DKIM (DomainKeys Identified Mail)
Summary
DKIM adds a cryptographic signature to outgoing emails so that receivers can verify the signed headers and body were not modified in transit. The signature is verified using a public key published in DNS. DKIM provides email integrity and non-repudiation.
What Is DKIM (DomainKeys Identified Mail)?
DKIM (DomainKeys Identified Mail) is defined in RFC 6376. It uses public-key cryptography to sign email headers and body, preventing message tampering. The sending server signs outgoing emails with a private key. The receiving server verifies the signature using the public key published in DNS at selector._domainkey.yourdomain.com.
Why DKIM (DomainKeys Identified Mail) Matters for Email & DNS Security
DKIM proves email authenticity and integrity. Without DKIM, messages can be modified by intermediate servers, malicious actors can inject content, and DMARC is left relying on SPF alone, since DMARC enforcement applies only when both SPF and DKIM fail alignment. According to IntoDNS analysis, DKIM survives email forwarding better than SPF in 89% of forwarding scenarios, making it critical for reliable authentication.
How DKIM (DomainKeys Identified Mail) Works (Technical)
- 1. Sending server generates the DKIM signature using its private key
- 2. Signature covers selected headers (From, To, Subject, Date) and a hash of the body
- 3. DKIM-Signature header is added to the email, carrying the selector and domain
- 4. Receiving server extracts the selector and domain from the signature
- 5. Queries DNS: selector._domainkey.domain.com
- 6. Retrieves the public key from the DNS TXT record
- 7. Verifies the signature against the email content
- 8. Result: pass or fail
Common Misconfigurations
❌ Weak key length (512-bit or 1024-bit)
Consequence: Vulnerable to cryptographic attacks, may be rejected
How IntoDNS detects this: IntoDNS checks key length, recommends 2048-bit minimum
❌ Incorrect selector
Consequence: DNS lookup fails, DKIM validation fails
How IntoDNS detects this: IntoDNS tests common selectors (default, google, mail, dkim) and reports failures
❌ Missing DNS record
Consequence: DKIM check returns "none", DMARC alignment impossible
How IntoDNS detects this: IntoDNS queries DNS and provides setup instructions if missing
How IntoDNS.ai Detects & Scores This
IntoDNS validates DKIM through selector discovery (tests common selectors), public key retrieval from DNS, key length verification (≥2048-bit), syntax validation, and body hash algorithm checks. DKIM accounts for 15% of the email security score.
How To Fix DKIM (DomainKeys Identified Mail) Issues
- 1. Generate a DKIM key pair (2048-bit RSA minimum)
- 2. Configure your mail server with the private key
- 3. Choose a selector name (e.g., "default" or the current month)
- 4. Publish the public key as a TXT record: selector._domainkey.yourdomain.com
- 5. TXT value format: v=DKIM1; k=rsa; p={base64-public-key}
- 6. Send a test email and verify the DKIM-Signature header
- 7. Use IntoDNS to validate that the public key is accessible
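As an added example (not IntoDNS's own code), the Python below applies the record checks described above to a DKIM TXT record in the v=DKIM1; k=rsa; p=... format, and derives the selector._domainkey.domain query name from a DKIM-Signature header. The DER helpers, the two sample keys (2048-bit and 1024-bit moduli) and the sample signature header are constructed for illustration and are not real keys.

```python
import base64, re

def _der(tag, body):
    """Minimal DER TLV encoder (short and long length forms)."""
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b if b[0] < 0x80 else b"\x00" + b)

def _tlv(buf, pos=0):
    """Read one DER element at pos; returns (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                 # long form: ln & 0x7F length bytes follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo for an RSA key: the DER that a DKIM p= tag carries in base64."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, _der_int(n) + _der_int(e))))

def rsa_modulus_bits(p_b64):
    """Bit length of the RSA modulus inside a DKIM p= value (the key-length check)."""
    _, spki, _ = _tlv(base64.b64decode(p_b64))   # outer SEQUENCE
    _, _, pos = _tlv(spki)                       # skip AlgorithmIdentifier
    _, bitstr, _ = _tlv(spki, pos)               # BIT STRING wrapping RSAPublicKey
    _, rsakey, _ = _tlv(bitstr[1:])              # skip the unused-bits byte
    _, n_bytes, _ = _tlv(rsakey)                 # first INTEGER is the modulus
    return int.from_bytes(n_bytes, "big").bit_length()

def parse_tag_list(text):
    """RFC 6376 tag=value list, the syntax of both DKIM-Signature and the DNS TXT record."""
    return {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (t.split("=", 1) for t in text.split(";") if "=" in t)}

def dkim_dns_name(signature_header):
    """selector._domainkey.domain, as the receiving server derives it from the s= and d= tags."""
    tags = parse_tag_list(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_dkim_txt(txt, min_bits=2048):
    """Return None if the DKIM TXT record passes, else a description of the problem."""
    tags = parse_tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional, but must be DKIM1 if present
        return "v= must be DKIM1"
    if tags.get("k", "rsa") != "rsa":          # this checker only sizes RSA keys
        return "unsupported key type " + tags["k"]
    if not tags.get("p"):                      # absent or empty p= means no usable key
        return "missing or empty p= (no key published)"
    bits = rsa_modulus_bits(tags["p"])
    return None if bits >= min_bits else f"weak key: {bits}-bit modulus, {min_bits}-bit minimum"

# Constructed sample inputs (not real keys): 2048-bit and 1024-bit moduli, and a signature header.
STRONG_P = base64.b64encode(rsa_spki_der((1 << 2047) | 1, 65537)).decode()
WEAK_P = base64.b64encode(rsa_spki_der((1 << 1023) | 1, 65537)).decode()
SAMPLE_SIGNATURE = "v=1; a=rsa-sha256; d=example.com; s=default; h=from:to:subject:date; bh=...; b=..."
```

To check a live record, fetch the TXT value at the name returned by dkim_dns_name() and pass it to check_dkim_txt(); whitespace from TXT string splitting is removed by parse_tag_list().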
References
Source: IntoDNS.ai – DNS & email security diagnostics
Last updated: 2026-01-14
Category: email