Look up DKIM public keys by selector, verify key sizes against RFC 8301, and check algorithm compliance.

DomainKeys Identified Mail (DKIM) is an email authentication protocol defined in RFC 6376. It allows a sending mail server to cryptographically sign outgoing messages using a private key. The corresponding public key is published in a DNS TXT record at <selector>._domainkey.<domain>. Receiving servers retrieve the public key, verify the signature, and confirm the message was not altered in transit.

RFC 8301 updated cryptographic requirements: RSA keys must be at least 1024 bits (2048 recommended), and the rsa-sha1 algorithm is prohibited. RFC 8463 added support for Ed25519-SHA256, which provides strong security with much smaller keys (256 bits).

Common issues include using the wrong selector, expired or rotated keys, keys shorter than 1024 bits, and leaving the t=y testing flag on in production. Each provider uses its own selector -- check the s= tag in the DKIM-Signature email header to find the correct one.

| Tag | Required | Description |
|---|---|---|
| v | Recommended | Version. Must be DKIM1 if present. |
| p | Yes | Base64-encoded public key. Empty value means revoked. |
| k | No | Key type: rsa (default) or ed25519. |
| h | No | Acceptable hash algorithms (e.g. sha256). |
| s | No | Service type: * (all, default) or email. |
| t | No | Flags: y = testing, s = strict alignment. |
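
The checks described above (tag parsing, the RFC 8301 key-size limits, the t=y flag) applied to the text of a key record, as an added Python example that is not this tool's own code. The function names and the sample record are assumptions made for illustration; the DNS lookup itself is left out, and the sample key is constructed DER with filler modulus bytes.

```python
import base64

def parse_tags(record):
    """Split a DKIM key record into {tag: value}; whitespace inside values is dropped."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(der):
    """Modulus size in bits; accepts SubjectPublicKeyInfo or a bare RSAPublicKey."""
    _, pos, _ = _tlv(der, 0)                  # outer SEQUENCE
    tag, start, end = _tlv(der, pos)          # AlgorithmIdentifier, or the modulus itself
    if tag == 0x30:
        _, bit_start, _ = _tlv(der, end)      # BIT STRING wrapping RSAPublicKey
        _, pos, _ = _tlv(der, bit_start + 1)  # skip the unused-bits byte
        _, start, end = _tlv(der, pos)        # INTEGER modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def audit(record):
    """Return findings for one key record, per the tag table and RFC 8301 limits."""
    tags, findings = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= is present but is not DKIM1")
    if not tags.get("p"):
        return findings + ["p= is empty or missing: key revoked or record invalid"]
    key, ktype = base64.b64decode(tags["p"]), tags.get("k", "rsa")
    if ktype == "rsa" and (bits := rsa_bits(key)) < 2048:
        level = "below the 1024-bit minimum" if bits < 1024 else "2048 recommended"
        findings.append(f"RSA key is {bits} bits: {level}")
    elif ktype == "ed25519" and len(key) != 32:  # RFC 8463: raw 32-byte public key
        findings.append("ed25519 key is not 32 bytes")
    if "h" in tags and "sha256" not in tags["h"].split(":"):
        findings.append("h= does not allow sha256")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag is set")
    return findings

# Constructed 512-bit sample: valid DER framing, filler modulus bytes, not a real key.
SAMPLE_DER = (bytes.fromhex("305c300d06092a864886f70d0101010500034b003048024100")
              + b"\xc3" * 64 + bytes.fromhex("0203010001"))
SAMPLE = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(SAMPLE_DER).decode()
```

Calling `audit(SAMPLE)` reports both the undersized key and the testing flag; a record that passes every check returns an empty list.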