Checking your DKIM DNS record

Update — Due to the recently released vulnerability related to the use of weak cryptographic DKIM keys, I wrote a tool to check DKIM records and determine their public key length: DKIM Key Checker

DKIM For The Masses

Google announced today they have added the ability for Google Apps customers to sign outbound email using the DKIM (DomainKeys Identified Mail) standard.

You can set it up for your own Google Apps domain (if you are the domain admin) using these instructions.

It’s a simple process but the trickiest part can be creating the DNS TXT record (which contains your DKIM public key), depending on how you manage your DNS. If you are serving DNS directly via your registrar, Google has some specific instructions for popular domain hosts.

Checking your work

Here’s a quick tip how you can check to make sure you created the record properly and it is being served…

From a shell/console (using your own domain name, of course):

dig TXT

This should return the DNS TXT record you created. In my case the response is:

; IN    TXT

;; ANSWER SECTION: 3599 IN TXT    "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGfiExKCF1qk/JMaESySByrwx2VjPYDZThQa8432pSTf9mj+AtFiY6wo9A4CMMDLfUBzbDhXFzw3s/qci/tTut+sqv+MSAHhCBJV72Kai64j6TjxUUnfW1RkEYvDhXL+9Wy9OODx2DBZeTpPd6N2Rm4ks3b5wvg73s7RCKjTA7XQIDAQAB"

Get a Shell

If you don’t have access to a shell and ‘dig’, there are some web based lookup tools available too.

DKIM Key Checker

DKIM Core Key Check
Use “google” as the “Selector” and your domain name for “Domain name”

19 thoughts on “Checking your DKIM DNS record”

  1. This is a long shut, but do you have any experience with DKIM and YADIFA (DNS server software)? The TXT record provided by Google does not parse correctly:-

    zone.log:2014-05-18 16:20:26.800150 | zone | E | zone load: reading record #46 of zone xxx: PARSESTRING_ERROR

    This is the record:-
    google._domainkey 86400 IN TXT “v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzS1CzUSzUHGRw4cz4vVrl2iktW53o2xGK1FzGsSyRT9Rsy8YjMSrTm+ylnUr/MfBz/ixjDI4NDsLuGPHao7g+T96o09sozD+9tMHAgVz8aFgmjdt402wcxCQoK25dKdvTM1droFAYh28qNjg2c6KcULY6224WIljdGhbMEDX/OQIDAQAB”

    1. I haven’t used YADIFA before but I just downloaded the code and took a quick look at the parse_pstring function in lib/dnscore/src/parsing.c where those parse errors are being checked. It looks like it should be capable of parsing DKIM TXT records properly, so my guess is that you might just have some accidental special characters pasted into your record. Could you check and make sure you don’t have any newlines, smart quotes or spaces, etc in that record in your zone file?

  2. Thanks for the shell command! It was exactly what I was looking for. (I used “dig -t txt” and it didn’t return the DKIM TXT record, but now I have the right syntax. And the Google Apps-specific example was perfect!)

  3. Any idea where i can generate the DKIM key online through a website that (at least) shows some test, and not like “” or similar? 😀

    There are a lot of generators out there, but most of these pages do not look like you can generate your DKIM there and sleep very well 😀

  4. Has anyone used opendikim? I was able to setup this openm and when I look at logs the email gets signed but when I check header on gmail it shows bad format. I’m thinking it’s dns but when i check dns if its the right format it shows OK, so i’m stuck

    Any help would help. what is the selector i add to my dns.. for instance.. when i do a test both show vaild records so i’m not sure why i keep getting dkim=neutral (bad format) header.s=default header.b=lQ1YkIEB;




    1. @ Dan:

      You probably already fixed this issue, but, the issue is your ‘selector’. In your dns TXT record, the ‘selector’ must match your selector in OpenDKIM.
      This means in DNS TXT you selected a ‘selector’ called : ‘domain1’
      namely :
      In openDKIM you configured to use a selector called ‘default’
      Either configure your DNS to say :
      or reconfigure OpenDKIM to use the selector ‘domain1’.

Leave a Reply

Your email address will not be published.

%d bloggers like this: