Checking your DKIM DNS record

January 6, 2011

Update Nov 2012:

Due to the recently released vulnerability related to the use of weak cryptographic DKIM keys, I wrote a tool to check DKIM records and determine their public key length: DKIM Key Checker

DKIM For The Masses

Google announced today they have added the ability for Google Apps customers to sign outbound email using the DKIM (DomainKeys Identified Mail) standard.

You can set it up for your own Google Apps domain (if you are the domain admin) using these instructions.

It’s a simple process but the trickiest part can be creating the DNS TXT record (which contains your DKIM public key), depending on how you manage your DNS. If you are serving DNS directly via your registrar, Google has some specific instructions for popular domain hosts.

Checking your work

Here’s a quick way to check that you created the record properly and that it is being served:

From a shell/console (using your own domain name, of course):

dig google._domainkey.protodave.com TXT

This should return the DNS TXT record you created. In my case the response is:

;; QUESTION SECTION:
;google._domainkey.protodave.com. IN    TXT

;; ANSWER SECTION:
google._domainkey.protodave.com. 1800 IN TXT    "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGfiExKCF1qk/JMaESySByrwx2VjPYDZThQa8432pSTf9mj+AtFiY6wo9A4CMMDLfUBzbDhXFzw3s/qci/tTut+sqv+MSAHhCBJV72Kai64j6TjxUUnfW1RkEYvDhXL+9Wy9OODx2DBZeTpPd6N2Rm4ks3b5wvg73s7RCKjTA7XQIDAQAB"
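
Since the update at the top of this post is about weak DKIM keys, here is an added example (not part of the original post, and not the code of the DKIM Key Checker tool) that takes the TXT record exactly as dig prints it above and reports the RSA public key length. The function names are hypothetical, and the 1024-bit default threshold is an assumption taken from RFC 8301, since the post itself states no minimum.

```python
import base64

# Record as dig printed it on this page (quoted, with ';' escaped as '\;').
SAMPLE_TXT = r'"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGfiExKCF1qk/JMaESySByrwx2VjPYDZThQa8432pSTf9mj+AtFiY6wo9A4CMMDLfUBzbDhXFzw3s/qci/tTut+sqv+MSAHhCBJV72Kai64j6TjxUUnfW1RkEYvDhXL+9Wy9OODx2DBZeTpPd6N2Rm4ks3b5wvg73s7RCKjTA7XQIDAQAB"'

def parse_dkim_tags(txt):
    """Split a DKIM TXT record into a dict of tag -> value."""
    text = txt.replace("\\;", ";")
    parts = text.split('"')
    if len(parts) > 1:
        # dig quotes each character-string; long records come as several.
        text = "".join(parts[1::2])
    tags = {}
    for item in text.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags

def read_tlv(buf, pos, tag):
    """Return (start, end) of the content of the DER element at pos."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER structure at offset %d" % pos)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return pos, pos + length

def rsa_key_bits(tags):
    """Bit length of the RSA modulus carried in the p= tag."""
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key")
    if not tags.get("p"):
        raise ValueError("empty or missing p= tag")
    der = base64.b64decode("".join(tags["p"].split()), validate=True)
    spki, _ = read_tlv(der, 0, 0x30)           # SubjectPublicKeyInfo
    _, alg_end = read_tlv(der, spki, 0x30)     # AlgorithmIdentifier
    bits, _ = read_tlv(der, alg_end, 0x03)     # BIT STRING
    key, _ = read_tlv(der, bits + 1, 0x30)     # RSAPublicKey, after unused-bits byte
    n_start, n_end = read_tlv(der, key, 0x02)  # modulus INTEGER
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def is_weak(txt, minimum=1024):
    """True if the key is shorter than `minimum` bits (threshold is an assumption)."""
    return rsa_key_bits(parse_dkim_tags(txt)) < minimum

if __name__ == "__main__":
    print(rsa_key_bits(parse_dkim_tags(SAMPLE_TXT)), "bit RSA key")
```

Records pasted with smart quotes or other stray characters fail the strict base64 decode with a `ValueError` instead of yielding a bogus length.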

Get a Shell

If you don’t have access to a shell and ‘dig’, there are some web-based lookup tools available too.

DKIM Key Checker

Network-Tools.com

WhatsMyIP.us

DKIM Core Key Check
Use “google” as the “Selector” and your domain name for “Domain name”


9 comments

Thank you

by Antonio on June 14, 2012 at 12:27 pm #

[...] I have registered my TXT Record with my DNS provider, but I am unable to start authentication in my Google Apps Account. I am using Google Apps for Free. I have verified my DNS entry using various tools such as dig and other online tools, http://www.protodave.com/security/checking-your-dkim-dns-record/ [...]

by Google Apps DKIM Start Authentication fails even though DKIM TXT Record is Available | appsgoogleplus.com on October 1, 2012 at 2:23 pm #

Thanks for this great resource. We use Google apps and I needed to check our TXT record name was correctly setup, this confirmed it was.

by Aidan Sheerin on January 15, 2013 at 2:13 pm #

[...] one is a little more difficult to set up, but I found a great guide and test for it here. The idea of this system, is that all emails that are sent out are signed using a key (it’s [...]

by Guide for setting up company emails | IT Blog of Steve Williams on July 11, 2013 at 9:37 am #

Dave,

Thank you very much for the great info and resources… these will now become part of my standard tools.

by James on February 2, 2014 at 10:19 am #

Dave, thank you.

by Chong Lee Khoo on February 22, 2014 at 12:01 pm #

This is a long shot, but do you have any experience with DKIM and YADIFA (DNS server software)? The TXT record provided by Google does not parse correctly:-

zone.log:2014-05-18 16:20:26.800150 | zone | E | zone load: reading record #46 of zone xxx: PARSESTRING_ERROR

This is the record:-
google._domainkey 86400 IN TXT “v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzS1CzUSzUHGRw4cz4vVrl2iktW53o2xGK1FzGsSyRT9Rsy8YjMSrTm+ylnUr/MfBz/ixjDI4NDsLuGPHao7g+T96o09sozD+9tMHAgVz8aFgmjdt402wcxCQoK25dKdvTM1droFAYh28qNjg2c6KcULY6224WIljdGhbMEDX/OQIDAQAB”

by Chris Hills on May 18, 2014 at 7:24 am #

I haven’t used YADIFA before but I just downloaded the code and took a quick look at the parse_pstring function in lib/dnscore/src/parsing.c where those parse errors are being checked. It looks like it should be capable of parsing DKIM TXT records properly, so my guess is that you might just have some accidental special characters pasted into your record. Could you check and make sure you don’t have any newlines, smart quotes or spaces, etc in that record in your zone file?

by protodave on May 20, 2014 at 9:40 am #
