DKIM Check
developer/v1/security/dkimDiscovers and validates DKIM (DomainKeys Identified Mail, RFC 6376) records by probing 30+ common selectors including Google Workspace, Microsoft 365, Amazon SES, SendGrid, Mailchimp, Postmark, Fastmail, Salesforce, Mimecast, Proofpoint, and more. Analyzes key algorithm (RSA/Ed25519 per RFC 8463), key length (RFC 8301 mandates 1024-bit minimum, 2048-bit recommended), detects revoked keys (empty p= tag), and identifies dual-signing setups. Supports custom selector input for targeted verification.
What It Does
Tests 30+ common DKIM selectors (google, default, selector1, selector2, k1, s1, s2, mail, dkim, zoho, fm1, fm2, fm3, mimecast, proofpoint, mandrill, ses, smtpapi, sf1, sf2, hs1, hs2, pm, etc.) by querying <selector>._domainkey.<domain> TXT records. For each discovered key, validates the DKIM record format (v=DKIM1), identifies the key algorithm (k=rsa or k=ed25519 per RFC 8463), estimates key length (RSA key lengths are estimated from base64-encoded public key size; Ed25519 keys are always exactly 256 bits), parses hash algorithms (h= tag), service type (s= tag), and testing flags (t=y), detects revoked keys (empty p= tag indicating key rotation), warns about multiple DKIM records at the same selector, and identifies dual-signing setups. Returns a security score (0-100) with recommendations for key strength, rotation practices, and migration to Ed25519.
Why It's Useful
DKIM provides cryptographic proof that an email hasn't been modified in transit (RFC 6376). It's required for DMARC alignment and directly impacts email deliverability. RSA 1024-bit keys are now considered weak per RFC 8301 — 2048-bit RSA is the industry standard minimum, with Ed25519 (RFC 8463) as the recommended next-generation algorithm. Google, Yahoo, and Microsoft mandate DKIM signing for bulk senders (5,000+ emails/day) as of 2024-2025. Selector discovery also reveals which email services a domain uses — valuable for security assessments and competitive intelligence.
Use Cases
Email Authentication Setup Verification
After configuring DKIM for a new email service (Microsoft 365, Google Workspace, SendGrid), verify the DNS record is published and properly formatted.
Confirm DKIM is correctly configured before sending production email.
Key Rotation Verification
During DKIM key rotation, verify both old and new keys are published before switching. Confirm old keys are revoked after rotation.
Ensure seamless key rotation without email delivery disruption.
Email Infrastructure Discovery
Discover which email services a domain uses by finding their DKIM selectors (e.g., "google" for Gmail, "selector1" for Microsoft 365, "k1" for Mailchimp).
Map email infrastructure for security assessments or competitive analysis.
Key Strength Assessment
Verify DKIM key lengths meet minimum requirements (RSA 2048-bit recommended by M3AAWG) and identify any legacy 1024-bit keys that need upgrading.
Ensure cryptographic key strength meets current security standards.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | The domain to check DKIM records forExample: google.com |
selectors | string | Optional | Comma-separated list of custom DKIM selectors to check in addition to common selectors.Example: google,selector1,myapp |
Response Fields
| Field | Type | Description |
|---|---|---|
domain | string | The queried domain |
dkim.found | boolean | Whether any DKIM records were found |
dkim.selectors_checked | array | All selectors that were probed |
dkim.found_selectors | array | Discovered DKIM records with selector, record, key_type (rsa/ed25519), and key_length |
score | number | Security score 0–100 based on key strength and configuration |
grade | string | Letter grade A–F |
recommendations | array | Key strength and configuration recommendations |
Code Examples
curl "https://api.edgedns.dev/v1/security/dkim" \
-H "Authorization: Bearer YOUR_API_KEY" \
-d "domain=google.com"const response = await fetch(
'https://api.edgedns.dev/v1/security/dkim?domain=google.com',
{
headers: {
'Authorization': 'Bearer YOUR_API_KEY'
}
}
);
const data = await response.json();
console.log(data);import requests
response = requests.get(
'https://api.edgedns.dev/v1/security/dkim',
headers={'Authorization': 'Bearer YOUR_API_KEY'},
params={
'domain': 'google.com'
}
)
data = response.json()
print(data)Read the full DKIM Check guide
Why it matters, real-world use cases, parameters, response fields, and how to call it from Claude, ChatGPT, or Gemini via MCP.
Read the guide →Related Endpoints
External References
Learn more about the standards and protocols behind this endpoint.