Mimecast DMARC Analyzer

    DKIM Record Check

    Check that your DKIM record is correctly implemented and establishes you as the authorized owner of your email sending domain.
    DKIM Record Checker

    Use the DKIM record checker to validate
    your DKIM records

    DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of the sending domain. It works together with DMARC.

    You need a valid DKIM record to implement DKIM. The Mimecast DKIM Record Check will use the domain name and selector to check for a valid published DKIM record. Because DKIM authenticates the reputation and identity of the sender, we recommend you carefully test any DKIM record updates before applying them.



    Protected by reCAPTCHA. Google Privacy Policy and Terms of Service apply.

    Your results

    Your DNS record is:

    Your DNS record is:

    Selector

    Your selector is:

    Domain

    Your domain is:

    Full DKIM Record

    Key Length

    Most ESPs use 1024-bit keys by default, but companies like Google use 2048-bit keys. We recommend 1024 or higher.

    We have detected that the key length you use is

    Declared tags

    Tag Value Description

    Defaulted tags

    Tag Value Description
    Tag Value Description
    v DKIM protocol version.
    g * Some organizations assign specific business functions to discrete groups, inside or outside the organization. This key is to authorize that group to sign some mail, but to constrain what signatures they can generate. The DKIM granularity (the 'g=' tag) facilitate this kind of restricted authorization.
    h The 'h=' tag provide a list of mechanisms that can be used to produce a digest of message data. ('sha1' or 'sha256' can be used).
    k The 'k=' tag provide a list of mechanisms that can be used to decode a DKIM signature. ('rsa' is used most often).
    n Notes that might be of interest to a human.
    p Your base64 encoded public key.
    s * The 's=' provides a list of service types to which this selector may apply. ('*' and 'email' are used most often).
    t The 't=' tag provides a list of flags to modify interpretation of the selector. These DKIM Selector Flags for additional flags are optional. ('y' and 's' are often used).
    l 0 Body length limits (in the form of the 'l=' tag) are subject to several potential attacks.
    q The 'q=' tag-spec provides for a list of query methods. ('dns' is used most often)

    Would you like your results emailed to you?

    Thank you.

    Check your email for details on your request.

    Get started with DMARC Analyzer to protect your brand from domain spoofing!

    Gain full visibility into all email senders using your domain to identify legitimate vs. fraudulent senders and block delivery of all unauthenticated mail.

    Frequently Asked Questions

    Explore more details about DMARC Records.

    DKIM part of the DMARC protection

    DMARC only works if SPF and DKIM are set up correctly. Mimecast DMARC Analyzer can be used to generate DMARC reports containing detailed information about who is sending email on your behalf.

    How DKIM authentication works

    With DKIM, the sending server signs an email with a key. This includes the body and a number of important headers, such as From, To, the subject, and the date. This “signature” is added as an extra header so that receiving mail servers can verify it.

    The public part of the key is published in the DNS zone of the sending domain. By using the public key and the signature in the message, the receiving party can verify that the message arrived as it was sent, without modification.

    These keys can be found as TXT records or CNAME records in the form selector._domainkey. Thus, a domain can contain multiple keys. This is useful if there are multiple senders — such as Google Workspace or Microsoft Office 365 — in addition to the regular email with the hosting package.

    How to find a DKIM signature

    When you open an email, right click and select "view source." Search for "DKIM-Signature" to find the DKIM signature applied for your email domain. The DKIM-Signature email header contains an s= tag, and is used as a selector for the receiving server to use for a DKIM record lookup.

    Using the DKIM record checker

    The DKIM checker verifies the presence and validity of a DKIM record. Enter the domain and selector to check the domain’s DKIM record.

    DKIM Selector: The DKIM selector is specified in the header of the DKIM signature and indicates where the public key portion of the DKIM key pair exists in DNS.

    Domain to verify: The domain for which the DKIM record is to be checked.

    Ready to get started?

    See how Mimecast can help your organization Work Protected™

    Back to Top