DKIM Record Checker
Lookup, your domain’s DKIM record for a particular DKIM selector to identify possible issues and fix them.
Check Your DKIM Record And Fix Possible Issues
Authenticate outbound email with DKIM. EasyDMARC’s DKIM Checker tests and validates if the DKIM record of your domain is implemented correctly. Our DKIM Checker analyzes the header of an email to confirm that it has been signed using the private key of a domain and that the signature is valid.
This helps domain owners take responsibility for a message in transit, confirming that it comes from the given domain and hasn’t been altered.
A DKIM record check discovers the issues in your DKIM record syntax and proves that there’s a public record associated with a given selector. Once you have the lookup results, you’ll be able to take steps toward advancing your email authentication.
Frequently Asked Questions
What Is a DKIM Record?
DKIM record is a DNS syntax in TXT format that contains the selector and the public key used for DKIM email authentication. This record is stored in the DNS server of the domain name used for sending emails.
The selector is a string that identifies the specific private key used to sign the email message, and it is added to the email header along with the signature.
The public key is the key that is used to verify the signature of the email message. Here is an example of a DKIM record in the DNS:
In this example, mailo is the selector prefix, and easydmarc.online is the domain name. The v=DKIM1 tag indicates that this is a DKIM record, k=rsa specifies that RSA encryption is used, and p= includes the public key for the domain.
Upon receiving an incoming email, the recipient server retrieves the DKIM record from the DNS and uses it to verify its authenticity.
What Are DKIM Keys? How Does DKIM Work?
DKIM (DomainKeys Identified Mail) is an email authentication technology that helps verify the authenticity of an email message and prevent email spoofing.
DKIM works by adding a digital signature to the header of an outgoing email message. The signature is created using a private key associated with the sender's domain name. This private key is generated and stored by the mail server or service provider responsible for sending the email.
When the recipient's email server receives the email message, it should use the public key from the sender's DNS record to validate the signature in the email header. If the signature is valid, the recipient can be confident that the email comes from the domain it claims to be from and that the contents of the email have not been tampered with in transit.
To use DKIM, a domain owner must create a public/private key pair, publish the public key in a DNS TXT record under the domain name, and configure their email server to sign outgoing messages using the private key. However, third-party email service providers (ESP) like Google, Microsoft, SendGrid, and others keep the private keys in their own servers without sharing them with the public. In such cases, the user must retrieve the Public Key from their portal or contact the provider's support team to obtain it. The recipient's mail server then queries the DNS to retrieve the public key and validates the signature in the email header to determine if the message is authentic.
Overall, DKIM ensures that your email has not been altered during the sending process. DKIM and SPF (Sender Policy Framework) help your DMARC enforcement and increase your email deliverability, warding off cybercriminals, email fraud, and phishing attacks.
Why Do You Need DKIM, DMARC, And SPF Checks?
DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting, and Conformance), and SPF (Sender Policy Framework) are all email authentication protocols that help prevent email spoofing and improve email deliverability. Spammers and scammers use email spoofing to send fraudulent emails that appear to come from a legitimate sender. Email authentication protocols help prevent spoofing by allowing email service providers and recipients to verify that message was sent by the domain owner or a legitimate sender authorized by the domain owner.
Implement SPF, DKIM, and DMARC to:
- Improve email deliverability: Email service providers are more likely to deliver your emails to the intended recipient's inbox if they can verify that the email is legitimate.
- Protect against email spoofing and fraud: Email authentication can prevent unauthorized parties from using your domain to send fraudulent or malicious emails.
- Monitor and manage your email reputation: DMARC provides visibility into how your domain is being used for email and allows you to monitor and manage your domain reputation.
Implementing SPF, DKIM, and DMARC is crucial to ensure your domain is protected from email-borne attacks and that your email messages reach the intended recipients' inboxes.
Why Does DKIM Lookup Matter?
DKIM record lookup matters because it gives you information on DKIM issues. Knowing the problems is the first and most crucial step before building your email authentication action plan.
What Does DKIM Lookup Do?
EasyDMARC’s DKIM Checker:
- Checks if the DKIM TXT record is published in DNS for the domain
- Checks the published DKIM TXT record syntax
- Validates DKIM public key associated with selector
It returns warning messages for each problem it finds in your DKIM record.
