DKIM Validator

Validate DKIM syntax before publishing - fix errors in seconds

How do you fix DKIM syntax errors? Paste your DKIM record below and validate its syntax instantly. Detect missing tags, truncated keys, and format errors before they break your email authentication.

Instant validation

Paste your DKIM value and get a complete diagnosis in less than a second. No waiting, no DNS queries.

Error detection

Identify missing tags, truncated keys, residual quotes, and incorrect separators before publication.

Comprehensive analysis

Verification of mandatory tags (v, k, p), base64 format, RSA key length, and separator syntax.

Key verification

Detects RSA keys that are too short (less than 2048 bits) and supports Ed25519 keys for enhanced security.

Local analysis

No data sent to a server. Analysis runs entirely in your browser for complete privacy.

Why validate DKIM syntax before publishing?

You've just generated a new DKIM key pair or copied a record from your email provider. Validate it before you publish it to your DNS zone: a single syntax error (missing tag, truncated key, misplaced quotes) can break everything.

The DKIM syntax checker analyzes your value locally - without DNS queries - to detect these issues before they impact your deliverability.

Three main use cases:

  • New DKIM setup: Validate the public key generated by your server or ESP before adding it to DNS
  • Provider migration: Verify that the copied value is complete and correctly formatted
  • Key rotation: Ensure the new selector is ready before replacing the old one

How to use the checker in 3 steps

Step 1: Get the DKIM value

Copy the DKIM record value from:

  • Your mail server (Postfix, Exchange, etc.)
  • Your ESP (Google Workspace, Microsoft 365, Mailchimp, SendGrid...)
  • An online DKIM key generator

Expected format:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

Step 2: Paste into the checker

Paste the complete value in the field above. The tool instantly analyzes:

  • ✅ Presence of mandatory tags (v, k, p)
  • ✅ Public key format (valid base64)
  • ✅ Separator and value syntax
  • ✅ Key length and type (RSA 2048+ bits recommended)

Step 3: Fix and publish

The report indicates:

  • Errors (red): Record is unusable - fix before publishing
  • Warnings (orange): Technically valid but risky - evaluate
  • Success (green): Ready to publish to your DNS zone

What is a DKIM record?

A DKIM record (DomainKeys Identified Mail) is a TXT record published in your DNS zone. It contains the public key that allows receiving servers to verify the cryptographic signature of your emails.

DKIM record anatomy:

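| Tag | Required | Description | Example |
| --- | --- | --- | --- |
| v | Yes | Protocol version | v=DKIM1 |
| k | Yes | Key type | k=rsa or k=ed25519 |
| p | Yes | Base64 public key | p=MIIBIjAN... |
| h | No | Hash algorithms | h=sha256 |
| t | No | Flags (test, strict) | t=y or t=s |
| s | No | Authorized services | s=email |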

Complete example:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5oI...

Common syntax errors

The checker automatically detects these common issues:

1. Truncated public key

Symptom: Error invalid_p_base64 or public_key_parse_error

Cause: The key was cut during copy-paste (character limit, line break mishandling).

Solution: Retrieve the complete key from the source. A 2048-bit RSA key is approximately 400 base64 characters.

2. Residual quotes

Symptom: Error record_trailing_quote or invalid_tag_syntax

Cause: The copied value contains quotes (") or typographic quotes (“ ”).

Solution: Remove all quotes before pasting the value.

3. Missing version tag

Symptom: Error missing_version_tag

Cause: The record doesn't start with v=DKIM1.

Solution: Add v=DKIM1; at the beginning of the record.

4. RSA key too short

Symptom: Warning weak_key_length

Cause: RSA key shorter than 2048 bits (often 1024 bits).

Solution: Generate a new key pair with at least 2048 bits.

5. Incorrect separators

Symptom: Error invalid_tag_syntax

Cause: Multiple semicolons (;;), misplaced spaces, or special characters.

Solution: Use a single ; between each tag, without space before the separator.
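
The checks from the record anatomy and the five error cases above, sketched in Python as an added example (not the checker's own code). The issue codes are the ones named on this page, but the exact condition behind each code is an assumption, and the `missing_tag_k` / `missing_tag_p` codes are hypothetical.

```python
import base64

def _tlv(buf, pos, want):
    """Read one DER element of type `want` at pos; return (value_start, value_end)."""
    if buf[pos] != want:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of data (truncated key)")
    return pos, pos + length

def rsa_modulus_bits(spki):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo blob (the decoded p= value)."""
    seq, _ = _tlv(spki, 0, 0x30)          # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _tlv(spki, seq, 0x30)    # AlgorithmIdentifier, skipped
    bits, _ = _tlv(spki, alg_end, 0x03)   # BIT STRING wrapping the key
    rsa, _ = _tlv(spki, bits + 1, 0x30)   # +1 skips the unused-bits octet
    mod, mod_end = _tlv(spki, rsa, 0x02)  # INTEGER modulus
    return int.from_bytes(spki[mod:mod_end], "big").bit_length()

def check_dkim(value):
    """Return issue codes for a pasted DKIM value; an empty list means no issue found."""
    cleaned = value.translate({ord(c): None for c in '"\u201c\u201d'})
    issues = ["record_trailing_quote"] if cleaned != value else []
    parts = [p.strip() for p in cleaned.strip().removesuffix(";").split(";")]
    if any("=" not in p for p in parts):  # empty tag from ';;' or a tag without '='
        issues.append("invalid_tag_syntax")
    tags = {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in parts if "=" in p)}
    if "".join(parts[0].split()) != "v=DKIM1":
        issues.append("missing_version_tag")
    issues += [f"missing_tag_{t}" for t in ("k", "p") if t not in tags]  # hypothetical codes
    if "p" not in tags:
        return issues
    try:                                  # DNS tools may split p= with whitespace
        key = base64.b64decode("".join(tags["p"].split()), validate=True)
    except ValueError:                    # binascii.Error subclasses ValueError
        return issues + ["invalid_p_base64"]
    if tags.get("k") == "ed25519":        # Ed25519 p= is the raw 32-byte key
        return issues + ([] if len(key) == 32 else ["public_key_parse_error"])
    try:
        if rsa_modulus_bits(key) < 2048:
            issues.append("weak_key_length")
    except (ValueError, IndexError):
        issues.append("public_key_parse_error")
    return issues
```

A key cut at a length that is not a multiple of four base64 characters fails as `invalid_p_base64`; one cut on a four-character boundary still decodes and is only caught by the DER length check, which is why truncation can surface under either code.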


Difference between syntax check and DNS inspection

| Aspect | Syntax Checker | Record Inspector |
| --- | --- | --- |
| Method | Local value analysis | Real DNS query |
| When to use | Before publishing | After publishing |
| What it checks | Format, tags, structure | Propagation, resolution, DMARC alignment |
| Input | Copied DKIM value | Domain + selector |

Recommended workflow:

  1. Syntax: Validate the value with this checker
  2. Publish: Add the TXT record to your DNS zone
  3. Inspect: Use the DKIM Inspector to confirm propagation

DKIM best practices

Key generation

  • Use RSA 2048 bits minimum (4096 bits for maximum security)
  • Ed25519 is emerging but remains poorly supported by receivers
  • Store the private key securely (never in DNS!)

Selector naming

  • Choose a short and unique name: google, mailchimp, s1, 2024
  • The full DNS record name will be: selector._domainkey.captaindns.com
  • Use different names per provider to facilitate rotations

TTL

  • 300-600 seconds during deployment (fast propagation)
  • 3600-86400 seconds once stable (fewer DNS queries)
  • Short TTL facilitates emergency revocations

Regular rotation

  • Plan to rotate keys at least once a year
  • Document the owner and last rotation date
  • Keep the old selector for a few days after rotation

FAQ - Frequently asked questions

Q: What's the difference between this checker and the DKIM inspector?

A: The syntax checker analyzes a value you paste to detect format errors before publishing. The record inspector performs a real DNS query to verify a record already published. Use syntax first, inspector second.


Q: Why is my key marked as "too short"?

A: RSA keys shorter than 2048 bits are considered weak. Gmail and other providers may reject signatures with 1024-bit keys. Generate a new key pair with at least 2048 bits.


Q: Should I include quotes in the value?

A: No. Quotes are sometimes added by DNS management interfaces to delimit long strings, but they are not part of the DKIM value itself. Remove them before validating.


Q: My ESP says DKIM is configured, but syntax fails here. Why?

A: ESPs often validate their internal configuration, not necessarily what you copied. Verify that you copied the complete value, without truncation and without enclosing quotes.


Q: Is Ed25519 supported?

A: Yes, the checker recognizes Ed25519 keys (k=ed25519). However, receiver-side support remains limited. RSA 2048 bits remains the most compatible choice.


Q: How do I know which selector to use?

A: The selector is chosen when configuring DKIM on your server or ESP. Check your provider's documentation. Common selectors include: google, selector1, selector2, s1, default, mail.


Complementary tools

| Tool | Purpose |
| --- | --- |
| DKIM Inspector | Verify a DKIM record already published in DNS |
| SPF Inspector | Validate your SPF record |
| DMARC Inspector | Configure and test your DMARC policy |
| Email Header Analyzer | Diagnose authentication failures on received emails |
