A dkim key checker validates your DomainKeys Identified Mail (DKIM) DNS records. It confirms the public key published in your DNS matches the expected format and content. Use a dkim key checker to verify correct DKIM setup, troubleshoot email delivery issues, or validate third-party sender configurations. This ensures outgoing emails authenticate correctly, preventing spoofing and improving deliverability.
DKIM Key Checker Usage
Verifying your DKIM record involves querying your domain's DNS for a specific TXT record. This record contains the public key used to verify email signatures. You need the DKIM selector and your domain name to perform this check. The selector is typically a string like `s1` or `default`, chosen during your mail service configuration.
Step-by-step usage with `dig`
Open your terminal or command prompt. The `dig` command is a standard tool on Linux and macOS. For Windows, `nslookup` provides similar functionality.
First, identify your DKIM selector. Your email service provider (ESP) or mail server documentation specifies this. For `example.com` with selector `s1`, the full record name is `s1._domainkey.example.com`.
Execute the `dig` command to query the TXT record:
dig TXT s1._domainkey.example.com +short
Replace `s1` and `example.com` with your actual selector and domain. The `+short` option provides a concise output, showing only the record data.
A successful output looks similar to this:
This output contains the DKIM version (`v=DKIM1`), key type (`k=rsa`), and the public key itself (`p=...`). The `p=` value is a Base64-encoded string representing your public key. Its presence and correct format confirm your DKIM record is published.
If you suspect DNS caching issues, query a specific public DNS resolver:
dig @8.8.8.8 TXT s1._domainkey.example.com +short
This queries Google's public DNS server directly, bypassing your local DNS cache.
Step-by-step usage with `nslookup` (Windows)
On Windows, use `nslookup` from the Command Prompt.
nslookup -type=TXT s1._domainkey.example.com
The output will be more verbose than `dig +short`:
Non-authoritative answer:
s1._domainkey.example.com text = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2gM4J7Q6W5K9Z..."
Look for the line starting with `text =` to find your DKIM record content.
Using Secably's DNS Lookup Tool
Secably provides a convenient DNS lookup tool for quick checks without command-line access.
Navigate to the DNS lookup tool page. Enter the full DKIM record name (e.g., `s1._domainkey.example.com`) into the "Domain Name" field. Select "TXT" as the record type. Click "Lookup DNS".
The tool displays the retrieved TXT record, including the DKIM public key. This simplifies the process for users less familiar with command-line interfaces. It offers a clear, immediate confirmation of your DKIM record's existence and content.
Common Use Cases for a DKIM Key Checker
A dkim key checker is vital for various scenarios, from initial setup to ongoing maintenance and security audits.
New DKIM Deployment Verification
After configuring DKIM for a new domain or email service, immediately use a dkim key checker. This confirms the DNS record propagates correctly. A misconfigured public key prevents email authentication. Early verification prevents email delivery issues and ensures proper sender reputation from the start.
Email Delivery Troubleshooting
When users report emails landing in spam folders or receiving bounce messages related to DKIM, check the DNS record. An incorrect, missing, or malformed public key causes DKIM authentication failures. Using a dkim key checker helps quickly diagnose if the issue lies with your DNS configuration. This isolates the problem from other factors like SPF or DMARC.
Third-Party Sender Verification
Many organizations use third-party services like marketing platforms or CRM systems to send emails on their behalf. These services often require you to add their DKIM records to your domain's DNS. A dkim key checker confirms these external records are correctly published under your domain. This ensures emails sent by these services are authenticated as originating from your domain.
Security Audits and Compliance
Regularly auditing your DKIM records is a critical security practice. Use a dkim key checker as part of your routine security checks. Verify all active sending domains have valid DKIM records published. This maintains a strong email authentication posture and helps meet compliance requirements for secure email communication. Missing or expired DKIM records pose a security risk.
DKIM Key Rotation
Security best practices recommend periodic rotation of DKIM keys. When you generate a new DKIM key and update your DNS, use a dkim key checker. Confirm the old key is removed and the new public key is live and accessible. This ensures a smooth transition during key updates, preventing any disruption to email authentication and maintaining security.
Troubleshooting Common Issues
You may encounter several issues when using a dkim key checker. Understanding these helps resolve them quickly.
Record Not Found (NXDOMAIN or No TXT record)
If your `dig` or `nslookup` command returns `NXDOMAIN` or no TXT record, the DKIM record is not publicly accessible.
Check for typos: Re-verify the selector and domain name. A single character error prevents discovery.
DNS propagation: DNS changes take time to propagate across the internet. This can range from minutes to several hours, depending on your DNS provider and TTL settings. Wait a bit and try again.
Incorrect record type: Ensure you published a TXT record, not a CNAME or A record.
DNS provider interface: Double-check your DNS provider's control panel. Confirm the record is saved and enabled.
Missing record: The record might not have been added at all.
Incorrect Key Data (Malformed `p=` value)
The `p=` tag in your DKIM record contains the public key. If this value is incorrect, truncated, or malformed, DKIM authentication fails.
Copy-paste errors: Public keys are long Base64 strings. Common issues include missing characters, extra spaces, or line breaks introduced during copying.
Missing `p=` prefix: Ensure the public key value starts with `p=`.
Invalid Base64: The string after `p=` must be a valid Base64 encoding. Any corruption renders the key unusable.
Compare with source: Get the public key directly from your mail server or ESP. Compare it character by character with the published DNS record. Some DNS providers might split long TXT records into multiple strings; ensure they concatenate correctly.
Multiple DKIM Records for the Same Selector
While DNS allows multiple TXT records for a single host, having more than one DKIM public key for the same selector and domain often causes issues.
Conflict: A receiving mail server that finds two records for one selector cannot tell which key a given signature was made with, so verification can fail depending on which record it picks.
Consolidate or remove: Ensure only one DKIM public key record exists for a specific selector. Remove any duplicates or outdated records. Each selector should map to a unique public key.
Missing `v=DKIM1` Tag
The `v=DKIM1` tag is mandatory. It specifies the DKIM version. If this tag is missing or incorrect, the record is invalid.
Record start: Ensure your DKIM TXT record begins with `v=DKIM1;`.
DNS interface quirks: Some DNS providers have specific formatting requirements for TXT records. Verify no characters are stripped or modified.
Key Length Mismatch or Weak Key
While a basic dkim key checker just confirms the record, it doesn't directly validate key strength. However, you can infer issues.
Inspect `p=` value: A very short `p=` value might indicate an invalid or severely truncated key.
Security best practice: Aim for 2048-bit RSA keys. Older 1024-bit keys are less secure. If your ESP generates 1024-bit keys, consider asking for 2048-bit options or using a different service if security is a high priority.
Pro Tips for Advanced Usage
Beyond basic checks, advanced techniques and knowledge improve your DKIM management.
Automated DKIM Checks
Manually checking DKIM records for multiple domains or selectors is inefficient. Automate this process using scripting.
A simple `bash` script can iterate through a list of domains and selectors:
#!/bin/bash
DOMAINS=("example.com" "anothersite.org")
SELECTORS=("s1" "default")
for domain in "${DOMAINS[@]}"; do
  for selector in "${SELECTORS[@]}"; do
    FULL_RECORD="${selector}._domainkey.${domain}"
    echo "Checking DKIM for: ${FULL_RECORD}"
    RESULT=$(dig TXT "${FULL_RECORD}" +short)
    if [[ -z "$RESULT" ]]; then
      echo " [ERROR] No DKIM record found for ${FULL_RECORD}"
    # dig prints the record as one or more quoted strings, so match the required tags anywhere in it
    elif [[ "$RESULT" == *"v=DKIM1"* && "$RESULT" == *"p="* ]]; then
      echo " [OK] DKIM record found."
    else
      echo " [WARNING] Malformed DKIM record for ${FULL_RECORD}: ${RESULT}"
    fi
    echo ""
  done
done
This script provides basic validation. Integrate such scripts with your monitoring systems. This alerts you to missing or changed DKIM records. Continuous monitoring of external assets, including DNS records, is a core component of external attack surface management (EASM). Tools like Secably help organizations maintain oversight of their attack surface, including proper DNS configurations.
Understanding DKIM Record Tags
A DKIM TXT record contains several tags, each with a specific purpose:
v=DKIM1: This is the DKIM version tag. It must always be `DKIM1`.
k=rsa: The key type. RSA is the most common algorithm.
p=...: The public key data. This Base64-encoded string is the cryptographic key. It's the most critical part of the record.
s=email: The service type. This optional tag indicates the service that uses the DKIM key (e.g., `email`).
t=y: Test mode. If present, it indicates the DKIM record is in test mode. Receivers should treat authentication failures less strictly. Remove this tag for production.
h=sha256: The hash algorithms this key may be used with, as a colon-separated list. `sha256` is standard.
g=: Granularity. This optional tag specifies the local-part of the email address that is signed. `*` means any local-part.
n=notes: An optional field for administrative notes.
DKIM and DMARC Alignment
DKIM is a foundational component of DMARC. DMARC requires DKIM alignment, meaning the domain in the `From` header of an email must match the domain signed by DKIM.
A dkim key checker ensures your DKIM record is valid. This is a prerequisite for DMARC to pass for your emails. Without a valid DKIM record, DMARC will fail DKIM authentication. This can lead to emails being rejected or quarantined based on your DMARC policy. Understanding this interplay is essential for a robust email authentication strategy. For broader security context, review articles like Unpacking CVE-2026-48215: Pre- for insights into pre-authentication vulnerabilities that highlight the need for strong foundational security.
Key Length Best Practices
DKIM keys come in different lengths, typically 1024-bit or 2048-bit RSA.
1024-bit keys: These are still common but offer less cryptographic strength. They are faster to process but more susceptible to brute-force attacks over time.
2048-bit keys: These provide significantly stronger security. Most modern mail systems support them. Always choose 2048-bit keys when possible for enhanced protection and future-proofing.
Your dkim key checker will not directly tell you the key length, but inspecting the `p=` value length can give an indication. Longer `p=` values generally correspond to longer keys.
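As an added example, not code from this page or from Secably's tool, the following Python takes a record string as `dig +short` prints it, joins split TXT strings, checks the `v=` and `p=` tags, and reads the RSA modulus size out of the Base64 key so the length heuristic above becomes an exact number. It assumes RSA keys only (`k=rsa`); `sample_record` builds constructed records around a synthetic modulus of the requested size, not a real key.

```python
import base64
import re
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # AlgorithmIdentifier: rsaEncryption + NULL

def parse_tags(rdata):
    """Join the "..." chunks dig +short prints (DNS concatenates them), then split the tag list."""
    record = "".join(re.findall(r'"([^"]*)"', rdata)) or rdata
    fields = (f.partition("=") for f in record.split(";") if "=" in f)
    return {name.strip(): "".join(value.split()) for name, _, value in fields}  # drop whitespace in values

def _der_read(buf, pos):  # -> (tag, contents, next_pos) for the DER element starting at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    if pos + length > len(buf): raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return the modulus size in bits."""
    tag, body, _ = _der_read(spki, 0)
    _, _, pos = _der_read(body, 0)
    _, bits, _ = _der_read(body, pos)  # BIT STRING; bits[0] is the unused-bit count
    _, rsa, _ = _der_read(bits, 1)     # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    int_tag, n, _ = _der_read(rsa, 0)
    if tag != 0x30 or body[:pos] != RSA_ALG_ID or int_tag != 0x02: raise ValueError("not an RSA key")
    return int.from_bytes(n, "big").bit_length()

def check_record(rdata):
    """Classify one TXT rdata string as ('ok' | 'weak' | 'error', detail)."""
    tags = parse_tags(rdata)
    if tags.get("v") != "DKIM1":
        return "error", "record must start with v=DKIM1"
    if not tags.get("p"):
        return "error", "p= missing or empty (an empty p= means the key was revoked)"
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):  # bad Base64, truncated DER, non-RSA key
        return "error", "p= is not a valid Base64-encoded RSA public key"
    return ("weak" if bits < 2048 else "ok"), "%d-bit RSA key" % bits

def _der(tag, body):  # DER TLV with a 1-, 2- or 3-byte length field; only used to build the sample below
    lb = len(body).to_bytes(1 if len(body) < 256 else 2, "big")
    return bytes([tag]) + (lb if len(body) < 128 else bytes([0x80 | len(lb)]) + lb) + body

def sample_record(modulus_bits):  # constructed record with a synthetic modulus of that size; NOT a real key
    n_der = _der(0x02, b"\x00" + ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8, "big"))
    rsa = _der(0x30, n_der + _der(0x02, b"\x01\x00\x01"))  # public exponent e = 65537
    spki = _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa))
    return '"v=DKIM1; k=rsa; p=%s"' % base64.b64encode(spki).decode()
```

With the usual exponent 65537, a 1024-bit RSA key encodes to a 216-character `p=` value and a 2048-bit key to 392 characters, which is the rule of thumb behind "longer `p=` values correspond to longer keys".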
Observing DNS Caching and TTL
DNS records have a Time-To-Live (TTL) value. This dictates how long DNS resolvers should cache the record.
Lower TTLs (e.g., 300 seconds): Useful during changes or troubleshooting. They ensure updates propagate faster.
Higher TTLs (e.g., 3600 seconds): Reduce the load on DNS servers but mean changes take longer to reflect globally.
When you modify a DKIM record, be mindful of the TTL. Changes might not appear instantly due to caching. Using `dig @8.8.8.8` (or other public DNS resolvers) helps bypass local cache for an immediate view of globally propagated changes.