DKIM Signature Checker: Validate Cryptographic Email Auth

Check DKIM records to verify selector configuration, validate public keys, and ensure proper cryptographic email signature setup.


DKIM Signature Validation

DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify email authenticity and integrity. Sending mail servers sign outgoing messages with a private key; receiving servers validate signatures using public keys published in DNS TXT records. Unlike SPF, DKIM survives email forwarding, making it a critical component of email authentication.

How DKIM Works

When your mail server sends an email, it generates a cryptographic signature from selected headers and the message body using a private key. This signature is added to the email as a DKIM-Signature header. The receiving server retrieves the corresponding public key from DNS and uses it to verify the signature.

If the signature validates, it proves two things: the email was authorized by the domain owner (authentication) and the signed headers and body were not modified in transit (integrity). If either check fails, the email may be flagged as suspicious or rejected depending on the receiving server's policies.
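The integrity half of that check, as an added example that is not code from this page's tool: the signer puts a Base64 SHA-256 hash of the canonicalized body in the bh= tag of DKIM-Signature, and the verifier recomputes it over the body it received. The message and header below are constructed samples; the RSA signature over the headers (b=) is deliberately not covered.

```python
import base64
import hashlib
import re

def parse_tags(header_value):
    """tag=value pairs of a DKIM-Signature value (same tag-list syntax as the DNS record)."""
    pairs = (p.strip().partition("=") for p in header_value.split(";") if p.strip())
    return {k.strip(): "".join(v.split()) for k, _, v in pairs}

def canonicalize_body(body, mode="simple"):
    """RFC 6376 body canonicalization: 'simple' removes trailing empty lines; 'relaxed'
    additionally strips trailing whitespace per line and folds runs of WSP to one space."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:                     # empty body: CRLF for simple, nothing for relaxed
        return "" if mode == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"

def body_hash(body, mode="simple", limit=None):
    """bh= value: Base64(SHA-256(canonical body)), truncated to l= bytes when an l= tag is set."""
    canon = canonicalize_body(body, mode).encode()
    canon = canon if limit is None else canon[:limit]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def verify_body_hash(dkim_signature, body):
    """Recompute bh= from the received body using the c= and l= tags and compare."""
    tags = parse_tags(dkim_signature)
    if tags.get("a", "rsa-sha256") != "rsa-sha256":
        raise ValueError("only rsa-sha256 is handled here")
    algs = tags.get("c", "simple/simple").split("/")
    body_mode = algs[1] if len(algs) > 1 else "simple"   # one algorithm named: body is simple
    limit = int(tags["l"]) if "l" in tags else None
    return body_hash(body, body_mode, limit) == tags["bh"]

# Constructed sample: the signer hashes the original body; b= (the RSA signature) is omitted.
ORIGINAL = "Hello,\r\n\r\nYour invoice is attached.\r\n\r\n\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=k1; "
       "h=from:to:subject; bh=" + body_hash(ORIGINAL, "relaxed"))
```

Extra trailing blank lines or re-folded whitespace still verify under relaxed canonicalization, while a footer appended by a forwarder or list does not, which is the "modified after signing" failure the FAQ mentions.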

DKIM Selectors

DKIM uses selectors to support multiple keys per domain. Selectors are arbitrary names chosen by the domain owner. Common selectors include default, google, k1, and selector1.

Public keys are published at selector._domainkey.example.com. For example, Google Workspace uses google._domainkey.example.com. The selector is specified in the s= tag of the DKIM-Signature header, which tells the receiving server where to find the public key.

DKIM Record Structure

A DKIM TXT record contains tags separated by semicolons. Key tags include v=DKIM1 (version), k=rsa (key type), and p=... (public key in Base64).

Example: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBi...

Optional tags include t=s (strict sender domain check) and g= (granularity of the key). Most implementations only require the version, key type, and public key.
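As an added worked example (not the page's own tool code), a small checker that splits a record into its tags, decodes p=, and reads the RSA modulus size out of the DER SubjectPublicKeyInfo so that 1024-bit keys can be flagged. `constructed_record` builds placeholder keys for testing only, not real key material; its 1024-bit output starts with the same `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBi` prefix as the example record above, because that prefix is the DER header of a 1024-bit RSA key.

```python
import base64

def parse_dkim_record(txt):
    """Tag=value pairs of a DKIM TXT record (RFC 6376 tag-list), folded whitespace dropped."""
    pairs = (p.strip().partition("=") for p in txt.split(";") if p.strip())
    return {k.strip(): "".join(v.split()) for k, _, v in pairs}

def _tlv(buf, pos=0):  # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus bits of a DER SubjectPublicKeyInfo: SEQ{SEQ{alg}, BITSTR{SEQ{INT n, INT e}}}."""
    _, body, _ = _tlv(spki)
    _, _, pos = _tlv(body)                       # skip AlgorithmIdentifier
    _, bitstr, _ = _tlv(body, pos)               # BIT STRING; first byte = unused-bit count
    _, modulus, _ = _tlv(_tlv(bitstr[1:])[1])    # RSAPublicKey SEQUENCE -> INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt):
    """Findings a checker would report for one selector._domainkey TXT record."""
    tags, findings = parse_dkim_record(txt), []
    v, k = tags.get("v", "DKIM1"), tags.get("k", "rsa")  # both default per RFC 6376
    if v != "DKIM1" or k != "rsa":
        findings.append(f"unsupported version/key type: v={v} k={k}")
    p = tags.get("p")
    if not p:                                    # absent or empty p= -> no usable key
        findings.append("missing p= tag" if p is None else "empty p=: key revoked (RFC 6376)")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
            if bits < 2048:
                findings.append(f"weak {bits}-bit RSA key (deprecated)")
        except (ValueError, IndexError):
            findings.append("p= is not a valid Base64 DER public key")
    return findings

def _der(tag, body):  # minimal DER TLV encoder, only for the constructed sample keys below
    lb = b"" if len(body) < 128 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb) if lb else len(body)]) + lb + body

def constructed_record(bits):
    """Constructed DKIM record whose p= is a placeholder RSA SPKI of `bits` size (not a real key)."""
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")       # top bit set, so DER pads 0x00
    rsakey = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))       # INTEGER n, INTEGER e=65537
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsakey))).decode()
```

Feed `check_dkim_record` the TXT value returned for `selector._domainkey.example.com`; an empty p= is the RFC 6376 way of revoking a key, which is why the checker reports it separately from a missing tag.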

Key Rotation & Security

Rotate DKIM keys annually or when private keys may be compromised. Use 2048-bit RSA keys minimum (1024-bit is deprecated). Multiple selectors enable zero-downtime rotation — publish the new key, update mail server configuration, then remove the old key after emails signed with it have been delivered.

DKIM signatures include a timestamp and optional expiration. This prevents replay attacks where attackers resend old signed messages. Most implementations set 48-72 hour expiration windows.

Store private keys securely and never expose them in version control or logs. If a private key is compromised, generate a new key pair immediately and publish the new public key. Revoke the old key by removing its DNS record.

DKIM vs SPF vs DMARC

SPF verifies the envelope sender (Return-Path) against authorized IP addresses. It breaks when emails are forwarded.

DKIM verifies the message signature against a public key. It survives forwarding because the signature is part of the message headers.

DMARC combines SPF and DKIM results and defines policies for handling failures. It also provides reporting visibility. All three work together — implement them all for complete email authentication.

FAQ

What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was sent by an authorized server and that its content was not altered in transit. The sending server signs the message with a private key, and the receiving server validates the signature using a public key published in DNS.
What key length should I use for DKIM?
Use 2048-bit RSA keys as the minimum standard. 1024-bit keys are considered deprecated and may be rejected by some receiving servers. 4096-bit keys offer stronger security but may cause performance issues with high-volume mail servers. 2048-bit provides the best balance of security and compatibility.
How do I fix DKIM signature verification failures?
Common causes include: incorrect DNS record (wrong selector or missing public key), key mismatch between signing private key and published public key, modified email content after signing, or expired signatures. Verify the selector exists in DNS, confirm the public key matches your mail server's private key, and check that no intermediate systems modify the email body or headers after signing.
What is a DKIM selector?
A DKIM selector is an arbitrary string used to locate the correct public key in DNS. It allows multiple DKIM keys per domain, which is useful when different services send email on your behalf. For example, Google uses the selector 'google', while Microsoft uses 'selector1' and 'selector2'. The selector is specified in the DKIM-Signature header as the 's=' tag.
How often should I rotate DKIM keys?
Rotate DKIM keys at least annually or immediately if a private key is compromised. Many organizations rotate keys every 6-12 months. To rotate without downtime: generate a new key pair, publish the new public key under a new selector, configure your mail server to sign with the new key, verify the new key works, then remove the old key after 48-72 hours.
Do I need DKIM if I already have DMARC?
Yes. DMARC checks alignment against SPF and DKIM. While DMARC can pass with only SPF, DKIM provides an additional authentication layer that survives email forwarding — SPF often breaks when emails are forwarded because the envelope sender changes, but DKIM signatures remain valid. Implement both for reliable email authentication.