What You Need to Know
• What This Tool Does
DKIM (DomainKeys Identified Mail) Check verifies cryptographic signatures in email headers that prove the email was sent by an authorized server and hasn't been tampered with in transit.
• Why It Matters
- → Email Integrity: Guarantees messages haven't been modified
- → Authentication: Cryptographically proves sender identity
- → Deliverability: Major providers require DKIM for inbox placement
- → Trust: Recipients can verify emails genuinely came from your domain
• How to Read the Results
- ✓ Selector: A label for the specific DKIM key (e.g., "default", "google", "sendgrid")
- ✓ Public Key: The RSA or Ed25519 cryptographic key used to verify message signatures
- ✓ Key Length: RSA-2048 bits minimum recommended; RSA-1024 is deprecated and insecure
- ✓ v=DKIM1: Version identifier that must appear at the start of every DKIM key record
- ✓ h=: Hash algorithm — sha256 is required; sha1 is deprecated and must not be used
- ✓ p=: Base64-encoded public key value — empty p= means the key has been revoked
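The checks in the list above, applied to a raw key record. This is an added example, not the tool's own code. The function names are hypothetical, the k= key-type tag (rsa when absent) is not shown on this page, and the sample records are constructed.

```python
import base64

def parse_tags(record):
    """Split a DKIM key record (TXT value) into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo RSA public key."""
    _, body, _ = _tlv(spki, 0)            # outer SEQUENCE
    _, _, alg_end = _tlv(spki, body)      # AlgorithmIdentifier, skipped
    _, bits, _ = _tlv(spki, alg_end)      # BIT STRING holding the key
    _, rsa, _ = _tlv(spki, bits + 1)      # +1 skips the unused-bits octet
    _, start, end = _tlv(spki, rsa)       # INTEGER modulus
    return int.from_bytes(spki[start:end], "big").bit_length()

def audit(record):
    """Return findings for one key record, using the rules listed on this page."""
    tags, findings = parse_tags(record), []
    if not record.lstrip().startswith("v=DKIM1"):
        findings.append("record does not start with v=DKIM1")
    if "h" in tags and "sha256" not in tags["h"].split(":"):
        findings.append("h= does not allow sha256")
    if not tags.get("p"):
        return findings + ["no key in p= (empty p= means revoked)"]
    key = base64.b64decode(tags["p"])
    if tags.get("k", "rsa") == "rsa":     # k= defaults to rsa when absent
        if (bits := rsa_bits(key)) < 2048:
            findings.append(f"RSA-{bits} is below the 2048-bit minimum")
    elif tags["k"] == "ed25519" and len(key) != 32:
        findings.append("Ed25519 key is not 32 bytes")
    return findings

# Constructed sample records (not real keys): a revoked key and an Ed25519 key.
if __name__ == "__main__":
    print(audit("v=DKIM1; k=rsa; p="))
    print(audit("v=DKIM1; k=ed25519; p=" + "A" * 43 + "="))
```

An empty list from audit() means the record passed every check; the RSA branch reads the modulus length straight from the DER, so no cryptography library is needed.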
• Technical Background
DomainKeys Identified Mail (DKIM, RFC 6376) uses public-key cryptography to authenticate email messages. The sending mail server signs the email's headers and body using a private RSA or Ed25519 key, appending a DKIM-Signature header containing the signature, selector, domain, and signed fields. The receiving server looks up the public key from DNS at selector._domainkey.domain.com, verifies the signature, and confirms the email has not been modified since signing.
A DKIM selector allows multiple keys for different mail systems (e.g., "google" for Google Workspace, "sendgrid" for SendGrid). Key rotation is a security best practice; old keys should be retired after 6-12 months.
The DKIM-Signature header fields include: b= (base64-encoded signature), bh= (hash of the email body), c= (canonicalization algorithm: "relaxed/relaxed" is most common), d= (signing domain), s= (selector), and h= (list of signed headers). For DMARC alignment, the d= domain must match the RFC5322.From domain either exactly (strict alignment) or as a subdomain (relaxed alignment).
DKIM key sizes: RSA-1024 is deprecated; RSA-2048 is the current minimum; Ed25519 keys (32 bytes) provide equivalent security to RSA-3072 with much smaller DNS records.
Common DKIM deployment issues include: missing DKIM records (selector not found in DNS), expired or rotated keys that still appear in email headers, oversized keys that exceed DNS packet limits, and canonicalization mismatches that cause signature verification failures.
Email providers like Gmail, Outlook, and Yahoo require DKIM for inbox placement and use DKIM alignment in their DMARC enforcement. Organizations using multiple email sending services (transactional email, marketing platforms, CRMs) should maintain separate DKIM selectors for each service to enable precise audit trails and revocation without disrupting other mail flows.
When rotating DKIM keys (a recommended security practice every 6-12 months), administrators should: publish the new selector in DNS, configure the mail server to use the new key, wait for DNS propagation (up to 48 hours), then decommission the old selector. DKIM signing policy is complemented by DMARC (RFC 7489), which instructs receiving servers on what to do when DKIM and SPF fail. Without DKIM, domains are vulnerable to email spoofing and brand impersonation attacks. A DKIM pass combined with SPF pass and DMARC alignment is the gold standard for email authentication and deliverability.
Command-Line Usage
Run equivalent checks directly from your terminal on macOS, Windows, or Linux.
Developer
API & CLI Usage
API Endpoint
POST /api/tools/dkim-check
Platform-Specific Examples
curl -X POST https://epcybertools.com/api/tools/dkim-check \
  -H "Content-Type: application/json" \
  -d '{"domain":"google.com","selector":"google"}'

wget --method=POST \
  --header="Content-Type: application/json" \
  --body-data='{"domain":"google.com","selector":"google"}' \
  -O - https://epcybertools.com/api/tools/dkim-check

http POST https://epcybertools.com/api/tools/dkim-check \
  domain="google.com" \
  selector="google"