Are they using DKIM?

It’s easy to tell if a domain is using SPF – look up the TXT record for the domain and see if any of them begin with “v=spf1”. If one does, they’re using SPF. If none do, they’re not. (If more than one does? They’re publishing invalid SPF.)

AOL are publishing SPF. Geocities aren’t.

For DKIM it’s harder, as a DKIM key isn’t published at a well-known place in DNS. Instead, each signed email includes a “selector” and you look up a record by combining that selector with the fixed string “._domainkey.” and the domain.

If you have DKIM-signed mail from them then you can find the selector (s=) in the DKIM-Signature header and look up the key. For example, Amazon are using a selector of “taugkdi5ljtmsua4uibbmo5mda3r2q3v”, so I can look up TXT records for ““, see that there’s a TXT record returned and know there’s a DKIM key.

That’s a particularly obscure selector, probably one they’re using to track DKIM lookups to the user the mail was sent to, but even if a company is using a selector like “jun2016” you’re unlikely to be able to guess it.

But there’s a detail in the DNS spec that says that if a hostname exists, meaning it’s in DNS, then all the hostnames “above” it in the DNS tree also exist (even if there are no DNS records for them). So if anything, exists in DNS, so does And, conversely, if doesn’t exist, no subdomain of it exists either.

What does it mean for a hostname to exist in DNS? That’s defined by the two most common responses you get to a DNS query.

One is “NOERROR” – it means that the hostname you asked about exists, even if there are no resource records returned for the particular record type you asked about.

The other is “NXDOMAIN” – it means that the hostname you asked about doesn’t exist, for any record type.

So if you look up you’ll see a “NOERROR” response, and know that AOL have published DKIM public keys and so are probably using DKIM.

(This is where Steve tries to find a domain that isn’t publishing DKIM keys … Ah! Al’s blog!)

If you look up you’ll see an “NXDOMAIN” response, so you know Al isn’t publishing any DKIM public keys, so isn’t sending any DKIM signed mail using that domain.

This isn’t 100% reliable, unfortunately. Some nameservers will (wrongly) return an NXDOMAIN even if there are subdomains, so you might sometimes get an NXDOMAIN even for a domain that is publishing DKIM. shrug

Sometimes you’ll see an actual TXT record in response – e.g. Yahoo or EBay – that’s detritus left over from the days of DomainKeys, a DomainKeys policy record, and it means nothing today.


  1. Denny Watson says

    Also wildcards… might exist, but don’t actually mean anything.

  2. steve says

    Derp. That’d be the “isn’t 100% reliable”. ¯\_(ツ)_/¯


Your email address will not be published. Required fields are marked *