
DKIM Key Checker

Use this tool to look up and verify a DKIM DNS TXT record and determine its public key length to detect the use of weak cryptographic DKIM keys (less than 1024 bits).


DKIM selectors enable a single domain to have multiple keys. Some domains, like Twitter and eBay, use “dkim”. Google Workspace domains typically use “google”. Others simply use “default”. Enter yours below. Do not include “_domainkey” — this tool will add it automatically when making the DKIM check DNS lookup.
Base domain name. (e.g. example.com)

  
Keys less than 1024 bits are considered at risk.


    


About This Tool

This DKIM test tool has been used over 2 million times since it was launched, helping domain administrators improve their email authentication, and globally reduce sender address forgery (spoofing), which is often used in spam emails and phishing attacks.

If you are curious, you can read more about why I originally wrote this DKIM tester.

Please let me know if you find a valid DNS record that doesn’t parse properly for some reason and I’ll take a look and update my code as needed.

What Is It Doing?

At a high level, the code for this DKIM validator does the following:

  • Using the Selector and Domain you provide, the DKIM record check first queries your DKIM DNS TXT record.
  • The DNS results are parsed to extract the DKIM tags of interest from the record, as defined by RFC 6376.
  • Finally, it processes the extracted public key found in the v= tag using OpenSSL to determine the key size. If the length is less than 1024 bits you’ll receive a warning of that fact in the UI response so you’ll know to regenerate and update your keys.
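
The three steps above, sketched in Python as an added example; this is not the tool's own code. It assumes the key is read from the record's p= tag (as in the record quoted in the comments below), uses a small hand-written DER reader in place of OpenSSL, and skips the DNS query so it runs offline; all function names are illustrative.

```python
import base64

# Record from the dig output quoted in this page's comments, split here into two
# TXT character-strings (constructed split), as keys over 255 chars are published.
TXT_STRINGS = [
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu85+PZRVgrTN2VMyINKIA"
    "8EbiFMBn0aDyUYzdfL7kl7hZJnOV0BvyR9I1xwRN/EmDEgd9DVkjYKgT1fNj",
    "HkjLDmPtirCc1QiAfceCqjGbWjuOFtFjW5RfaQP4rqnJ0CH2QL3hwfekTBfH"
    "PkKAO4mf37gtlkXMUSXzQiIUTd+ogwIDAQAB;",
]

def parse_tags(strings):
    """Join the TXT character-strings, then split the RFC 6376 tag=value list."""
    record = "".join(strings)
    if "\\" in record:  # e.g. a published 'v=DKIM1\;' is not a valid tag list
        raise ValueError("escape character in DKIM record")
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # whitespace ignored
    return tags

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_key_bits(p_value):
    """Modulus bit length of a base64 SubjectPublicKeyInfo holding an RSA key."""
    der = base64.b64decode(p_value, validate=True)
    _, spki, _ = read_tlv(der, 0)            # outer SEQUENCE
    _, _, alg_end = read_tlv(der, spki)      # AlgorithmIdentifier
    tag, bits, _ = read_tlv(der, alg_end)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsa, _ = read_tlv(der, bits + 1)      # skip the unused-bits byte
    _, n_start, n_end = read_tlv(der, rsa)   # first INTEGER is the modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_record(strings):
    """Return (bits, verdict); keys under 1024 bits are flagged, as on this page."""
    tags = parse_tags(strings)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("no RSA public key in record")
    bits = rsa_key_bits(tags["p"])
    return bits, "weak" if bits < 1024 else "ok"
```

Calling check_record(TXT_STRINGS) returns (1024, "ok"). Because the character-strings are joined before parsing, a key split across several strings measures the same as one published in a single string.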

I maintain this free DKIM checker as a public service for sysadmins, security and ops folks to help us improve email security and reduce spam. I hope you find it useful!

Privacy Notice — I log only basic usage information: date, DNS query/response, and calculated public key length. I record these only for the purposes of detecting abuse of the tool or my systems, and to debug any issues with my code to improve it. I don’t, and won’t collect, correlate, retain, share or sell any Personally Identifiable Information (PII) from this tool.

124 thoughts on “DKIM Key Checker”

  1. Pingback: Outbound Solution
  2. Hi, thanks for the tool. Just found out that many similar tools out there are unable to handle long keys…yours works perfectly.

  3. Great tool. If you could please add support for some of the newer TLDs, .properties in particular, that would be swell.

  4. Thanks for the tool! Just a remark:
    Base64 encoded data usually wrap lines after 64 chars. The public key your tool did reconstruct wrapped after 78.

    1. @Evil_Wolf: Can you share a couple example domains and selectors to test so I can work on adding support? Thanks!

  5. Great tool. Just entered a DKIM record with more than 255 chars and the lookup result looked rather funny. I was expecting BIND to concatenate the multiple parts into one! Checked here with success. Then found out that it is the application using this record which is supposed to concatenate the parts.

  6. Hmmm, worked that time, after I updated my DNS to remove the domain. I just put it back, we’ll see how your tool does tomorrow.

  7. Hi Dave

    Thank you so much for providing this tool. I was able to check my Key Strength which was 1024 and upgraded it to 2018 at Google Apps.

    This has helped me a lot to implement DMARC and see how Spammers are trying to use my domains for their hideous activities.

    Regards
    Varun

    1. It should be working, what selector/domain are you testing?

      Mine has a 2048 bit key, for an example:

      selector: google
      domain: protodave.com

  8. Sorry, noob question here – how does the receiving server know what selector to use / ask the sending server for?

    Is that in the header of the email? you talk about how different websites use different phrases : )

    thanks!!

  9. Hi! There are many tools to verify DKIM TXT records.
    But I did not find any tool to verify the DKIM Data of an Email already sent. I mean copy&paste the raw mail code to check mail text and metadata. Why is it so hard to find a tool for that? Cause this is what dkim is for.

  10. Your tool missed an error in what a client published. They included escape characters (v=DKIM1\;) and your tool gave them “success” as a result. Using MXTOOLBOX it pointed out their error.

    May want to look into that – they used your site to erroneously believe they’d published correctly.

    Thanks!

  11. Just wondering if I copy the contents of the result “—-begin certificate — ” and save it as a .pem file, will the regular cert reading tools be able to decipher it as a certificate?

  12. Is the code for this available anywhere? Just curious how you parse the record and feed it into openssl.

    1. Hi Dan! I haven’t published the code but it’s just a quick little PHP script with a flow that looks like this…

      • dig to grab the DKIM DNS record, since PHP’s dns_get_record() doesn’t properly handle returning TXT records for long DKIM entries.
      • Regex to extract the tags of interest from the record, per RFC 6376 : https://tools.ietf.org/html/rfc6376#section-3.6.1
      • Process the extracted public key via PHP’s OpenSSL library: openssl_get_publickey -> openssl_pkey_get_details

      If you want more specifics about any of that, drop me a note via the Contact page and I’ll email you further details.

  13. I get a fail on my test but a pass for other online checking pages – from reading I suspect it has to do with the FQDN appended to the selector eg my selector is:

    phr1._domainkey

    and it seems to fail on some sites including this one but pass on others – are you able to check if the un-appended FQDN is the problem?

    Thanks,
    Phil.

    1. Hi Phil! Yes, just use your DKIM selector, phr1, in the “Selector” input box. Do not include the _domainkey subdomain.

      Using that, along with your Domain pricom.com.au works for me. Let me know if that helps.

  14. Hi
    I’ve set up a 2048 key for MailPlus on my Synology NAS and split the key across 2 TXT records in the DNS but the checker only reports it as a 1024 key. Does it not handle split keys?

    1. Hi Julian! It should handle split keys. What’s your DNS TXT record (selector/domain) and I can take a look.

  15. For some reason this tool is not able to find the dkim entry on any of my websites. All have dkim as selector in a TXT record:
    3dworldz.com, sovariaestates.world, gospellearningcenter.com, localfood4u.com.

    1. Hi Bob!

      I do see your DKIM TXT record on dkim.3dworldz.com

      ❯ dig -t TXT dkim.3dworldz.com
      ;; ANSWER SECTION:
      dkim.3dworldz.com. 60 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu85+PZRVgrTN2VMyINKIA8EbiFMBn0aDyUYzdfL7kl7hZJnOV0BvyR9I1xwRN/EmDEgd9DVkjYKgT1fNjHkjLDmPtirCc1QiAfceCqjGbWjuOFtFjW5RfaQP4rqnJ0CH2QL3hwfekTBfHPkKAO4mf37gtlkXMUSXzQiIUTd+ogwIDAQAB;"

      However, the DKIM specification uses a namespace subdomain called “_domainkey” to store DKIM records.

      So you’ll want to use the format:
      [your selector]._domainkey.[your domain name]

      Example: dkim._domainkey.3dworldz.com

      The relevant RFC section:
      https://datatracker.ietf.org/doc/html/rfc6376#section-3.6.2.1

      And some more details about the naming of the DKIM DNS entry:
      https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/

  16. Resolved! Nice to finally find out how to put in the selector on the domain TXT record. Host entry is to be dkim._domainkey and the Value with the rest of the required data. Validation is now working and finding the entry on my domain. Thanks Dave!
