What is a DKIM Record Lookup Tool?

Smartlead’s DKIM record checker or lookup tool is a free online service that helps you verify the validity and configuration of a DKIM (DomainKeys Identified Mail) record. Think of it like an inspector for your email security system. 

Once you enter a DKIM Record in the tool, it will retrieve all the details pertaining to the record as published in its domain’s DNS. The tool then analyzes the record for errors or syntax mistakes that might prevent it from working correctly. 

You will get clear feedback on whether the DKIM record is set up properly and can effectively authenticate emails sent from that domain.

What is a DKIM Record?

A DKIM record, structured as a DNS TXT entry, holds the public key necessary for a receiving mail server to authenticate a message's signature. It encompasses essential details such as name, version, key type, and the actual public key. Typically, this record is provided by the email service provider responsible for sending your emails.

How to Read a DKIM Check Report?

DKIM records follow a specific format. Let's take an example:

Name: selector1._domainkey.example.com
This is the specific identifier for the DKIM record. The _domainkey part is standard, and selector1 typically refers to a specific email source within example.com.

Type: TXT
Indicates the type of DNS record, specifically a text record.

Content: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDd7VxF6wIeE2jWmbSbHLG58mgU3RQo/...
It contains the DKIM public key information, a long string generated during DKIM setup.

TTL (Time To Live): 3600
It specifies how long other DNS servers can cache this record before checking for updates, typically in seconds (1 hour in this example).

Explanation of the terms:

Name: Identifies the DKIM record location using a specific selector for email sources within the domain.
Type: Denotes the record as a text entry in DNS.
Content: Holds the DKIM public key, crucial for verifying email authenticity.
TTL: Defines how long DNS servers should retain this record before refreshing.

How Does DKIM Work?

DKIM (DomainKeys Identified Mail) works by using cryptographic keys to verify the authenticity and integrity of emails sent from a domain. Here’s a simplified explanation of how DKIM works:

Key Generation: The domain owner generates a pair of cryptographic keys: a private key and a corresponding public key. The private key is kept securely by the domain owner, while the public key is published in the domain’s DNS as a DKIM record.

Signing Process: When an email is sent from the domain, the sending server uses the private key to create a unique cryptographic signature (DKIM-Signature header) based on the content of the email, including the header fields.

DNS Lookup: The receiving email server performs a DNS lookup to retrieve the public key associated with the sender’s domain from the DKIM record (e.g., selector._domainkey.example.com).

Signature Verification: Using the public key obtained from DNS, the receiving server decrypts the DKIM-Signature header to obtain a hash value. It then recalculates a hash of the email content it received. If the two hash values match, it confirms that the email was sent by the claimed sender and that the email content has not been altered since it was signed.

Handling Verification Results: If the signature verification succeeds, it indicates that the email is legitimate and has not been tampered with during transit. If the verification fails (i.e., the hash values do not match), it suggests possible tampering or that the email did not originate from the claimed sender, which may lead to the email being flagged as suspicious or rejected.

DKIM helps ensure emails haven't been modified after they are sent. By preventing fraudulent emails from appearing to come from your domain, DKIM safeguards your sender's reputation and improves email deliverability.

What is a DKIM Selector and How Can I Find Mine?

A DKIM selector is a subdomain prefix used in DKIM records to specify different keys for signing emails. It allows organisations to manage multiple DKIM keys for different purposes or sources within their domain. Here’s how it works and how you can find yours:

Purpose: A DKIM selector helps identify which public key a receiving mail server should use to verify the signature of an incoming email. This is crucial for domains that send emails from different sources or services.

Format: Typically, DKIM selectors are structured as <selector>._domainkey.<yourdomain> in DNS records. For example, selector1._domainkey.example.com.

Usage: Each selector is associated with a specific DKIM key pair (public and private keys). When you send an email, the private key corresponding to the selector signs the email, and the recipient server verifies it using the public key retrieved from the DKIM record.

To find the DKIM selector for your domain:

Check DNS Records: You need access to your domain's DNS settings. Look for TXT records with names following the pattern <selector>._domainkey.<yourdomain>.

DNS Management Interface: Use your domain registrar or hosting provider's DNS management interface to view existing records. Look for entries starting with <selector>._domainkey.

DKIM Setup Documentation: If you're unsure where to find it, consult the documentation provided by your email service provider or IT department. They typically include instructions on where to locate your DKIM selector and how to set up DKIM records.
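
The DNS lookup and hash comparison described under "How Does DKIM Work?", together with the selector naming above, shown as an added Python example (not Smartlead's code). It reads s= and d= from a DKIM-Signature header to build the record name, then checks the body against the signed bh= value; the function names are hypothetical, rsa-sha256 is assumed, the l= tag is ignored, and the b= signature itself is not verified.

```python
import base64
import hashlib
import re

def signature_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag list, dropping folding whitespace."""
    pairs = (t.split("=", 1) for t in header_value.split(";") if "=" in t)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def key_record_name(tags: dict) -> str:
    """DNS name the receiver queries: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def body_hash(body: bytes, relaxed: bool) -> str:
    """Base64 SHA-256 of the canonicalized body (RFC 6376, section 3.4)."""
    lines = body.split(b"\r\n")
    if relaxed:
        # Collapse runs of spaces/tabs, then drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    canon = b"".join(ln + b"\r\n" for ln in lines)
    if not canon and not relaxed:
        canon = b"\r\n"  # "simple": an empty body is hashed as a single CRLF
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def body_matches(header_value: str, body: bytes) -> bool:
    """True if the received body still hashes to the signed bh= value."""
    tags = signature_tags(header_value)
    # c= is "header/body"; the body algorithm defaults to "simple".
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_canon == "relaxed") == tags["bh"]

# Constructed sample: bh= is computed here and b= is a placeholder.
BODY = b"Invoice total: 100 EUR\r\n"
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;\r\n"
          f"\th=from:to:subject; bh={body_hash(BODY, True)}; b=PLACEHOLDER")

if __name__ == "__main__":
    print("query:", key_record_name(signature_tags(HEADER)))
    print("intact body:", body_matches(HEADER, BODY))
    print("edited body:", body_matches(HEADER, b"Invoice total: 900 EUR\r\n"))
```

With relaxed canonicalization, extra spaces and trailing blank lines added in transit do not change the hash, while any change to the visible text does.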

DKIM Test Results And Their Meaning

Record: WWW
Type: CNAME
Value: abc.com
Time to live (TTL): 3600

Understanding DKIM test results is crucial for ensuring proper email authentication and security. Here’s a breakdown of common DKIM test results and their meanings:

Valid DKIM Record
- Result: The DKIM validation tool successfully retrieves a DKIM record from the domain’s DNS.
- Explanation: This signifies proper DKIM configuration. The tool has accessed the necessary public key for DKIM signature verification, ensuring emails from this domain can be authenticated, thereby enhancing email security and credibility.

Invalid DKIM Record
- Result: The DKIM checker tool finds a DKIM record in the DNS, but it detects issues with the record’s format or completeness.
- Explanation: An invalid DKIM record may lead to verification failures due to problems such as incomplete or incorrectly formatted DNS entries or missing key information. Prompt correction is vital to ensuring DKIM functions correctly.

No DKIM Record Found
- Result: The DKIM test tool cannot locate any DKIM records in the domain’s DNS.
- Explanation: This indicates DKIM has not been implemented for email authentication. While not necessarily problematic, the absence of a DKIM record prevents DKIM signature verification for emails from this domain, potentially impacting email security and trustworthiness.

DKIM Selector Not Found
- Result: The DKIM tester tool finds a DKIM record in the DNS, but the selector provided in the query is not found within the record.
- Explanation: The DKIM selector specified should match the one used in the DKIM-Signature header of the email. A mismatch can lead to DKIM signature verification failures. This result suggests a configuration issue where selectors in the DKIM signature and DNS record don’t align.

DKIM Key Mismatch
- Result: The DKIM checker tool retrieves a DKIM record with the correct selector, but the public key within the record doesn’t match the key specified in the DKIM signature header of the email message.
- Explanation: This indicates a mismatch between the public key used to sign the email and the one published in the DKIM record. It could result from a configuration error or potential malicious activity, such as a man-in-the-middle attack. Resolving this issue is critical for ensuring email authenticity and security.

Incomplete Information
- Result: The DKIM verification tool retrieves a DKIM record from the DNS, but the record is missing essential information, such as the public key.
- Explanation: Incomplete DKIM records can lead to DKIM signature verification failures. The domain owner should update the DNS record with the necessary information to ensure proper email authentication and avoid potential issues with email delivery and security.
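
A syntax check that maps a record's content to the result names above, as an added Python example (not Smartlead's implementation). The function names and sample records are constructed for illustration; the check covers the v=, k= and p= tags only and does not parse the key itself.

```python
import base64
import binascii

def parse_tags(txt: str) -> dict:
    """Split a DKIM tag list ("v=DKIM1; k=rsa; p=...") into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Drop all whitespace: p= is often split across TXT strings.
            tags[name.strip()] = "".join(value.split())
    return tags

def classify_record(txt):
    """Return the result category for a TXT record's content (None = no record)."""
    if txt is None:
        return "No DKIM Record Found"
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "Invalid DKIM Record"        # wrong version tag
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        return "Invalid DKIM Record"        # unknown key type
    if not tags.get("p"):
        # Missing p=, or an empty p= (RFC 6376 reads that as a revoked key).
        return "Incomplete Information"
    try:
        base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return "Invalid DKIM Record"        # p= is not valid base64
    return "Valid DKIM Record"

# Constructed sample values (not real keys).
FAKE_KEY = base64.b64encode(b"constructed sample, not a real key").decode()
SAMPLES = {
    "good": f"v=DKIM1; k=rsa; p={FAKE_KEY}",
    "no key": "v=DKIM1; k=rsa",
    "bad version": f"v=DKIM2; p={FAKE_KEY}",
    "bad base64": "v=DKIM1; p=MIGf***",
    "missing": None,
}

if __name__ == "__main__":
    for label, txt in SAMPLES.items():
        print(f"{label:12} -> {classify_record(txt)}")
```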

How to Troubleshoot Common DKIM Errors?

Valid DKIM Record
Description: A valid DKIM record indicates successful retrieval of the DKIM record from the domain’s DNS.
Action: No immediate action is needed as this confirms proper DKIM configuration.

Invalid DKIM Record
Description: An invalid DKIM record suggests issues with the format, completeness, or correctness of the DKIM record in the DNS.
Actions:
- Verify the DKIM record format and ensure all required fields (like public key) are correctly entered.
- Correct any formatting errors or missing information in the DKIM record.
- After updating, use the Smartlead DKIM checker tool to verify if the issues have been resolved.

No DKIM Record Found
Description: If no DKIM record is found in the DNS, DKIM verification cannot be performed for emails from this domain.
Actions:
- Set up a DKIM record in your DNS settings. Consult your email service provider or IT department for guidance.
- After setting up DKIM, use a DKIM lookup tool to ensure the record is correctly published and retrievable.

DKIM Selector Not Found
Description: This error occurs when the DKIM selector specified in the email’s DKIM-Signature header does not match the selector found in the DKIM record in DNS.
Actions:
- Check Selector Configuration: Ensure the DKIM selector in your email server settings matches the DKIM record selector in DNS.
- Update Configuration: Adjust your DKIM configuration settings to align with the correct selector.

DKIM Key Mismatch
Description: A DKIM key mismatch indicates that the public key retrieved from the DKIM record in DNS does not match the key used to sign the DKIM signature in the email header.
Actions:
- Ensure the correct DKIM key pair (public and private keys) is being used and that they match your DNS and email server configurations.
- If necessary, regenerate and update the DKIM key pair, then update the DKIM record in DNS accordingly.

Incomplete DKIM Record
Description: An incomplete DKIM record lacks essential information, such as the public key, which can lead to verification failures.
Actions:
- Check the DKIM record in DNS to ensure all required fields (especially the public key) are correctly entered.
- Update the DKIM record in DNS with the necessary information to complete the record.

Additional Tips:
- Use Smartlead DKIM Checker Tools: Regularly use a DKIM checker tool to verify DKIM records and diagnose any issues promptly.
- Documentation: Refer to documentation provided by your email service provider or IT department for specific DKIM setup instructions and troubleshooting guidelines.
- Monitor Email Deliverability: Keep an eye on email deliverability metrics to detect any DKIM-related issues affecting email delivery.

  • www is the subdomain and is an identifier of the record.

  • CNAME is the DNS record type.

  • abc.com is the value of the record. That means www will resolve to the IP address of the domain abc.com.

  • 3600 is the TTL (time to live), the expiry time of the CNAME record. It's expressed in seconds. Here 3600 means that the records will be updated after each hour.

Frequently Asked Questions

General Questions

How Does A DKIM Record Check Differ From An SPF Record Check?

SPF checks authorized email senders based on IP addresses. DKIM verifies the email content hasn't been tampered with using digital signatures.

Do I Need Both SPF And DKIM For Email Security?

While each offers distinct benefits, using both SPF and DKIM provides a more robust email authentication system.

Is A DKIM Record Difficult To Set Up?

The technical setup might require some expertise. However, many email service providers offer user-friendly interfaces or instructions for configuring DKIM records.

I use a DKIM Record. Why am I Still Getting Emails About Failed DKIM Checks?

There could be a few reasons for this:

Incorrect Configuration: Double-check your DKIM record for any typos or errors in syntax.

Propagation Delay: Changes to DNS can take some time to propagate across the Internet. Be patient after making edits to your DKIM record.

Third-Party Sending Services: If you use a third-party service to send emails on your behalf, ensure their configuration aligns with your DKIM record.

If you're still facing issues after addressing these potential causes, consider getting in touch with your email service or hosting provider.

What Are The Benefits Of Using DKIM?

DKIM enhances email security by verifying the authenticity of the sender and ensuring email integrity. It helps protect against phishing and spoofing attacks, improves deliverability, and safeguards your domain's reputation.

Where Do I Find My DKIM Public Key?

Your DKIM public key is stored in a DKIM record published in your domain's DNS settings. Look for a TXT record named <selector>._domainkey.yourdomain.com.

How Do I Fix A Failed DKIM Record?

Address failed DKIM records by reviewing DNS entries for errors or mismatches in DKIM selectors or keys. Correct any discrepancies and update the DKIM record accordingly to ensure proper email authentication.

Do I Need A Separate DKIM Record For Each Subdomain?

Yes, it's recommended to have separate DKIM records for each subdomain. This practice maintains email security and allows distinct email sources within your domain to be authenticated individually.

Can I Use Smartlead DKIM Record Lookup Tool To Monitor My DKIM Health Over Time?

Yes, Smartlead’s DKIM record lookup tool can track DKIM configuration changes and verify DKIM records regularly. This helps ensure ongoing email authentication integrity and identifies any issues promptly.

What Are Some Common Mistakes People Make When Setting Up DKIM?

Common mistakes include incorrect DKIM record formatting, mismatched selectors or keys, incomplete DNS entries, and failing to update records after key rotation. Careful setup and regular monitoring mitigate these issues.

How To Lookup DKIM Records Manually?

Manually look up DKIM records by accessing your domain’s DNS settings through your DNS provider or hosting platform. Search for TXT records named <selector>._domainkey.yourdomain.com.

How To Check The DKIM Record In Your DNS?

Check your DKIM record by querying your domain’s DNS for a TXT record named <selector>._domainkey.yourdomain.com. Ensure it contains the correct DKIM public key and other necessary details.

How Many DKIM Records Can I Have?

There is no strict limit to the number of DKIM records you can have, but each should correspond to a unique selector and key pair. Use separate DKIM records for different email sources or subdomains within your organization for optimal security and authentication.