Is it possible to find a list of all DKIM keys for a domain?

Solution 1

No, it's not possible to query this directly, as there's no such thing as wildcard DNS queries. As you are checking for the best practices, this isn't necessarily a problem.

Current best practice is to have all SPF + DKIM + DMARC. By checking DMARC you can indirectly deduce something about DKIM, too. If the administrator has set up DMARC, he's probably also aware of DKIM.

There are two available methods for getting complete zones, but if you succeed with either of these, you can already tell that the domain is not following best practices in its DNS setup:

  • Zone transfers should not be available to anyone. This would give you results, if it is:

        dig axfr example.com @ns1.example.com | grep "_domainkey"

  • DNSSEC Hashed Authenticated Denial of Existence introduced NSEC3 / NSEC3PARAM to address Zone Walking (RFC 5155). ldns-walk would give results if NSEC is still in use:

        ldns-walk example.com | grep "_domainkey"

I don't know the purpose of this validation, but all the cases I could imagine are covered:

  • If it's for incoming mail, you'd already have the email with or without the DKIM signatures, and the DMARC would tell you whether there should be one, if there isn't. Having the mail with the signatures is also the only way to be sure that DKIM is correctly implemented.

  • If it's about validating your customers' practices before moving forward, the validation form could ask for the selector(s). Again, automating the service by checking actual mail would be easier both for you and your client.

Solution 2

to make sure that a domain has at least one DKIM set up (to ensure that the administrator of that domain has done their due diligence)

If you want to do real due diligence, ask that administrator to send you an email message from that domain, because the presence of a DKIM DNS record alone does not mean that DKIM is actually implemented correctly on their mail servers.

That will give you the selector and a lot of other things you need for a proper check of their setup.
There are many other settings needed for reliable e-mail delivery; please see this canonical Q&A and the linked ones for examples of such things as DMARC, SPF, reverse DNS records, blacklists etc.

Solution 3

Most nameservers don't allow zone transfers to just anyone, meaning that if you're not whitelisted, you can't list the records of a zone. In some rare cases you can use zone walking if DNSSEC is used along with NSEC, but this is unlikely.

Other than guessing selectors, you don't really have an option other than checking DMARC for DKIM alignment, which may give a likely indication of DKIM being set up too, but this is inconclusive if DMARC wasn't set up either.
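The checks the three answers describe, as an added Python example that is not part of any answer on this page: it reads a DMARC record to see what it implies about DKIM (including that DMARC alone never guarantees DKIM, the point Gerrit's comment makes), reads the selector out of a real message's DKIM-Signature header, and fetches and classifies that selector's key. DNS is replaced by a constructed in-memory zone with placeholder key material so the script runs offline; `lookup_txt`, the record contents, the selector names and the domains are all assumptions, and the relaxed-alignment check is a simplification that skips the Public Suffix List.

```python
"""Added example: what a DMARC lookup does and does not tell you about DKIM,
plus the check the answers recommend instead (read the selector out of a real
message's DKIM-Signature header, then fetch that one key).

DNS is replaced by a constructed in-memory zone so this runs offline; swap
`lookup_txt` for a real TXT resolver to use it against live domains."""
from typing import Dict, Optional

# Constructed sample records; the key material is a placeholder, not a real key.
SAMPLE_ZONE: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "sel2023._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA_PLACEHOLDER",
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",  # empty p= means the key is revoked
    "_dmarc.example.net": "v=DMARC1; p=none",             # DMARC published, no DKIM key at all
}

# Constructed DKIM-Signature header value as it would appear in a received message.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2023; "
    "h=from:to:subject:date; bh=FAKEBODYHASH=; b=FAKESIG=="
)


def lookup_txt(name: str, zone: Dict[str, str] = SAMPLE_ZONE) -> Optional[str]:
    """Stand-in for a DNS TXT query; None models NXDOMAIN / no TXT record."""
    return zone.get(name.rstrip(".").lower())


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' list, the syntax shared by DKIM key
    records, DMARC records and DKIM-Signature headers."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_assessment(domain: str, zone: Dict[str, str] = SAMPLE_ZONE) -> Dict[str, object]:
    """What _dmarc.<domain> tells you. The last field is always False: DMARC
    never obliges a sender to DKIM-sign; an aligned SPF pass alone satisfies it."""
    absent = {"published": False, "policy": None, "adkim": None, "dkim_guaranteed": False}
    record = lookup_txt(f"_dmarc.{domain}", zone)
    if record is None:
        return absent
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return absent
    return {
        "published": True,
        "policy": tags.get("p"),
        "adkim": tags.get("adkim", "r"),  # alignment mode defaults to relaxed
        "dkim_guaranteed": False,
    }


def dkim_key_status(domain: str, selector: str, zone: Dict[str, str] = SAMPLE_ZONE) -> str:
    """Fetch <selector>._domainkey.<domain> and classify it. The selector must be
    known up front; there is no wildcard query that would list them."""
    record = lookup_txt(f"{selector}._domainkey.{domain}", zone)
    if record is None:
        return "absent"
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional, defaults to DKIM1
        return "invalid"
    if not tags.get("p"):
        return "revoked"
    return "published"


def selector_from_signature(dkim_signature_header: str) -> Dict[str, str]:
    """Pull the signing domain (d=) and selector (s=) out of a DKIM-Signature
    header; this is how a verifier learns which key to fetch."""
    tags = parse_tags(dkim_signature_header)
    return {"domain": tags["d"], "selector": tags["s"]}


def dkim_identifier_aligned(from_domain: str, signing_domain: str, mode: str) -> bool:
    """DMARC DKIM alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts the same organizational domain. Simplified here to "equal or one is
    a subdomain of the other"; real relaxed alignment uses the Public Suffix List."""
    a, b = from_domain.lower(), signing_domain.lower()
    if mode == "s":
        return a == b
    return a == b or a.endswith("." + b) or b.endswith("." + a)


if __name__ == "__main__":
    print(dmarc_assessment("example.com"))
    sig = selector_from_signature(SAMPLE_DKIM_SIGNATURE)
    print(sig, dkim_key_status(sig["domain"], sig["selector"]))
    print(dkim_key_status("example.com", "old"))
    print(dkim_key_status("example.net", "default"))
```

Run as-is to see the offline walk-through; to point it at real domains, replace `lookup_txt` with a TXT query (for instance via dnspython) and keep the rest unchanged. The `example.net` case shows the inconclusive situation Solution 3 describes: a DMARC record exists, yet no guessed selector turns up a key, and nothing in DNS can settle the question without a signed message in hand.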


Updated on September 18, 2022

Comments

  • Qqwy, almost 2 years

    A DKIM record is identified by its selector, which might be default, dkim or something else altogether (and there might be multiple).

    When making sure that an e-mail's content is valid, the DKIM selector that is mentioned in the e-mail can be used to look up {selectorname}._domainkey.{hostname} (e.g: google._domainkey.protodave.com).

    However, when just wanting to make sure that a domain has at least one DKIM set up (to ensure that the administrator of that domain has done their due diligence), we do not yet have a selector.

    How can we query the DNS without this selector? Is it even possible?

  • Gerrit, about 6 years

    Actually, even with strict DMARC alignment for DKIM, there still is no obligation to use DKIM keys at all; an SPF pass would be sufficient. It only means that if DKIM is used, then the "d" parameter must match exactly.