. The receiving server, on the other hand, will retrieve the sender's Public Key from DNS to verify that the signature was generated by the matching private key. A match effectively proves that the email was truly sent from, and with the permission of, the claimed domain and that the message headers and content have not been altered during transit.
How to analyze DKIM selector from DMARC Aggregate Reports
DMARC Aggregate reports contain a specific tag with
How to check DKIM record in your DNS
To check your record in your DNS, you need to find a TXT or CNAME type record with the Host / Name similar to [selector]._domainkey.yourdomain.com.
How to analyze DKIM selector from Email Headers
DKIM selector is inserted into the DKIM-Signature email header as an s= tag when the email is sent.
E.g: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=easydmarc.com; h=content-type:from:mime-version:subject:reply-to:x-feedback-id:to: list-unsubscribe; s=s1;
How many DKIM records can I have?
There are no limitations. You can have multiple records, since technically speaking each DKIM record can be associated with a unique selector. In fact, if your domain uses multiple email services to send emails (Marketing, Transactional, etc.), multiple DKIM selectors and private/public key pairs must be used to separate these services.
Investigating DKIM Issues
Is DKIM part of the DMARC protection?
Yes. DKIM is one of the authentication protocols (along with SPF) DMARC relies on to provide a set of instructions to receiving email servers on how to handle unauthenticated mail.
If I have an SPF do I have to implement DKIM?
Absolutely. Both SPF and DKIM play a major role in the email authentication world. In fact, unlike SPF, DKIM tends to survive the Forwarding cases.