Domain.Posture

dkim lookup

probe common DKIM selectors for a domain and surface the public-key TXT record. part of the domainposture.com domain dossier.

resolving…

Overview

dkim (RFC 6376) signs outgoing mail with a per-sender private key; receivers verify by fetching the matching public key at `<selector>._domainkey.<domain>`. unlike spf or dmarc, dkim has no canonical record location — each sender picks its own `selector` label, and the selector in use is announced per-message via the `DKIM-Signature: s=...` header tag. there is no public-dns api to enumerate a domain's selectors, so this tool probes a fixed list of common defaults in parallel: `default`, `google` (google workspace / gmail), `k1` (mailchimp / mandrill), `selector1` and `selector2` (microsoft 365 rotate between them), and `mxvault` (mxroute). each probe is a TXT doh lookup; a selector is reported as `found` if the record starts with `v=DKIM1` or with a bare `p=` (RFC 8301 minimum marker). supply `selectors=[...]` to the `dossier_dkim` MCP tool to override the defaults.

How to use

  1. enter a bare domainpublic fqdn only. no schemes, ports, paths.
  2. run the checksix TXT doh queries fire in parallel, one per default selector at `<selector>._domainkey.<domain>`.
  3. read the selector tableeach probed selector appears as a row: `found` with the record, or `not_found` with a dash. a domain typically publishes one or two selectors.
  4. find an unlisted selectorinspect a recently received email from the domain. the `DKIM-Signature:` header contains a `s=...` tag naming the selector actually in use — pass it via the MCP tool's `selectors` argument.

Examples

example 1 — google workspace publishes a single `google` selector at the apex.
input
gmail.com
output
google - v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG... - other probed selectors not_found
example 2 — mailchimp signs with the `k1` selector across every customer domain.
input
mailchimp.com
output
k1 - v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN... - other probed selectors not_found

Common mistakes

  • no public-dns enumeration dns cannot list a domain's selectors. this tool probes a fixed common set — if a sender uses a bespoke selector (e.g. `20230601`, `s1024`, `smtpapi`), the default probe will report `not_found` for every slot even though dkim is fully configured. always cross-check against a real message's `DKIM-Signature: s=` tag before concluding dkim is missing.
  • key rotation leaves old selectors behind senders rotate keys by publishing a new selector and cutting traffic over. the old selector's TXT record often lingers for months so in-flight mail can still verify. seeing two selectors `found` usually means a rotation is in progress, not a misconfiguration.
  • selectors frequently point at CNAMEs a domain delegating mail to a provider (google workspace, sendgrid, mailchimp) typically publishes the `<selector>._domainkey` label as a CNAME into the provider's zone, not a direct TXT. doh resolvers follow the CNAME transparently, so this tool just sees the final TXT — but the control of the key lives with the provider, not the domain owner.

FAQ

why these six selectors?

they cover the largest mail platforms by volume: `default` (generic fallback), `google` (google workspace / gmail), `k1` (mailchimp / mandrill), `selector1` + `selector2` (microsoft 365, which rotates between the two), and `mxvault` (mxroute). a domain that uses any other sender will likely come back all-`not_found` — that's expected.

can i supply a selector?

yes. the `dossier_dkim` MCP tool accepts `selectors=[...]`. pass the exact selector name you want to probe and only those labels are queried. the web ui probes the default set; use the mcp endpoint for custom probes.

what does `found` actually require?

a TXT record at `<selector>._domainkey.<domain>` whose value starts with `v=DKIM1` or contains a `p=` tag (the public-key marker). RFC 8301 permits omitting `v=DKIM1` on records that only carry the key, so we accept a bare `p=` prefix as well.

what does `not_found` mean — no record, or no dkim?

only that this specific selector has no TXT at the expected label. absence across all six common selectors is not proof dkim is missing — see the first gotcha about bespoke selector names.

why is this slower than spf/dmarc?

it fires six doh queries instead of one. they run in parallel under a single 5-second abort controller, so the wall-clock cost is close to a single query when the resolver is responsive.

what is dkim?

dkim (domainkeys identified mail) adds a cryptographic signature to outgoing email. the sender signs each message with a private key; receivers fetch the matching public key from `<selector>._domainkey.<domain>` in dns and verify it, proving the message wasn't altered and really came from the domain. it is one of the two checks dmarc relies on.

how do i check a domain's dkim record?

dkim has no fixed location — each sender picks its own selector label — so this tool probes common defaults (`google`, `selector1`, `selector2`, `k1`, `default`, `mxvault`) in parallel. to find a selector it misses, read the `s=` tag in a real message's `DKIM-Signature:` header and query that directly.

How do I fix a DKIM alignment failure?

DKIM can pass while DMARC still fails when the signing domain (the d value in the signature) does not match your From domain. fix it by signing with a key on your own domain, most ESPs offer branded or aligned DKIM where you publish CNAMEs they provide so the d value becomes your domain. relaxed alignment also accepts a subdomain of your domain.

DKIM 1024-bit vs 2048-bit: which key length should I use?

use 2048-bit. it is the modern standard and many providers now distrust 1024-bit as too weak. the only historical reason to pick 1024 was the DNS TXT size limit, which you solve by splitting the key into multiple quoted strings in one record rather than weakening the key.

What does 'DKIM selector not found' or 'no DKIM record found' mean?

the verifier looked up selector._domainkey.yourdomain (the selector comes from the s tag in the message's DKIM-Signature) and found no TXT record there. causes: the public key was never published, it sits at the wrong selector name, or DNS has not propagated. publish the exact selector your mail platform signs with.

how do i find my dkim selector?

dns cannot list a domain's selectors, so the reliable way is to open a real email you sent and read the DKIM-Signature header: the s tag names the selector in use and the d tag names the signing domain. then query that selector._domainkey.yourdomain in dns. your mail platform's setup docs also state which selector it signs with.

can one domain publish multiple dkim keys at once?

yes, and it is common. each key lives at its own selector._domainkey label, so a domain can run several at once, one per sending platform plus an old and a new selector during key rotation. each outgoing message names the selector it was signed with via the s tag, so receivers always fetch the matching key.

Related tools

  • dns lookup resolve A, AAAA, MX, TXT, NS, or CNAME records via Cloudflare DoH.
  • dns records lookup resolve A, AAAA, NS, SOA, CAA, and TXT records for a domain in one go.
  • spf checker find and parse a domain's SPF (sender policy framework) record.
  • dmarc checker find and parse a domain's DMARC policy record at _dmarc.<domain>.

References

  1. RFC 6376 — DKIM Signatures
  2. RFC 8301 — DKIM Cryptographic Algorithms
ad slot · tool-dkim-lookup