
Mail Tester
DKIM Signatures and Alignment


DKIM, or DomainKeys Identified Mail, is a mechanism that email service providers use to protect sent emails against tampering or alteration. When you sign your emails with DKIM, you take the data from the various header fields that you define, produce a hash value, and sign it using your private key. The receiving mail server then takes those same fields, computes the same hash, and uses your public key, which you have stored in DNS, to check it against the signature; if they match, the email wasn't tampered with. The private key and public key form a key pair, so a signature made with one verifies against the other. If the email was altered, the hash won't match.

DKIM is complicated: you need to enable it on your mail server or install a plug-in to do the DKIM signing for you. It's so complicated that many vendors who write DKIM verification software make mistakes in how they validate signatures. Mail Tester uses 4 different independent DKIM validators to validate your DKIM record. If any one of them fails, it's marked as a critical error. If you don't have a DKIM signature, it's marked as a critical error. If your DKIM length is over 512 characters, it will be marked as a critical error.

When signing with DKIM you shouldn't use repeatable header fields; Mail Tester will flag this as a critical error. The From field is required as one of the headers used in signing. If it's not used, it will be flagged as a critical error. Your DKIM key size must be 1024 bits or greater; if it's not, it will be flagged as a critical error.
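The record and signature checks described above can be reproduced offline. The following is an added example, not Mail Tester's code: the key record is the one shown in the report on this page, the signature tag list is constructed, and the `REPEATABLE` set is an assumed sample of header fields that may occur more than once (the page does not give Mail Tester's list).

```python
import base64

MAX_RECORD_LEN, MIN_KEY_BITS = 512, 1024   # limits quoted in the text above
# Assumption: sample fields that RFC 5322 allows to repeat; not Mail Tester's list.
REPEATABLE = {"received", "comments", "keywords"}

def tags(value):
    """Split a 'tag=value; tag=value' list into a dict."""
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip(): v.strip() for k, v in pairs}

def tlv(buf, pos, want):
    """Read one DER element at pos; return (content, offset after it)."""
    if buf[pos] != want:
        raise ValueError(f"expected DER tag {want:#x}, got {buf[pos]:#x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_key_bits(p_b64):
    """Modulus size of the SubjectPublicKeyInfo carried in the p= tag."""
    spki, _ = tlv(base64.b64decode(p_b64), 0, 0x30)
    _, pos = tlv(spki, 0, 0x30)            # AlgorithmIdentifier
    bits, _ = tlv(spki, pos, 0x03)         # BIT STRING wrapping the RSA key
    rsa, _ = tlv(bits, 1, 0x30)            # skip the unused-bits byte
    modulus, _ = tlv(rsa, 0, 0x02)         # INTEGER: the modulus
    return int.from_bytes(modulus, "big").bit_length()

def audit(key_record, signature):
    """Return the critical errors the text describes for this record and signature."""
    errors = []
    if len(key_record) > MAX_RECORD_LEN:
        errors.append("record longer than 512 characters")
    if rsa_key_bits(tags(key_record)["p"]) < MIN_KEY_BITS:
        errors.append("key smaller than 1024 bits")
    signed = [h.strip().lower() for h in tags(signature).get("h", "").split(":")]
    if "from" not in signed:
        errors.append("From header not signed")
    if REPEATABLE & set(signed):
        errors.append("repeatable header signed")
    return errors

# Key record as shown in the report on this page; the signature tags are constructed.
KEY_RECORD = "k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSFbcDPNOPcrg28a7m6RTH/BheXoR9R8kxtUIZ2CB9NeF+sF+mMP09PoXJdQe/9iu4+tPgotjNDUyWSgbawCWOps+i3mnVUdi/ZBF8aKltv0uTx0lRIdA17lMr6tci4tY/+n2piNaUequvDrPFAIPcDsDjRh9ivjjG+HZwhoMiYwIDAQAB"
SIGNATURE = "v=1; a=rsa-sha256; d=unlocktheinbox.com; s=secure; h=Message-ID:Date:Subject:From:To"
```

`audit(KEY_RECORD, SIGNATURE)` returns an empty list; dropping `From` from `h=` or adding `Received` produces the corresponding error strings.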

Resources: DKIM Signature
Tools: DKIM Wizard

DKIM Email Identifier Alignment compares the d= tag in your DKIM signature to your RFC5322.From domain. If they match exactly, they are in strict alignment. If they match on the root domain only, they are in relaxed alignment. If they don't match, they are unaligned. This becomes important when setting up your DMARC record.
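The alignment comparison can be sketched as follows. This is an added example, not Mail Tester's code; `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List, which a real check needs in full so that two unrelated domains under a shared suffix such as `co.uk` are not reported as relaxed-aligned.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; real checks load the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}

def organizational_domain(domain):
    """Return the longest matching public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):           # i = 0 tries the longest candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])           # unknown suffix: fall back to two labels

def dkim_alignment(signature, from_header):
    """Classify d= against the RFC5322.From domain: strict, relaxed or unaligned."""
    tag_list = dict(t.strip().split("=", 1) for t in signature.split(";") if "=" in t)
    d = tag_list.get("d", "").strip().lower().rstrip(".")
    address = parseaddr(from_header)[1]    # drops the display name, keeps addr-spec
    from_domain = address.rpartition("@")[2].lower().rstrip(".")
    if not d or not from_domain:
        return "unaligned"
    if d == from_domain:
        return "strict"
    if organizational_domain(d) == organizational_domain(from_domain):
        return "relaxed"
    return "unaligned"
```

A comparison that only looked at the last two labels would call `example.co.uk` and `other.co.uk` relaxed-aligned; the suffix lookup is what prevents that.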
 
Read our next blog in the Mail Tester Series: Mail Tester - DMARC Validation

The Mail Tester Pro Report - DKIM Section

Public Domain Key
Selector Location: Click Here: secure._domainkey.unlocktheinbox.com
DNS Record Found: Yes
Record Syntax: k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSFbcDPNOPcrg28a7m6RTH/BheXoR9R8kxtUIZ2CB9NeF+sF+mMP09PoXJdQe/9iu4+tPgotjNDUyWSgbawCWOps+i3mnVUdi/ZBF8aKltv0uTx0lRIdA17lMr6tci4tY/+n2piNaUequvDrPFAIPcDsDjRh9ivjjG+HZwhoMiYwIDAQAB
Key Size: 1024 bits
Record Length: 224 Bytes

DKIM Validation Check
Signature Found: Yes
SmarterMail DKIM Test: Passed
MailBee.Net DKIM Test: Passed
LimiLabs DKIM Test: Passed
SpamAssassin DKIM Test: Passed

Publication: RFC 4870
Domain Keys Additional Information
Tag Value
Key Algorithm: a=rsa-sha1
Query Method: q=dns
Canonicalization: c=nofws
Selector: s=default
Domain Name: d=unlocktheinbox.com
Signed Headers: h=Message-ID:Date:Subject:From:To:User-Agent:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:Importance
Signature Data: b=dSMhrkgARCXZqVdkDq/1/irPFgXoAUllgC0elg5PUAMsWHp8y
Q9sqJERhAlJvrlJ49Mp8cfba6oYCAGpiP0uP0c3TASDsRvpMOjP+
aQBOri2A/ic2UDQ2LALXJn0QoUs

Public DKIM Key
Selector Location: Click Here: secure._domainkey.unlocktheinbox.com
DNS Record Found: Yes
Record Syntax: k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSFbcDPNOPcrg28a7m6RTH/BheXoR9R8kxtUIZ2CB9NeF+sF+mMP09PoXJdQe/9iu4+tPgotjNDUyWSgbawCWOps+i3mnVUdi/ZBF8aKltv0uTx0lRIdA17lMr6tci4tY/+n2piNaUequvDrPFAIPcDsDjRh9ivjjG+HZwhoMiYwIDAQAB
Key Size: 1024 bits
Record Length: 224 Bytes

DKIM RFC Check
From Signed: Yes
Restricted Headers Signed: No
Key Algorithm: Passed
Canonicalization Syntax: Passed

Information : Identifier Alignments
DKIM Alignment Test (Used in DMARC ADKIM Test)
DKIM d= Tag: unlocktheinbox.com
From Domain: unlocktheinbox.com
DKIM Identifier Alignment: Strict
Copyright © 2017 Unlock The Inbox