DKIM Checker Tool

The DKIM Checker validates your DKIM (DomainKeys Identified Mail) records to ensure email signatures are correctly configured. Use this tool to test and troubleshoot DKIM issues.

What is DKIM?

DKIM adds a cryptographic signature to your emails. Receiving servers verify the signature using your published public key, confirming the email truly came from you.

How it works:

  1. Your mail server signs outgoing email with a private key
  2. Public key is published in your DNS as a DKIM record
  3. Receiving server retrieves your public key
  4. Verifies the signature matches
  5. Email passes DKIM check

Accessing the Tool

  1. Log in to SpoofWard
  2. Go to Tools → DKIM Checker
  3. Enter your domain and selector name
  4. Tool validates your DKIM record

Understanding DKIM Selectors

A selector identifies which DKIM key to use. You can have multiple DKIM keys with different selectors for key rotation or multiple mail servers.

Common selectors:

  • default - Standard default key
  • selector1 - Office 365
  • selector2 - Office 365 secondary
  • google - Google Workspace
  • sendgrid - SendGrid
  • Custom names your organization uses

Using the DKIM Checker

Step 1: Enter Domain

Enter the domain you want to check (e.g., example.com)

Step 2: Enter Selector

Enter the DKIM selector you want to validate:

  • If you don't know which selectors exist, try common ones: default, selector1, google, etc.
  • Or contact your mail provider for the selector

Step 3: Check Results

The tool queries DNS and returns:

Status Indicators:

  • Valid - DKIM record found and is properly formatted
  • Warning - Record exists but has issues
  • Not Found - No DKIM record at this location
  • Error - Record exists but is malformed

Valid DKIM Record

Tool shows:

  • Public Key - The key being used for verification
  • Key Type - Usually rsa
  • Key Size - Usually 2048-bit (can be 1024, 2048, or 4096)
  • Status - Valid and ready for use
  • Full Record - Complete DKIM record from DNS

What makes it valid:

  • Correct version: v=DKIM1
  • Key type specified: k=rsa
  • Valid public key present: p=MIGfMA0GCSqGSIb3...
  • Proper DNS format

Invalid DKIM Record

Tool shows:

  • Error Type - Specific problem found
  • Details - What's wrong
  • Suggestion - How to fix it

Common issues:

  • Incomplete public key (truncated)
  • Incorrect format or syntax
  • Missing required fields
  • Wrong selector name

Finding Your DKIM Selectors

If Using Office 365

  1. Go to Exchange Admin Center
  2. Mail flow → DKIM
  3. Look for entries with status "Enabled"
  4. Selector name shown (usually selector1._domainkey)

If Using Google Workspace

  1. Go to Google Admin Console
  2. Security → Authentication → Email & calendar
  3. Look for DKIM authentication
  4. Selector names shown (usually google._domainkey or selector1._domainkey)

If Using SendGrid

  1. Go to SendGrid Dashboard
  2. Settings → Sender Verification
  3. Click your domain
  4. DKIM info shown with selector

If Using AWS SES

  1. Go to AWS SES Console
  2. Verified Identities
  3. Select your domain
  4. Click DKIM tab
  5. Selectors and tokens shown

If Using Custom Mail Server

Check your mail server documentation or contact your IT team for:

  • DKIM selector being used
  • Location of private key
  • Public key content to publish

Checking Multiple Selectors

If you have multiple DKIM keys:

  1. Run checker for each selector
  2. All should show as "Valid"
  3. If one fails, investigate why
  4. It is common to have 1-2 keys active, with older ones retired

Example (Office 365):

  • selector1._domainkey - Valid (current)
  • selector2._domainkey - Valid (backup)

Troubleshooting DKIM Issues

Issue: DKIM Record Not Found

Cause: Record not published in DNS yet

Solution:

  1. Verify selector name is correct
  2. Check DNS to ensure record was published
  3. Use MXToolbox or similar to verify DNS
  4. Wait 24-48 hours for propagation
  5. Re-run checker

Issue: DKIM Record Incomplete

Cause: Public key is truncated in DNS

Symptoms:

  • Checker shows "key incomplete"
  • Public key ends abruptly
  • Record may have been cut off

Solution:

  1. Check DNS for full key value
  2. Some DNS providers truncate long records
  3. Verify complete key is published
  4. May need to contact DNS provider support
  5. Sometimes requires special formatting or multiple TXT records

Issue: Invalid Syntax

Cause: DKIM record has formatting errors

Symptoms:

  • Tool shows syntax error
  • May have wrong field names
  • Missing required v=, k=, or p= fields

Solution:

  1. Get the correct DKIM record from your provider
  2. Delete the malformed DNS record
  3. Re-publish the correct version
  4. Re-run checker

Issue: Multiple DKIM Records, Only One Valid

Cause: Old key not removed when rotating

Common scenario:

  • selector1 - Valid (current)
  • selector2 - Invalid (old, should be deleted)

Solution:

  1. Keep only current DKIM keys
  2. Delete old/unused selectors from DNS
  3. Your mail provider will have documentation on rotation

Understanding DKIM Record Components

Version (v=DKIM1)

Always v=DKIM1. Indicates DKIM version 1.

Key Type (k=)

Usually k=rsa. RSA is the standard key type.

Public Key (p=)

Long base64-encoded string:

  p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa...

This is the public key used to verify signatures. Must be complete and valid.

Service Type (s=)

Optional. Specifies what services this key can sign:

  • s=email - For email only (most common)
  • If omitted, defaults to email

Hash Algorithm (h=)

Optional. Hash algorithms supported:

  • h=sha256 - SHA-256 (default, recommended)
  • Older records might have h=sha1:sha256

Testing (t=)

Optional. Used during setup:

  • t=y - Test mode (don't enforce)
  • Used by mail providers during DKIM rollout

When seen in a record, it's usually old setup data and can be removed.
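
The record checks described on this page (v=, k= and p= present, a complete public key, adequate key size, a long key split across several quoted TXT strings) can be reproduced offline. The Python below is an added example, not SpoofWard's code; the function names are hypothetical and the sample keys are constructed with dummy moduli.

```python
import base64
import re

def parse_tags(txt_rdata):
    """Join the quoted strings of one TXT record, then split tag=value pairs."""
    record = "".join(re.findall(r'"([^"]*)"', txt_rdata)) or txt_rdata
    pairs = (item.partition("=") for item in record.split(";"))
    return {n.strip(): "".join(v.split()) for n, sep, v in pairs if sep}

def der_element(buf, pos):
    """Return (content_start, content_end) of the DER element at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return pos, pos + length

def rsa_modulus_bits(der):
    """Bit length of the modulus in an RSA SubjectPublicKeyInfo."""
    outer, _ = der_element(der, 0)                 # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = der_element(der, outer)           # AlgorithmIdentifier
    bit_string, _ = der_element(der, alg_end)      # BIT STRING
    rsa_key, _ = der_element(der, bit_string + 1)  # skip the unused-bits byte
    start, end = der_element(der, rsa_key)         # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def check_dkim_record(txt_rdata):
    """Return (status, detail) using this page's status names."""
    tags = parse_tags(txt_rdata)
    missing = [t for t in ("v", "k", "p") if not tags.get(t)]
    if missing:
        return "Error", "missing " + ", ".join(missing)
    if tags["v"] != "DKIM1":
        return "Error", "version is not DKIM1"
    if tags["k"] != "rsa":
        return "Warning", "only rsa keys are size-checked here"
    try:  # binascii.Error (bad base64) is a ValueError subclass
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return "Error", "public key incomplete or not valid base64"
    if bits < 2048:
        return "Warning", f"{bits}-bit key; 2048-bit is the current standard"
    return "Valid", f"{bits}-bit rsa key"
# Constructed sample keys (dummy moduli, not usable for signing or verifying).
KEY_2048 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2g" + "A" * 340 + "IDAQAB"
KEY_1024 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa" + "A" * 170 + "IDAQAB"
SPLIT = f'"v=DKIM1; k=rsa; p={KEY_2048[:200]}" "{KEY_2048[200:]}"'
```

Passing only the first quoted string of SPLIT reproduces the truncated-key case: the base64 still decodes, but the DER length field points past the end of the data.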

DKIM in Action

Signing Email

When your mail server sends email:

  1. Creates email message
  2. Signs with private key
  3. Adds DKIM-Signature header
  4. Sends to recipient

Verification

Receiving server:

  1. Receives email with DKIM-Signature header
  2. Extracts selector from signature
  3. Looks up selector._domainkey.yourdomain.com in DNS
  4. Retrieves public key
  5. Verifies signature matches
  6. Email passes or fails DKIM check

Best Practices

Use Standard Selectors

Common names like default or selector1 are easy to manage.

Rotate Keys Periodically

Update your DKIM keys annually or every 2 years.

Keep Private Key Secure

Never expose your private key. Only the mail server needs it.

Monitor for Problems

Regularly check that DKIM records are valid using this tool.

Use Adequate Key Size

2048-bit RSA is the current standard. 1024-bit is deprecated.

Enable DKIM When Setting Up Mail

Don't leave it for later. Configure immediately.

Common Services and Their Selectors

Office 365:

  • Selector: selector1._domainkey and selector2._domainkey
  • Auto-managed by Microsoft

Google Workspace:

  • Selector: google._domainkey
  • Or custom: selector1._domainkey
  • Managed by Google Admin

SendGrid:

  • Selector: Varies, usually provided
  • Contact support for exact selector

Amazon SES:

  • Selector: Provided by AWS
  • View in SES console

Internal Mail Server:

  • Selector: Your choice (often default or mail)
  • Configure in mail server software

Integration with SpoofWard

SpoofWard automatically:

  • Validates DKIM records - Checked as part of DNS Health
  • Detects failed DKIM - Shown in DMARC reports
  • Recommends fixes - Suggestions if records are invalid
  • Monitors changes - Alerts if DKIM records are modified

Go to DNS → Records in SpoofWard to see your DKIM status.

Advanced Topics

DKIM Alignment

For DMARC to work, email must be signed with a key matching your domain.

Aligned (✓):

  • Email From: an address at example.com
  • DKIM Signature: signed with example.com key
  • Result: DKIM-aligned

Misaligned (✗):

  • Email From: an address at example.com
  • DKIM Signature: signed with mail.example.com key or different domain
  • Result: Not aligned (fails DMARC DKIM check)

Most mail providers handle this automatically.
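
The verification steps under "DKIM in Action" and the alignment rule above can be checked against a message you have received. The Python below is an added example, not SpoofWard's code: it reads each DKIM-Signature header, builds the DNS name a verifier would query, and compares d= with the From domain by exact match, the case the misaligned example describes. The message, the sending-service domain esp.example.net and the function name are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message: one signature from the author's domain and one from a
# hypothetical sending service. The bh= and b= values are placeholders.
RAW = """\
From: Billing <billing@example.com>
To: someone@example.org
Subject: Invoice
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
 h=from:to:subject; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example.net; s=s2048;
 h=from:to:subject; bh=AAAA; b=BBBB

Body
"""

def signature_lookups(raw_message):
    """For each DKIM-Signature header, return the DNS name a verifier queries
    and whether d= exactly matches the From domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        # Header values keep their folding whitespace, so strip it per tag.
        pairs = (item.partition("=") for item in header.split(";"))
        tags = {n.strip(): "".join(v.split()) for n, sep, v in pairs if sep}
        if "d" not in tags or "s" not in tags:
            continue  # no selector or domain: nothing to look up
        domain = tags["d"].lower()
        results.append({
            "query": f"{tags['s']}._domainkey.{domain}",
            "aligned": domain == from_domain,  # exact match only
        })
    return results
```

The "query" values are also a quick way to learn which selectors a provider is signing with when you do not know them in advance.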

Key Rotation

When updating DKIM keys:

  1. Generate new key in mail provider
  2. Publish public key in DNS under new selector
  3. Configure mail server to use new key
  4. Wait for propagation (24-48 hours)
  5. Verify with DKIM Checker
  6. Retire old key - Delete from DNS after confirmed working

FAQ

How many DKIM keys should I have?

Usually 1-2. One active, one for rotation/backup.

Do I need a different DKIM key per subdomain?

Not required, but some organizations do. One per domain is typical.

How often should I rotate DKIM keys?

Annually or every 2 years. More frequent rotation isn't necessary.

What if DKIM Checker shows errors?

Contact your mail service provider. They manage DKIM configuration.

Can email work without DKIM?

Yes. SPF and DMARC can work without DKIM. But SPF+DKIM together is much more secure.

Is DKIM required for DMARC?

No. DMARC works with SPF alone. But SPF+DKIM is recommended.
