Use this tool to lookup and verify a DKIM DNS TXT record and determine its public key length to detect the use of weak cryptographic DKIM keys (less than 1024 bits).
If you make a purchase using these affiliate links I may earn a small commission which helps support this blog and the free tools I provide. You do not pay a higher price.
Protect Your Email With DMARCLY
Block phishing, business email compromise, ransomware, spam, and improve email deliverability with a comprehensive SPF, DKIM and DMARC monitoring solution.
Grow your business with ActiveCampaign
Email marketing, marketing automation, and CRM tools to create incredible customer experiences. Supports SPF, DKIM, and DMARC authentication.
DigitalOcean provides cloud products for every stage of your journey. Get started with $200 in free credit!
About This Tool
This DKIM test tool has been used over 2 million times since it was launched, helping domain administrators improve their email authentication, and globally reduce sender address forgery (spoofing), which is often used in spam emails and phishing attacks.
If you are curious, you can read more about why I originally wrote this DKIM tester.
Please let me know if you find a valid DNS record that doesn’t parse properly for some reason and I’ll take a look and update my code as needed.
What Is It Doing?
At a high level, the code for this DKIM validator does the following:
- Using the Selector and Domain you provide, the DKIM record check first queries your DKIM DNS
TXTrecord. - The DNS results are parsed to extract the DKIM tags of interest from the record, as defined by RFC 6376.
- Finally, it processes the extracted public key found in the
v=tag using OpenSSL to determine the key size. If the length is less than 1024 bits you’ll receive a warning of that fact in the UI response so you’ll know to regenerate and update your keys.
I maintain this free DKIM checker as a public service for sysadmins, security and ops folks to help us improve email security and reduce spam. I hope you find it useful!
Privacy Notice — I log only basic usage information: date, DNS query/response, and calculated public key length. I record these only for the purposes of detecting abuse of the tool or my systems, and to debug any issues with my code to improve it. I don’t, and won’t collect, correlate, retain, share or sell any Personally Identifiable Information (PII) from this tool.
Hello! Please, add support for .services domain.
Hi, thanks for the tool. Just found out that many similar tools out there are unable to handle long keys…yours works perfectly.
Great tool. If you could please add support for some of the newer TLDs, .properties in particular, that would be swell.
Very handy tool, thank you!
Thanks for the tool! Just a remark:
Base64 encoded data usually wrap lines after 64 chars. The public key your tool did reconstruct wrapped after 78.
Updated to wrap at 64 chars. Thanks for the feedback!
Thank you so much, this is making my life a lot easier.
Thank you VERY much for this tool and moreso for all your knowledge on this topic.
Cyrilick domain or punycode domains not support 🙁
@Evil_Wolf: Can you share a couple example domains and selectors to test so I can work on adding support? Thanks!
Great tool. Just entered a record DKIM record with more than 255 chars and lookup result looked rather funny. I was expecting BIND to concatenate the multiple parts into one! Checked here with success. Then find out that it is the application using this record which is suppose to concatenate the parts.
Hmmm, worked that time, after I updated my DNS to remove the domain. I just put it back, we’ll see how your tool does tomorrow.
Hi Sir,
I have a issue. How to check DKIM Cname record ?
Hi Dave
Thank you so much for providing this tool. I was able to check my Key Strength which was 1024 and upgraded it to 2018 at Google Apps.
This has helped me a lot to implement DMARC and see how Spammers are trying to use my domains for their hideous activities.
Regards
Varun
Thanks a lot., real bug killer..!!!
This is extremely useful. Thanks for sharing it!
I didn’t want to install the bind-utils just to get the dig utility.
This is great, thanks again.
Great,simple tool! thanks for this
i want c=relaxed/relaxed instead i’m getting c=relaxed/simple where should i specify this. please help
Thank you, very usefull Tool 😀
what is selector in DKIM ?
I am new to it
2048 key length not working?
It should be working, what selector/domain are you testing?
Mine has a 2048 bit key, for an example:
selector: google
domain: protodave.com
Ho do you get the key length ?
Thanks a lot! Very useful tool. 🙂
Thank you very much for sharing this tool.
Sorry, noob question here – how does the receiving server know what selector to use / ask the sending server for?
Is that in the header of the email? you talk about how different websites use different phrases : )
thanks!!
The DKIM signature contains a reference to the selector to use. This value is expressed as s=”the selector”
Hi! There are many tools to verify DKIM TXT records.
But I did not find any tool to verify the DKIM Data of an Email already sent. I mean copy&paste the raw mail code to check mail text and metadata. Why is it so hard to find a tool for that? Cause this is what dkim is for.
Your tool missed an error in what a client published. They included escape characters (v=DKIM1\;) and your took gave them “success” as a result. Using MXTOOLBOX it pointed out their error.
May want to look into that – they used your site to erroneously believe they’d published correctly.
Thanks!
This is an excellent tool – thanks so much. With a few tests, I finally managed to figure out what was wrong and to get this working ! 🙂
Thanks for the message… great to hear the tool was able to help you get things working!
Just wondering if I copy the contents of the result “—-begin certificate — ” and save it as a .pem file, will the regular cert reading tools be able to decipher it as a certificate?
Please support ed25519 keys (RFC 8463)
Just a quick note of thanks for the great tool!
thanks for the note, and glad it was helpful!
Is the code for this available anywhere? Just curious how you parse the record and feed it into openssl.
