How to validate a DKIM record

Setting up a correct DKIM record is an essential part of your technical settings. This page explains how to check and validate your DKIM record.

You can check and validate your DKIM record with our DKIM record Checker.

How to validate a DKIM record using the DMARC Analyzer – DKIM record Checker?
As an example, we’re using a generated domain key from Google Apps.

Open the DKIM record Checker.
Enter ‘Google’ as the selector and your own domain name as the domain, then press ‘Validate DKIM’.

After you enter the ‘selector’ together with the associated ‘domain’, the DKIM validation tool shows a full list of all the DKIM results for the specified domain. The DKIM record is correctly configured when the DKIM Checker shows ‘This is a valid DKIM key record’.

If the selector is not valid, please check with your hosting provider whether the records have been entered correctly in your DNS (Domain Name System).

With the command-line tool dig on OS X and Linux, you can debug further to find out what the problem is.

First, make sure the problem is not related to caching. For example, if you ran the check before adding or changing the TXT record, the response from your DNS server might have been cached, and it could take a couple of hours before the server returns the correct response.

To bypass any cache, you can ask your nameserver directly what records it has.

Use the following command to find out what your nameservers are: dig yourdomain.com NS

[root@server ~]# dig yourdomain.com NS

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> yourdomain.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32320
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yourdomain.com.			IN	NS

;; ANSWER SECTION:
yourdomain.com.		300	IN	NS	ns1.yourdomain.com.
yourdomain.com.		300	IN	NS	ns2.yourdomain.com.
yourdomain.com.		300	IN	NS	ns3.yourdomain.com.

;; Query time: 31 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Nov 26 16:09:52 2012
;; MSG SIZE  rcvd: 87

The lines in the ANSWER SECTION above are your nameservers.

Now ask a nameserver what records it has available using the command: dig google._domainkey.yourdomain.com TXT @ns1.yourdomain.com

[root@server ~]# dig google._domainkey.yourdomain.com TXT @ns1.yourdomain.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> google._domainkey.yourdomain.com TXT @ns1.yourdomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23736
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google._domainkey.yourdomain.com.	IN	TXT

;; ANSWER SECTION:
google._domainkey.yourdomain.com. 300 IN	TXT	"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxLaG16G4SaEcXVdiIxTg7gKSGbHKQLm30CHib1h9FzS9nkcyvQSyQj1rMFyqC//tft3ohx3nvJl+bGCWxdtLYDSmir9PW54e5CTdxEh8MWRkBO3StF6QG/tAh3aTGDmkqhIJGLb87iHvpmVKqURmEUzJPv5KPJfWLofADI+q9lQIDAQAB"

;; Query time: 1 msec
;; SERVER: 83.96.177.4#53(83.96.177.4)
;; WHEN: Mon Nov 26 16:52:44 2012
;; MSG SIZE  rcvd: 284

You should see your TXT records here. Common mistakes and problems are:

  • It takes some time for changes saved in the GUI to reach the nameserver
    (e.g. everything is correct in the GUI, but the nameserver returns nothing or incorrect values)
  • It takes some time for all nameservers to sync with each other
    (e.g. ns1 returns correct values, but ns2 and/or ns3 do not)
  • Accidentally copied spaces
  • Characters are escaped with an additional \
  • Quotation marks inside the response value
  • The value field in the GUI is not long enough (at least 225 characters are needed)
  • Typos
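
The checks from the list above, applied to the TXT answer that dig prints for each nameserver, as an added example (not part of the original page or of the DKIM record Checker). The function names, the sample answers and the placeholder key bytes are constructed for illustration; the input is the quoted string from each nameserver's ANSWER SECTION.

```python
import base64, re

def txt_value(dig_rdata):
    """Join the quoted strings of a dig TXT answer and undo its backslash escapes."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_rdata)
    unescape = lambda m: chr(int(m[1])) if len(m[1]) == 3 else m[1]
    return re.sub(r"\\(\d{3}|.)", unescape, "".join(parts))

def der_length_ok(der):
    """True if the outer DER SEQUENCE length equals the bytes actually present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    k = der[1] & 0x7F if der[1] >= 0x80 else 0   # number of long-form length bytes
    body = int.from_bytes(der[2:2 + k], "big") if k else der[1]
    return len(der) == 2 + k + body

def check_record(value):
    """Return the problems found in a decoded DKIM TXT value."""
    problems = [msg for ch, msg in (("\\", "backslash in value"),
                                    ('"', "quotation mark in value")) if ch in value]
    tags = {n.strip(): v.strip() for n, _, v in (t.partition("=") for t in value.split(";"))}
    p = tags.get("p", "")
    if not p:
        return problems + ["missing or empty p="]
    if p != "".join(p.split()):
        problems.append("whitespace inside p=")
    try:
        der = base64.b64decode("".join(p.split()), validate=True)
    except ValueError:
        return problems + ["p= is not valid base64"]
    if not der_length_ok(der):
        problems.append("p= looks truncated")   # e.g. cut off by a short GUI field
    return problems

def compare_nameservers(answers):
    """answers: nameserver -> raw dig TXT rdata ('' if nothing came back)."""
    report = {ns: check_record(txt_value(r)) if r else ["no TXT record returned"]
              for ns, r in answers.items()}
    if len({txt_value(r) for r in answers.values()}) > 1:
        report["*"] = ["nameservers disagree"]
    return report

# Constructed sample: placeholder bytes with the DER framing of a 1024-bit key.
KEY = base64.b64encode(b"\x30\x81\x9f" + bytes(159)).decode()
RDATA = r'"v=DKIM1\; k=rsa\; p=%s"'   # semicolons escaped as dig 9.8 prints them
SAMPLE = {"ns1.yourdomain.com": RDATA % KEY,
          "ns2.yourdomain.com": RDATA % KEY[:-4], "ns3.yourdomain.com": ""}
print(compare_nameservers(SAMPLE))
```

An empty list for a nameserver means none of these checks fired; the `*` entry appears when the nameservers have not yet synced to the same value.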