How To Test DKIMkey?
Here's how to test DKIMkey in 4 steps:
- Check the email headers for the "DKIM-Signature" field, and verify the "d=" tag to ensure the email was signed using your domain's DKIM. Also, use the "Authentication-Results" field to check if the email passed or failed DKIM validation.
- Use EasyDMARC's DKIM checker tool to verify the syntax and configuration of your public key signature. We recommend sticking to one reliable DKIM checker tool to ensure consistency of results.
- Use EasyDMARC's Email Investigate Tool to investigate specific email messages with DKIM issues. The tool provides DKIM pass or failure results that help identify if the DKIM is working. Still, it doesn't provide visibility into specific DKIM signature issues such as signature algorithm, public key, or signature itself.
- Monitor your DMARC Aggregate reports daily to ensure your email authentication protocols, including DKIM, work as expected. Ensure your DKIM keys are correctly configured and published in your DNS records. If you notice any issues with your email authentication setup, take appropriate action to resolve them.
How To Check DKIM via “nslookup” From the Command Line?
You can check the DKIM record for a domain using the nslookup command in the console or command line. Here's how:
- Open the console or command line on your computer.
- Type nslookup -q=txt <selector>._domainkey.<domain> where <selector> is the DKIM selector and <domain> is the domain name.
- Press Enter to execute the command.
- The output will display the DKIM record for the domain, including the public key and other information.
Below is an example of checking the DKIM record for the domain easydmarc.us with the selector google:
nslookup -q=txt google._domainkey.easydmarc.us
Non-authoritative answer:
google._domainkey.easydmarc.us text = "v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtlOQQmjs3Y5diVg6cKpeJNfiWy0V9DXUERY3xvDyOC2DF8X2P+oNsNfuqpF/dffsSMLxyQOe2aj2msqHaX6MoG8ATUfk1pnNhUu8gqphhyMeBOpGRBsDPCPmaLj+SxO42Tbo9jz8yV//zoTVIJlHe3VKe8DrE22kGT2GcdVQdTR2YLtEV8e4UEgT2pPVmRdpZ"
"PXYq/nESCaMi8JTCTaARjTpi2Nxs/G4eV8dSv7RIw0qXz6XDfNyDacJ6uIs1hC84R+tFX0GCMJ+z6heD6PPCZtDhBj/hy1MGwg3z+5izDBEBsgCRsNaVa0XHKb54I1L9f/x502WUN9dmOv41jPlswIDAQAB"
The command will return the DKIM record for google._domainkey.easydmarc.us, which includes the DKIM public key and other information.
How To Check DKIM via the Command Line With the Dig?
To check the DKIM record for a domain using the dig command, follow these steps:
- Open the console or command line on your computer.
- Type dig <selector>._domainkey.<domain> TXT where <selector> is the DKIM selector and <domain> is the domain name.
- Press Enter to execute the command.
- The output will display the DKIM record for the domain, including the public key and other information.
Here's how you can check the DKIM record for the domain easydmarc.us with the selector google:
dig txt google._domainkey.easydmarc.us
; <<>> DiG 9.10.6 <<>> txt google._domainkey.easydmarc.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10094
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google._domainkey.easydmarc.us. IN TXT
;; ANSWER SECTION:
google._domainkey.easydmarc.us. 300 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtlOQQmjs3Y5diVg6cKpeJNfiWy0V9DXUERY3xvDyOC2DF8X2P+oNsNfuqpF/dffsSMLxyQOe2aj2msqHaX6MoG8ATUfk1pnNhUu8gqphhyMeBOpGRBsDPCPmaLj+SxO42Tbo9jz8yV//zoTVIJlHe3VKe8DrE22kGT2GcdVQdTR2YLtEV8e4UEgT2pPVmRdpZ"
"PXYq/nESCaMi8JTCTaARjTpi2Nxs/G4eV8dSv7RIw0qXz6XDfNyDacJ6uIs1hC84R+tFX0GCMJ+z6heD6PPCZtDhBj/hy1MGwg3z+5izDBEBsgCRsNaVa0XHKb54I1L9f/x502WUN9dmOv41jPlswIDAQAB"
The command returns the DKIM record for google._domainkey.easydmarc.us, which includes the DKIM public key and other information in the "ANSWER SECTION"
How to check DKIM record in your DNS?
