
DKIM Key Checker

Use this tool to look up and verify a DKIM DNS TXT record and determine its public key length to detect the use of weak cryptographic DKIM keys (less than 1024 bits).


Selector: DKIM selectors enable a single domain to have multiple keys. Some domains, like Twitter and eBay, use “dkim”. Google Workspace domains typically use “google”. Others simply use “default”. Enter yours below. Do not include “_domainkey”; this tool will add it automatically when making the DKIM check DNS lookup.
Domain: Base domain name (e.g. example.com).

  
Keys less than 1024 bits are considered at risk.


    


About This Tool

This DKIM test tool has been used over 2 million times since it was launched, helping domain administrators improve their email authentication, and globally reduce sender address forgery (spoofing), which is often used in spam emails and phishing attacks.

If you are curious, you can read more about why I originally wrote this DKIM tester.

Please let me know if you find a valid DNS record that doesn’t parse properly for some reason and I’ll take a look and update my code as needed.

What Is It Doing?

At a high level, the code for this DKIM validator does the following:

  • Using the Selector and Domain you provide, the DKIM record check first queries your DKIM DNS TXT record.
  • The DNS results are parsed to extract the DKIM tags of interest from the record, as defined by RFC 6376.
  • Finally, it processes the extracted public key found in the p= tag using OpenSSL to determine the key size. If the length is less than 1024 bits, you’ll receive a warning in the UI response so you’ll know to regenerate and update your keys.
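
The parse and key-size steps above, sketched in Python as an added example (not the tool's own code). It takes the TXT character-strings a resolver returns, so the DNS query itself is left out, and it goes beyond the RSA case to accept records split across several strings and RFC 8463 Ed25519 keys. Function names are hypothetical, and applying the 1024-bit threshold to RSA only is an assumption.

```python
import base64
import re

MIN_RSA_BITS = 1024  # the page's "at risk" threshold; applied to RSA only (assumption)

# p= values are those quoted in the comments on this page. Splitting the RSA record into
# two character-strings and the ed25519 tag wrapper are constructed for illustration.
RSA_TXT = ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu85+PZRVgrTN2VMyINKIA8Ebi"
           "FMBn0aDyUYzdfL7kl7hZJnOV0BvyR9I1xwRN/EmDEgd9DVkjYKgT1fNj",
           "HkjLDmPtirCc1QiAfceCqjGbWjuOFtFjW5RfaQP4rqnJ0CH2QL3hwfekTBfHPkKAO4mf37gtlkXMUSXz"
           "QiIUTd+ogwIDAQAB;"]
ED_TXT = ["v=DKIM1; k=ed25519; p=uzzRDKgjhwQb6bQ3wRPWKnIBvXPuV7I44JAc4Va6cm0="]

def parse_tags(txt_strings):
    """Concatenate the TXT character-strings, then split the RFC 6376 tag-list."""
    pairs = (p.split("=", 1) for p in "".join(txt_strings).split(";") if "=" in p)
    return {name.strip(): re.sub(r"\s+", "", value) for name, value in pairs}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(spki):
    """Modulus size of an RSA SubjectPublicKeyInfo, the form p= carries for k=rsa."""
    _, pos, _ = _tlv(spki, 0)              # outer SEQUENCE
    _, _, pos = _tlv(spki, pos)            # skip AlgorithmIdentifier
    _, pos, _ = _tlv(spki, pos)            # BIT STRING
    _, pos, _ = _tlv(spki, pos + 1)        # skip unused-bits byte, enter RSAPublicKey
    tag, start, end = _tlv(spki, pos)      # modulus INTEGER
    if tag != 0x02:
        raise ValueError("p= is not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(spki[start:end], "big").bit_length()

def check_record(txt_strings):
    """Return (algorithm, key_bits, at_risk); raises ValueError when a check fails."""
    tags = parse_tags(txt_strings)
    algo, key = tags.get("k", "rsa"), base64.b64decode(tags.get("p", ""), validate=True)
    if tags.get("v", "DKIM1") != "DKIM1" or not key:   # an escaped 'DKIM1\' fails here
        raise ValueError("bad v= tag, or empty p= (revoked key)")
    if algo == "ed25519" and len(key) == 32:           # RFC 8463: p= is the raw 32-byte key
        return algo, 256, False
    if algo != "rsa":
        raise ValueError("unsupported k= value or wrong key length")
    bits = rsa_bits(key)
    return algo, bits, bits < MIN_RSA_BITS
```

Both sample records pass: the RSA key is 1024 bits whether or not it arrives split, and the 44-character Ed25519 value decodes to 32 bytes.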

I maintain this free DKIM checker as a public service for sysadmins, security and ops folks to help us improve email security and reduce spam. I hope you find it useful!

Privacy Notice — I log only basic usage information: date, DNS query/response, and calculated public key length. I record these only for the purposes of detecting abuse of the tool or my systems, and to debug any issues with my code to improve it. I don’t, and won’t collect, correlate, retain, share or sell any Personally Identifiable Information (PII) from this tool.

142 thoughts on “DKIM Key Checker”

  1. Pingback: Outbound Solution
  2. Hi, thanks for the tool. Just found out that many similar tools out there are unable to handle long keys…yours works perfectly.

  3. Great tool. If you could please add support for some of the newer TLDs, .properties in particular, that would be swell.

  4. Thanks for the tool! Just a remark:
    Base64 encoded data usually wrap lines after 64 chars. The public key your tool did reconstruct wrapped after 78.

    1. @Evil_Wolf: Can you share a couple example domains and selectors to test so I can work on adding support? Thanks!

  5. Great tool. Just entered a DKIM record with more than 255 chars and the lookup result looked rather funny. I was expecting BIND to concatenate the multiple parts into one! Checked here with success. Then found out that it is the application using this record which is supposed to concatenate the parts.

  6. Hmmm, worked that time, after I updated my DNS to remove the domain. I just put it back, we’ll see how your tool does tomorrow.

  7. Hi Dave

    Thank you so much for providing this tool. I was able to check my Key Strength which was 1024 and upgraded it to 2018 at Google Apps.

    This has helped me a lot to implement DMARC and see how Spammers are trying to use my domains for their hideous activities.

    Regards
    Varun

    1. It should be working, what selector/domain are you testing?

      Mine has a 2048 bit key, for an example:

      selector: google
      domain: protodave.com

  8. Sorry, noob question here – how does the receiving server know what selector to use / ask the sending server for?

    Is that in the header of the email? you talk about how different websites use different phrases : )

    thanks!!

  9. Hi! There are many tools to verify DKIM TXT records.
    But I did not find any tool to verify the DKIM Data of an Email already sent. I mean copy&paste the raw mail code to check mail text and metadata. Why is it so hard to find a tool for that? Cause this is what dkim is for.

  10. Your tool missed an error in what a client published. They included escape characters (v=DKIM1\;) and your tool gave them “success” as a result. Using MXTOOLBOX it pointed out their error.

    May want to look into that – they used your site to erroneously believe they’d published correctly.

    Thanks!

  11. Just wondering if I copy the contents of the result “—-begin certificate — ” and save it as a .pem file, will the regular cert reading tools be able to decipher it as a certificate?

  12. Is the code for this available anywhere? Just curious how you parse the record and feed it into openssl.

    1. Hi Dan! I haven’t published the code but it’s just a quick little PHP script with a flow that looks like this…

      • dig to grab the DKIM DNS record, since PHP’s dns_get_record() doesn’t properly handle returning TXT records for long DKIM entries.
      • Regex to extract the tags of interest from the record, per RFC 6376 : https://tools.ietf.org/html/rfc6376#section-3.6.1
      • Process the extracted public key via PHP’s OpenSSL library: openssl_get_publickey -> openssl_pkey_get_details

      If you want more specifics about any of that, drop me a note via the Contact page and I’ll email you further details.

  13. I get a fail on my test but a pass for other online checking pages – from reading I suspect it has to do with the FQDN appended to the selector eg my selector is:

    phr1._domainkey

    and it seems to fail on some sites including this one but pass on others – are you able to check if the un-appended FQDN is the problem?

    Thanks,
    Phil.

    1. Hi Phil! Yes, just use your DKIM selector, phr1, in the “Selector” input box. Do not include the _domainkey subdomain.

      Using that, along with your Domain pricom.com.au works for me. Let me know if that helps.

  14. Hi
    I’ve set up a 2048 key for MailPlus on my Synology NAS and split the key across 2 TXT records in the DNS but the checker only reports it as a 1024 key. Does it not handle split keys?

    1. Hi Julian! It should handle split keys. What’s your DNS TXT record (selector/domain) and I can take a look.

  15. For some reason this tool is not able to find the dkim entry on any of my websites. All have dkim as selector in a TXT record:
    3dworldz.com, sovariaestates.world, gospellearningcenter.com, localfood4u.com.

    1. Hi Bob!

      I do see your DKIM TXT record on dkim.3dworldz.com

      ❯ dig -t TXT dkim.3dworldz.com
      ;; ANSWER SECTION:
      dkim.3dworldz.com. 60 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu85+PZRVgrTN2VMyINKIA8EbiFMBn0aDyUYzdfL7kl7hZJnOV0BvyR9I1xwRN/EmDEgd9DVkjYKgT1fNjHkjLDmPtirCc1QiAfceCqjGbWjuOFtFjW5RfaQP4rqnJ0CH2QL3hwfekTBfHPkKAO4mf37gtlkXMUSXzQiIUTd+ogwIDAQAB;"

      However, the DKIM specification uses a namespace subdomain called “_domainkey” to store DKIM records.

      So you’ll want to use the format:
      [your selector]._domainkey.[your domain name]

      Example: dkim._domainkey.3dworldz.com

      The relevant RFC section:
      https://datatracker.ietf.org/doc/html/rfc6376#section-3.6.2.1

      And some more details about the naming of the DKIM DNS entry:
      https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/

  16. Resolved! Nice to finally find out how to put in the selector on the domain TXT record. Host entry is to be dkim._domainkey and the Value with the rest of the required data. Validation is now working and finding the entry on my domain. Thanks Dave!

  17. Thanks for providing the tool.

    The recommended key length now appears to be 2048 bit.
    Perhaps 1024 bit should return orange instead of green?

  18. RFC 8463: The p= value in the key record is the Ed25519 public key encoded in base64. Since the key is 256 bits long, the base64 text is 44 octets long.

    Mailhardener:
    Record is valid

    This site:
    Query Status: Unable to properly parse or decode the public key string and determine key length, or the key is invalid. Tip: Make sure there aren’t any special characters or newlines pasted into your key in the TXT record. Reminder: DNS record changes may take some time to propagate and update depending on your TTL setting.

    Public key (BASE64):
    uzzRDKgjhwQb6bQ3wRPWKnIBvXPuV7I44JAc4Va6cm0=

    Public key (PEM):
    -----BEGIN PUBLIC KEY-----
    MCowBQYDK2VwAyEAuzzRDKgjhwQb6bQ3wRPWKnIBvXPuV7I44JAc4Va6cm0=
    -----END PUBLIC KEY-----

    The above 44 char key that failed looks identical to the last 44 chars of its original key which probably would have passed. Perhaps the first 16 chars are the ASN.1 structure. They may be the same chars for all keys. I thought it was weird that this key and last key started the exact same (first four characters).

  19. Hi, this is a good tool, especially for validating the key size. I’d like to see an option to omit the selector in order to validate a TXT record’s public key size. This can come in handy when using CNAME records pointing to public key TXT records, and can provide feedback that the key size is too small prior to creating those CNAME records on a client domain.
