Checking your DKIM DNS record

Update Nov 2012:

Due to the recently released vulnerability related to the use of weak cryptographic DKIM keys, I wrote a tool to check DKIM records and determine their public key length: DKIM Key Checker


DKIM For The Masses

Google announced today they have added the ability for Google Apps customers to sign outbound email using the DKIM (DomainKeys Identified Mail) standard.

You can set it up for your own Google Apps domain (if you are the domain admin) using these instructions.

It’s a simple process but the trickiest part can be creating the DNS TXT record (which contains your DKIM public key), depending on how you manage your DNS. If you are serving DNS directly via your registrar, Google has some specific instructions for popular domain hosts.

Checking your work

Here’s a quick tip how you can check to make sure you created the record properly and it is being served…

From a shell/console (using your own domain name, of course):

dig TXT

This should return the DNS TXT record you created. In my case the response is:

; IN    TXT

;; ANSWER SECTION: 1800 IN TXT    ""v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGfiExKCF1qk/JMaESySByrwx2VjPYDZThQa8432pSTf9mj+AtFiY6wo9A4CMMDLfUBzbDhXFzw3s/qci/tTut+sqv+MSAHhCBJV72Kai64j6TjxUUnfW1RkEYvDhXL+9Wy9OODx2DBZeTpPd6N2Rm4ks3b5wvg73s7RCKjTA7XQIDAQAB"

Get a Shell

If you don’t have access to a shell and ‘dig’, there are some web based lookup tools available too.

DKIM Key Checker

DKIM Core Key Check
Use “google” as the “Selector” and your domain name for “Domain name”

16 thoughts on “Checking your DKIM DNS record”

  1. This is a long shut, but do you have any experience with DKIM and YADIFA (DNS server software)? The TXT record provided by Google does not parse correctly:-

    zone.log:2014-05-18 16:20:26.800150 | zone | E | zone load: reading record #46 of zone xxx: PARSESTRING_ERROR

    This is the record:-
    google._domainkey 86400 IN TXT “v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzS1CzUSzUHGRw4cz4vVrl2iktW53o2xGK1FzGsSyRT9Rsy8YjMSrTm+ylnUr/MfBz/ixjDI4NDsLuGPHao7g+T96o09sozD+9tMHAgVz8aFgmjdt402wcxCQoK25dKdvTM1droFAYh28qNjg2c6KcULY6224WIljdGhbMEDX/OQIDAQAB”

    1. I haven’t used YADIFA before but I just downloaded the code and took a quick look at the parse_pstring function in lib/dnscore/src/parsing.c where those parse errors are being checked. It looks like it should be capable of parsing DKIM TXT records properly, so my guess is that you might just have some accidental special characters pasted into your record. Could you check and make sure you don’t have any newlines, smart quotes or spaces, etc in that record in your zone file?

  2. Thanks for the shell command! It was exactly what I was looking for. (I used “dig -t txt” and it didn’t return the DKIM TXT record, but now I have the right syntax. And the Google Apps-specific example was perfect!)

Leave a Reply

Your email address will not be published. Required fields are marked *