DKIM

Home Platform DKIM Record Checker

DKIM Record Checker

Use this tool to check, lookup, and validate your DKIM record.

TAGTAG DESCRIPTION
vThe version tag indicates the version of DKIM, and should always be set on 1.
p (required)The public key tag is a string of characters generated during DKIM setup. Leaving the value empty deems it invalid.
tThis tag lists the flags in a colon-separated sequence. There are two defined flags: y and s. Undefined flags must be ignored.
sThis tag lists record-applicable service types. If the appropriate service type misses, the receiving servers must ignore the tag. Same goes with the unrecognized service types.
hThis tag defines the acceptable hash algorithms. In its default state, it allows all. Unrecognized algorithms must be ignored. The sender is responsible for determining each entry in the list.
kThis is the key type tag with a default value of "rsa". It's crucial that both sending and receiving servers support this value.
nThis tag acts like an optional note field for administrators. We recommend that you use this field only if necessary.

Why does DKIM lookup matter?

The tool checks if the DKIM record for a particular selector is published for domain and if it is correct. It also informs whether you need to take action regarding the DKIM record validation result. To run a DKIM check, enter your domain in the Domain section, input your selector name and click on the DKIM Lookup button.

What does DKIM lookup do?

  • Check if the DKIM TXT record is published in DNS for the domain
  • Check the published DKIM TXT record syntax
  • Validate DKIM public key associated with selector

DKIM - How does it work?

The domain owner generates a public/private key pair to be used for signing outgoing messages. Private keys are stored on the email server, while public keys are implemented in the domain's DNS server. Upon sending emails, the server uses the stored private key to generate a digital signature of the message, which will be inserted in the message header. The receiving server, on the other hand, will retrieve the sender's Public Key from DNS to verify that the signature was generated by the matching private key. A match effectively proves that the email was truly sent from, and with the permission of, the claimed domain and that the message headers and content have not been altered during transit.

How to analyze DKIM selector from DMARC Aggregate Reports

DMARC Aggregate reports contain a specific tag with” selector name”, which helps you easily identify your DKIM signature Selector name. We also convert this data into an easy-to-read format where you can identify your DKIM Selector name under the “DKIM Auth. Results” tab of your dashboard.

How to check DKIM record in your DNS

To check your record in your DNS, you need to find a TXT or CNAME type record with the Host / Name similar to [selector]._domainkey.yourdomain.com.

How to analyze DKIM selector from Email Headers

DKIM selector is inserted into the DKIM-Signature email header as an s= tag when the email is sent.

E.g: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=easydmarc.com; h=content-type:from:mime-version:subject:reply-to:x-feedback-id:to: list-unsubscribe; s=s1;

How many DKIM records can I have?

There are no limitations. You can have multiple records, since technically speaking each DKIM record can be associated with a unique selector. In fact, if your domain uses multiple email services to send emails (Marketing, Transactional, etc.), multiple DKIM selectors and private/public key pairs must be used to separate these services.

Investigating DKIM Issues

Use EasyDMARC's DKIM Lookup tool to verify if your DKIM record and Public Key are properly implemented without any syntax or other issues
Analyze DMARC Aggregate Reports that contains all the relevant information of your DKIM Signatures (If they’re passing or failing)
Investigate Email Headers to retrieve DKIM-Signature, and analyze the underlying results
If you’re using third-party ESPs and obtained DKIM Public key from them, make sure you have “Activated” DKIM Signing process from their portal

Is DKIM part of the DMARC protection?

Yes. DKIM is one of the authentication protocols (along with SPF) DMARC relies on to provide a set of instructions to receiving email servers on how to handle unauthenticated mail.

If I have an SPF do I have to implement DKIM?

Absolutely. Both SPF and DKIM play a major role in the email authentication world. In fact, unlike SPF, DKIM tends to survive the Forwarding cases.