DNS records and worldwide DNS propagation checker

DKIM Record Lookup

DKIM Tester

The DKIM checker inspects the domain's published DKIM record for a specific selector. The tool performs the DKIM record lookup and examines whether the DKIM record is published at a particular selector and whether it's deployed correctly or not.

What is DKIM?

DKIM is an acronym for DomainKeys Identified Mail. It is an email authentication technique that allows the email receiver to check that an email was sent from the domain it claims to come from and has not been tampered with.

It's an accessible technology used to link a piece of email back to the domain. It protects against spammers spoofing a legitimate domain name.

Why is DKIM important?

Although DKIM is not required, emails signed with DKIM appear more legitimate to recipients and are less likely to go to the spam or junk folder.

Spoofing and phishing from popular domains is widespread, but DKIM makes a domain harder to impersonate.

DKIM also helps in building the domain reputation among the ISPs. With a low bounce rate and high engagement, your email deliverability improves.

How does DKIM work?

DKIM works with SPF and DMARC to protect email traffic. Emails that fail the SPF and DMARC checks are either not delivered by the email servers or may end up in "spam." DKIM allows organizations to authenticate their emails.

To use DKIM, the email server is configured to attach DKIM signatures when sending emails. These signatures travel along with the emails and are verified by the receiving servers (helping the emails reach their final destination).

These signatures work as a watermark.

  • An email provider generates both public and private keys.
  • The provider gives the public key to the domain owner, who places it into the publicly available domain DNS record, the DKIM record.
  • The sending email server signs an email with the private key, producing a "digital signature." That signature is added as an extra header to the email to assist the receiving email servers in verification.
  • The receiving email server locates the domain's DKIM record, fetches the public key, and uses it to verify the digital signature.
  • The receiving party can then verify that the email was sent from the domain it claims and that it was not altered in transit.

Note: A receiving server can never use the public key to sign messages, and the private key is never used to verify them.

Example of DKIM record

An example of a DKIM record is

Name                           | Type | Content                | TTL
[selector]._domainkey.[domain] | TXT  | v=DKIM1; p= public key | 3600

Here

Name: DKIM records are stored under a specialized name that follows the format shown in the example. Suppose, for instance, that abc.com uses XYZ as its email service provider, and XYZ employs the DKIM selector xyz-email. The DKIM DNS record for abc.com would then be under xyz-email._domainkey.abc.com.

In the above example:

  1. Name
    • selector: The DKIM selector is a value in the DKIM-Signature header that specifies where the public key of the DKIM key pair exists in the Domain Name System (DNS). The receiving email server uses the DKIM selector to locate and fetch the public key and verify that an email message is authentic and arrived unaltered.
    • _domainkey: It's included in all DKIM record names.
    • domain: It's the email domain name, the part after the "@" symbol.
  2. Type: It's a TXT record.
  3. Content: Here, v=DKIM1 means that the record is a DKIM record, and whatever comes after "p=" is the public key.
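The checks a lookup tool can apply to the record content, as an added example (not the tool's own code). It goes slightly beyond the text by following RFC 6376 for the empty p= (revoked key) and v= position rules; the function name and the placeholder key bytes are assumptions constructed for illustration.

```python
import base64
import binascii

# Constructed placeholder bytes standing in for a public key (not a real key).
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
# A long TXT record is published as several strings of at most 255 bytes each.
SAMPLE_TXT = ["v=DKIM1; k=rsa; p=" + SAMPLE_KEY[:40], SAMPLE_KEY[40:]]


def check_dkim_record(txt_strings):
    """Parse the TXT strings of one DKIM record; return (tags, issues)."""
    record = "".join(txt_strings)  # join the pieces with no separator
    tags, issues = {}, []
    for part in record.split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not name:
            issues.append(f"malformed tag: {part.strip()!r}")
            continue
        if name in tags:
            issues.append(f"duplicate tag: {name}")
        tags[name] = "".join(value.split())  # drop folding whitespace

    if "v" in tags:
        if tags["v"] != "DKIM1":
            issues.append("v= is not DKIM1")
        if list(tags)[0] != "v":
            issues.append("v= must be the first tag")
    if "p" not in tags:
        issues.append("missing p= (public key)")
    elif tags["p"] == "":
        issues.append("empty p=: key revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            issues.append("p= is not valid base64")
    return tags, issues


if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_TXT)[1])       # well-formed record
    print(check_dkim_record(["v=DKIM1; p="])[1])  # revoked key
```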

How can I find my DKIM selector?

Finding your DKIM selector is not a difficult task. A simple way is to send an email to yourself.

  • When you open the email, click on the three dots and go to "Show original." Your primary goal is to view the header information with the DKIM authentication results.
  • Search for "DKIM-Signature" to find the DKIM signature applied to your email.
  • If you see multiple DKIM-Signature headers, search for the one that contains your domain name in its "d=" tag.
  • The DKIM-Signature email header contains an s= tag. Its value is the selector that the receiving server should use for the DKIM record lookup.
  • If you cannot find a DKIM-Signature header, or one that contains your domain, contact whoever is responsible for sending your email.

Note: No two services can have the same selector. For example, if you send emails from several services, like Gmail, Yahoo, etc., on behalf of your domain, then each service must have a unique key and selector in your DNS. If the selectors are the same, the recipient server cannot tell which key to use to verify a particular email.
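The same search done in code, as an added example that is not part of the original page: it reads every DKIM-Signature header of a raw message, builds the DNS name to look up from its s= and d= tags, and flags which signature carries the From domain. The message, the domains mailer.example and example.org, and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: two services signed the message, one of them for abc.com.
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=abc.com;
 s=xyz-email; h=from:to:subject; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example; s=k1;
 h=from:subject; bh=CCCC; b=DDDD
From: Alice <alice@abc.com>
To: bob@example.org
Subject: test

hello
"""


def parse_tags(value):
    """Split a 'tag=value; tag=value' list, removing folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def dkim_lookups(raw_message):
    """Return one dict per DKIM-Signature header: the DNS name to query and
    whether its d= equals the domain in the From header."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        if d and s:  # both tags are needed to build the record name
            results.append({"query": f"{s}._domainkey.{d}",
                            "matches_from": d == from_domain})
    return results


if __name__ == "__main__":
    for entry in dkim_lookups(RAW):
        print(entry)
```

Each "query" value is the name to enter in a DKIM lookup or pass to a DNS TXT query.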

How to perform the domain DKIM record lookup for a particular selector?

To perform the DKIM record lookup for a particular selector, complete the following steps.

  • Open the DKIM Record Checker - DKIM Tester.
  • Enter the "Selector" and the "Domain" and click on the "DKIM Lookup" button.
  • The tool fetches the domain's DKIM record for a specific selector and helps identify its issues.

What if the DKIM fails?

That usually happens when the domain in the "From" header does not match the "d=" value in the "DKIM-Signature" header. It may negatively impact email deliverability.

Thus, it's essential to examine every message that fails and determine whether its source is valid. If you find a legitimate source, you can investigate it and set up DKIM correctly. If the source is not recognized, analyze it, because it could be sending malicious emails or impersonating the domain.

DKIM and DMARC

DKIM, by itself, is not a reliable way to authenticate the email sender's identity. DMARC is an email authentication system built on top of SPF and DKIM. DMARC tells the receiver what to do if an email fails the SPF and DKIM checks. Together, they allow organizations to prevent email spam and spoofing.