Hi Dan! I haven’t published the code but it’s just a quick little PHP script with a flow that looks like this…
digto grab the DKIM DNS record, since PHP’sdns_get_record()doesn’t properly handle returningTXTrecords for long DKIM entries.openssl_get_publickey -> openssl_pkey_get_detailsIf you want more specifics about any of that, drop me a note via the Contact page and I’ll email you further details.
I get a fail on my test but a pass for other online checking pages – from reading I suspect it has to do with the FQDN appended to the selector eg my selector is:
phr1._domainkey
and it seems to fail on some sites inlcuding this one but pass on others – are you able to check if the un-appended FQDN is the problem?
Thanks,
Phil.
Hi Phil! Yes, just use your DKIM selector,
phr1, in the “Selector” input box. Do not include the_domainkeysubdomain.Using that, along with your Domain
pricom.com.auworks for me. Let me know if that helps.Hi
I’ve setup a 2048 key for MailPlus on my synology NAS and split the key across 2 TXT records in the DNS but the checker only reports it as a 1024 key. Does it not handle split keys?
Hi Julian! It should handle split keys. What’s your DNS TXT record (selector/domain) and I can take a look.
Hey protodave,
Your code doesn’t seem to support ed25519 keys, is that correct?
many thanks for this tool!
ed25519 support would be awesome 🙂
For some reason this tool is not able to find the dkim entry on any of my websites. All have dkim as selector in a TXT record:
3dworldz.com, sovariaestates.world, gospellearningcenter.com, localfood4u.com.
Hi Bob!
I do see your DKIM TXT record on
dkim.3dworldz.com❯ dig -t TXT dkim.3dworldz.com;; ANSWER SECTION:
dkim.3dworldz.com. 60 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu85+PZRVgrTN2VMyINKIA8EbiFMBn0aDyUYzdfL7kl7hZJnOV0BvyR9I1xwRN/EmDEgd9DVkjYKgT1fNjHkjLDmPtirCc1QiAfceCqjGbWjuOFtFjW5RfaQP4rqnJ0CH2QL3hwfekTBfHPkKAO4mf37gtlkXMUSXzQiIUTd+ogwIDAQAB;"
However, the DKIM specification uses a namespace subdomain called “
_domainkey” to store DKIM records.So you’ll want to use the format:
[your selector]._domainkey.[your domain name]Example:
dkim._domainkey.3dworldz.comThe relevant RFC section:
https://datatracker.ietf.org/doc/html/rfc6376#section-3.6.2.1
And some more details about the naming of the DKIM DNS entry:
https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/
Resolved! Nice to finally find out how to put in the selector on the domain TXT record. Host entry is to be dkim._domainkey and the VAlue with the rest of the required data. Validation is now working and finding the entry on my domain. Thanks Dave!
Thanks for providing the tool.
The recommended key length now appears to 2048 bit.
Perhaps 1024 bit should return orange instead of green?
RFC 8463: The p= value in the key record is the Ed25519 public key encoded in base64. Since the key is 256 bits long, the base64 text is 44 octets long.
Mailhardener:
Record is valid
This site:
Query Status: Unable to properly parse or decode the public key string and determine key length, or the key is invalid. Tip: Make sure there aren’t any special characters or newlines pasted into your key in the TXT record. Reminder: DNS record changes may take some time to propagate and update depending on your TTL setting.
Public key (BASE64):
uzzRDKgjhwQb6bQ3wRPWKnIBvXPuV7I44JAc4Va6cm0=
Public key (PEM):
—–BEGIN PUBLIC KEY—–
MCowBQYDK2VwAyEAuzzRDKgjhwQb6bQ3wRPWKnIBvXPuV7I44JAc4Va6cm0=
—–END PUBLIC KEY—–
The above 44 char key that failed looks identical to the last 44 chars of its original key which probably would have passed. Perhaps the first 16 chars are the ASN.1 structure. They may be the same chars for all keys. I thought it was weird that this key and last key started the exact same (first four characters).
Hi, this is a good tool, especially for validating the key size. I’d like to see an option to omit the selector in order to validate a TXT record’s public key size. This can come in handy when using CNAME records pointing to public key TXT records, and can provide feedback that the key size is too small prior to creating those CNAME records on a client domain.
Mesenteric infammatory veno-occlusive disorder: pneumatosis intestinalis: a beforehand unreported affiliation. Use of antibiotics throughout pregnancy increases the danger of bronchial asthma in early childhood. Prior to performing an orthognathic process on with Documented Sleep Apnea, Airway such sufferers, non-surgical therapies should be attempted, Defects and Soft-tissue Discrepancies including these procedures and treatments that mimic the efects of occlusal alteration diabetic diet spanish pdf [url=https://mother-top.com/store/Actoplus-Met.html]discount actoplus met express[/url].
Improvement occurs regularly enough that a treatment try must be made in all such circumstances, except a severe, unequivocal abnormality of the fovea or optic nerve that’s not suitable with higher imaginative and prescient is present. Do not proceed to use rigidity if the catheter begins to stretch (I-Flow, 2007). Local symptoms develop secondary to an infammatory response as cell-mediated immunity is restored virus xbox one [url=https://mother-top.com/store/Terramycin.html]generic 250 mg terramycin mastercard[/url]. Amulticenterretrospectivecohortstudyofoutpatientstreated septic joint for uncomplicated cellulitis found no statistically vital differ Inflammatory ence in failure charges when comparing oral. Low maternal T4 ranges (10-20 years, and >20 years previous to the date of threat age. The popular combination drug trimethoprim-sulfamethoxazole inhibits folate metabolism at two factors hypertension 2014 [url=https://mother-top.com/store/Avalide.html]discount avalide 162.5 mg line[/url].