Here’s what you need to do to check your DKIM record manually:
- Go to your DNS provider and login
- Navigate to the records page and search for a TXT or CNAME type record with the Host / Name similar to the following string: [selector]._domainkey. yourdomain.com
This method gives the same result as inputting your domain and selector in our DKIM record checker tool.
How To Analyze DKIM Selector From DMARC Aggregate Reports?
DMARC Aggregate reports contain a specific tag with ”selector name”, which helps you easily identify your DKIM signature Selector name. We also convert this data into an easy-to-read format where you can identify your DKIM Selector name under your dashboard's “DKIM Auth. Results” tab.
How to analyze DKIM selector from Email Headers?
DKIM selector is inserted into the DKIM-Signature email header as an s= tag when the email is sent. Below is an example of a dkim signature, where s= tag is what you’re searching for:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=easydmarc.com; h=content-type:from:mime-version:subject:reply-to:x-feedback-id:to: list-unsubscribe; s=s1;
How Long Does It Take To Set Up DKIM?
The process of setting up DKIM depends on various factors, such as your level of familiarity with the process, the complexity of your email infrastructure, and the policies and procedures of your email service provider or hosting company.
The process of setting up DKIM involves the following:
- Generating a public and private key pair
- Publishing the public key as a DNS record
- Configuring your email server or service to sign outgoing messages with the private key
If you are using a third-party email service provider, such as Google Workspace or Microsoft 365, the DKIM setup process is usually straightforward and only takes a few minutes. Simply follow the provider's instructions.
If you're managing your own email infrastructure, DKIM setup may require more time and technical expertise. You need to generate the keys, publish the DNS record, and configure your mail server to use DKIM, which can take anywhere from a few hours to a few days, depending on your experience and the setup complexity.
It's worth noting that the time it takes to set up DKIM is only part of the process. After you've set up DKIM, you'll need to monitor its performance and make adjustments to ensure the optimal deliverability of your email messages.
What Are Some Common DKIM Issues?
- DNS configuration errors: DKIM requires the correct setup of specific DNS TXT records, including the DKIM public key and policy records. Any errors in the DNS configuration can cause DKIM to fail, for example, missing or incorrect records or syntax errors.
- Key length: The DKIM key length must be at least 1024 bits, but some email providers require longer keys. Using a key that is too short can result in DKIM failures.
- Mismatched domain names: DKIM requires that the domain name used in the DKIM signature matches the domain name used in the email's From address. If there is a mismatch, DKIM will fail. This process is also known as DKIM alignment, an essential factor for DMARC compliance.
- Incorrect signing algorithm: DKIM allows for several signing algorithms, but not all email providers support all of them. Using an unsupported algorithm can cause DKIM to fail.
- Message body changes: DKIM signs the email message headers and the body. Still, if you change the message body after it has been signed, the DKIM signature will become invalid. This can happen if the email passes through a gateway or is modified by a content filter. In this case, the DKIM signature will fail verification when received by the recipient's email server.
How many DKIM records can I have?
As many as you want. The only limitation is how many DKIM records your DNS provider can handle.
Technically, each DKIM record can be associated with a unique selector, and it’s imperative to use multiple selectors for each email sending service.
How To Investigate DKIM Issues?
There are several ways to investigate DKIM issues:
- Use EasyDMARC's DKIM Lookup tool to verify if your DKIM record and public key are properly implemented.
- You can also use DMARC reports to gather more information about DKIM passes and failures. EasyDMARC’s Aggregate Report Analyzer tool can be super helpful in this process.
- Investigate Email Headers to retrieve DKIM-Signature, and analyze the underlying results.
If you’re using third-party ESPs and obtained the DKIM Public key from them, ensure you’ve made the necessary configurations in their portal.
Is DKIM Part of the DMARC Protection?
Yes. DKIM is one of the two authentication protocols (SPF is the other one) that DMARC relies on. At least one of them should pass for a successful DMARC check.
If I Have an SPF, Do I Have To Implement DKIM?
Absolutely. Both SPF and DKIM play a major role in email authentication. In fact, unlike SPF, DKIM tends to survive email forwarding cases, so it’s of utmost importance to set it up.