How to Check, Test and Validate DKIM Records in DNS is Correct and Valid

As I’ve wrote in the article: “10 Tips for Auditing & Improving Mail Server Performance“, Dkim or Domainkeys  is one feature that can be used to  increase the acceptance rate (eligibility) of email on the destination mail server.

DomainKeys or DKIM signature  basically  allowing good senders to “sign” a message to prove that it really did come from them. This process is obtained by signing  the outgoing mail with a specific code corresponding domain name and identity of the mail server so it is considered valid and convincing as an authorized sender.

Domain Keys Identified Mail (DKIM) is a technology designed to make it difficult or impossible for criminals to steal the identities of legitimate organizations. This authentication technology allows good senders to “sign” a message to prove that it really did come from them..
DKIM originally written as sender authentication protocol developed in order to address the problem of forged email messages. Yahoo! released the DomainKeys specification and Cisco released the Internet Identified Mail specification. Both methods are based on cryptographic message signing. The two efforts have been merged, and the combined specification is known as DomainKeys Identified Mail (DKIM).

mail-serverThe problem is, DKIM is not very easy to set up. We need to setup the mail server  and also add a TXT records into public DNS server. Not all providers provided and authorized us to add or modify TXT records. In some cases, we must create a support ticket so they make the TXT records according to our requirement. If so, how can we check that the TXT records are made is correct?

There are 4 ways that we can do to test DKIM Records in DNS, which is as follows:

  1. By using CLI with the following command : dig namaselector._domainkey.namadomain.tld TXT ex : dig TXT. Belor are an example of the response :
    01.# dig TXT; <<>> DiG 9.7.1-P2 <<>> TXT
    02.;; <span class="l64d1s3br" id="l64d1s3br_4">global options</span>: +cmd
    03.;; Got answer:
    04.;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 63688
    05.;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0;; QUESTION SECTION:
    06.; IN TXT;; ANSWER SECTION: 172800 IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJ5IZT5e5nvmkotroz5ylTlwU8yEEZ+v/576aI+w6TkbP4XibYxDsWVweXXtVeQQmw8AwYuK5R9b373Xqu+Hv9HNAJoAteKF/qlKcZc5Akhj5B7P1imXaurZkkIBp63yBZyZRralzQYNT3UrVB7M/xONMWXcU9xm7Zv1PzH1Y1OQIDAQAB";; Query time: 85 msec
    08.;; SERVER:
    09.;; WHEN: Mon Dec 5 08:18:00 2011
    10.;; MSG SIZE rcvd: 316
  2. By using web  : Type the name of the selector and the domain name then click the Check button.
  3. By sending a blank email to the following address : or and check the respon.
  4. By sending an email to a Gmail address or Yahoo and see the message headerSigned By as shown  below`

Hopefully this can help to check whether your DKIM  records meets with standard or still require a modification.

Leave a Reply

Your email address will not be published. Required fields are marked *