Try for free!
We’re hiring! | Login
DMARC knowledge center
Questions about DMARC? Search our docs

Categories

Popular

Recent Posts

DNS, Email authentication

How to validate a DKIM record

Time needed: 2 minutes.

How to validate a DKIM record? Setting up the correct DKIM record is an essential part of your technical settings. This page explains how to check and validate your DKIM record correctly. You can check/validate your DKIM record by using our DKIM record Checker.

  1. Enter ‘Google’ as the Selector

    As an example, we’re using a generated domain key from Google Apps.

    Validate your dkim add selector

  2. Enter your domain name

    Make sure you only fill in the domain name without the subdomain and sub pages. Example: domain.com (and not: https://www.domain.com/page/).

    validate your dkim add domain

  3. The DKIM record is correctly configured when the DKIM Checker shows ‘This is a valid DKIM key record’.

    After entering the ‘selector’ combined with the associated ‘domain’, the DKIM validation tool will show a full list of all the DKIM results of the specified domain.

    Validated DKIM record

  4. If the selector is not valid

    Please troubleshoot the implementation by following the instructions below.The DKIM record is not valid

validate your DKIM record using the DKIM Record Checker

 

Troubleshoot the DKIM record implementation

If the selector is not valid, please check with your hosting provider if the records are entered correctly in your Domain Name Server (DNS).

Using the command-line tool dig in OSX and Linux, you can debug some more to try and figure out what the problem is.

First, we want to make sure the problem is not related to the cache. E.g. when you tried the check before adding or changing the TXT record, the response from your DNS server might have been cached and it could take a couple of hours for the server to display the correct response.

To bypass any cache you can ask your name server directly what records it has.

Use the following command to find out what your nameservers are: dig yourdomain.com NS

[root@server ~]# dig yourdomain.com NS

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> yourdomain.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32320
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yourdomeain.com.			IN	NS

;; ANSWER SECTION:
yourdomain.com.		300	IN	NS	ns1.yourdomain.com.
yourdomain.com.		300	IN	NS	ns2.yourdomain.com.
yourdomain.com.		300	IN	NS	ns3.yourdomain.com.

;; Query time: 31 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Nov 26 16:09:52 2012
;; MSG SIZE  rcvd: 87

The lines in your ANSWER SECTION (highlighted above) are your nameservers.

Now ask a nameserver what records it has available using the command: dig google._domainkey.yourdomain.com TXT @ns1.yourdomain.com

[root@server ~]# dig google._domainkey.yourdomain.com TXT @ns1.yourdomain.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> google._domainkey.yourdomain.com TXT @ns1.yourdomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23736
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google._domainkey.yourdomain.com.	IN	TXT

;; ANSWER SECTION:
google._domainkey.yourdomain.com. 300 IN	TXT	"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxLaG16G4SaEcXVdiIxTg7gKSGbHKQLm30CHib1h9FzS9nkcyvQSyQj1rMFyqC//tft3ohx3nvJl+bGCWxdtLYDSmir9PW54e5CTdxEh8MWRkBO3StF6QG/tAh3aTGDmkqhIJGLb87iHvpmVKqURmEUzJPv5KPJfWLofADI+q9lQIDAQAB"

;; Query time: 1 msec
;; SERVER: 83.96.177.4#53(83.96.177.4)
;; WHEN: Mon Nov 26 16:52:44 2012
;; MSG SIZE  rcvd: 284

You should see your TXT records here. Common mistakes/problems are:

  • It takes some time to save the changes in GUI to the nameserver
    (e.g. In the GUI everything is correct but NS does not return anything/correct values)
  • It takes some time to sync all nameservers with each other.
    (e.g. ns1 returns correct values, but ns2 and/or ns3 does not)
  • Accidentally copied spaces
  • Characters are escaped with an additional \
  • Quotation marks inside the response value
  • Value length is not long enough in the GUI (at least 225 characters)
  • Typos

 
Click here to open the DKIM record Checker.

all information about Domain Keys Identified Mail (DKIM)
read more about DKIM signatures
validate your DKIM record using the DKIM Record Checker