Verifying a DKIM TXT Record and Key Length

After reading the Wired story last week about Zachary Harris discovering a widespread vulnerability related to the use of weak cryptographic DKIM keys (less than 1024 bits) by companies like Google, eBay, Yahoo, Twitter and PayPal, and the subsequent CERT warning (VU#268267), I decided to write a quick tool to check DKIM TXT records and determine their key length:

This tool grabs your DKIM DNS TXT record and uses OpenSSL to parse the contained public key to determine its key length.
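The same check done offline, as an added example that is not the author's tool: it parses the record's tags and reads the modulus length directly from the DER-encoded key instead of calling OpenSSL. The function names and the sample records (built around a made-up integer, not a usable key) are constructed for illustration, and the code assumes the TXT strings have already been fetched and concatenated.

```python
import base64

def parse_dkim_tags(txt):
    """Split a DKIM TXT record (tag=value pairs separated by ';') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def read_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value bytes, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dkim_key_bits(txt):
    """Return the RSA modulus length in bits of the key in a DKIM record."""
    tags = parse_dkim_tags(txt)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key")
    if not tags.get("p"):
        raise ValueError("empty p= tag (key revoked)")
    _, spki, _ = read_tlv(base64.b64decode(tags["p"]))  # SubjectPublicKeyInfo
    _, _, pos = read_tlv(spki)                          # skip AlgorithmIdentifier
    tag_bits, bits, _ = read_tlv(spki, pos)             # BIT STRING wrapping the key
    _, rsa_key, _ = read_tlv(bits[1:])                  # RSAPublicKey SEQUENCE
    tag_int, modulus, _ = read_tlv(rsa_key)             # INTEGER n
    if (tag_bits, tag_int) != (0x03, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(modulus, "big").bit_length()

def tlv(tag, value):  # minimal DER encoder, used only to build the sample
    n = len(value)
    size = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (size if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

def sample_record(bits):  # constructed sample: made-up odd integer, not a usable key
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    rsa_key = tlv(0x30, tlv(0x02, n) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

# Maps each sample size to whether the parsed key meets the 1024-bit minimum.
print({b: dkim_key_bits(sample_record(b)) >= 1024 for b in (512, 768, 1024, 2048)})
```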


Published by

protodave

Maker, breaker and fixer of things.

9 thoughts on “Verifying a DKIM TXT Record and Key Length”

  1. Thank you so much for writing this tool. I was pulling my hair out trying to figure out if our keys were 1024 bit. They are.

  2. Thanks for this tool, and the previous article on how to check your DKIM DNS record with the likes of dig – it was very helpful when setting up a new server configuration.

  3. I’ve been in agony trying to get Yahoo Small Business to get my DKIM settings right in DNS (not accessible via the Yahoo domain control panel) and your site has been invaluable in getting Yahoo to do the job right. Thanks so much!

  4. I was suggested this blog by my cousin. I’m not sure whether this post is written by him, as no one else knows such detail about my difficulty. You are wonderful! Thanks!

  5. Thanks for this tool! Great work. More popular, longer existing check websites can’t handle the long keys. I’m glad I found your website and figured out that it wasn’t my mistake when entering the long keys into our servers that made other checks fail.

  6. This tool is a godsend. Thanks so much. Not even Google’s own MX tool was able to parse my domain key successfully. Great idea adding the selector field. Much appreciated.

  7. Outstanding Tool. More ISPs are requiring DKIM >=1024 and some of the providers I use to offer free sites to Not-for-Profits have not moved their support to the required level. This allowed me to find the Domains with issues very quickly. Thank You
