๐Ÿ“ง DKIM ยท record inspector

Check DomainKeys Identified Mail records โ€” validate email authentication
โ“˜ Common: google, selector1, default, 2023
๐Ÿ“ง
Enter a domain and selector, then click "Check DKIM"
DKIM records help verify email authenticity and prevent spoofing.
๐Ÿ” DKIM = DomainKeys Identified Mail ๐Ÿ“ Format: selector._domainkey.domain.com TXT โšก Using Google DNS over HTTPS

๐Ÿ”‘ Generate DKIM Keys with OpenSSL

Generate a 2048-bit RSA key pair for DKIM:

# 1. Generate private key
openssl genrsa -out dkim-private.pem 2048

# 2. Extract public key (for DNS record)
openssl rsa -in dkim-private.pem -pubout -outform PEM 2>/dev/null | grep -v "BEGIN" | grep -v "END" | tr -d '\n' | awk '{print "p=" $0}'

# 3. Sample DKIM TXT record
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4xUT9...

โšก The public key (p= tag) goes in your DNS TXT record at: selector._domainkey.yourdomain.com

๐Ÿ“Š Key Size Recommendations

Key Size Security DNS Record Size Recommendation
1024-bit โš ๏ธ Weak ~180 chars โŒ Avoid - deprecated
2048-bit โœ… Strong ~350 chars โœ… Recommended
3072-bit ๐Ÿ”’ Very Strong ~500 chars ๐Ÿ‘ For high security

โš ๏ธ Note: DNS TXT records have a 512-byte limit. 4096-bit keys may exceed this limit.

๐Ÿ“‹ DKIM Best Practices (2026)

  • ๐Ÿ”‘
    Use 2048-bit keys minimum
    1024-bit is considered weak and may be rejected by some receivers
  • ๐Ÿ”„
    Rotate keys every 6-12 months
    Generate new keys and update DNS before expiring old ones
  • ๐Ÿ“
    Use multiple selectors
    Maintain at least two selectors for smooth key rotation (e.g., selector1, selector2)
  • โš™๏ธ
    Include all required tags
    v=DKIM1, p=[public key] are mandatory. Add h=sha256 for better security
  • ๐ŸŒ
    Publish DKIM for all sending domains
    Even if you don't send much, it prevents impersonation
  • ๐Ÿ“Š
    Monitor DKIM alignment with DMARC
    Use DMARC reports to ensure your DKIM is being validated

๐Ÿ”ง DKIM Tag Reference

Tag Required Description
v= โœ… Yes Version - must be "DKIM1"
p= โœ… Yes Public key (base64)
k= โŒ No Key type (rsa is default)
h= โŒ No Hash algorithms (sha256 recommended)
s= โŒ No Service type (email is default)
t= โŒ No Flags (y=testing, s=strict)
๐Ÿ”
DKIMvalidator.com

Quick DKIM record lookup

๐Ÿ“จ
Mail Tester

Check your email authentication

๐Ÿ”
DMARCIAN DKIM Inspector

Advanced DKIM validation

๐Ÿ“Š
DKIM Checker

Alternative validation tool

๐Ÿ“š Command Line Tools

# Generate with OpenSSL (Linux/macOS)
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

# Using Python (alternative)
python3 -c "from Crypto.PublicKey import RSA; key = RSA.generate(2048); print(key.export_key().decode()); print(key.publickey().export_key().decode())"