
I wondered if there is a way to verify the correctness/validity of DKIM implementations without actually triggering an email event or sending an email to an external validator. So, remotely, on any domain.

I was thinking about fetching the DNS TXT records (DKIM selectors). But I suppose only the most common can be checked, leaving the certainty of the correctness of the DKIM implementation basically still unknown. Assuming that the DNS server is well configured and does not dump the whole zone file including DKIM selectors using an AXFR request.

Secondly, if we actually did see the full DNS configuration, or managed to get the DKIM related DNS records with 100% certainty, would it be possible to check the correctness of that implementation (partly) without triggering an email event?

Long story short: I'm searching for ways to identify and pinpoint possible mistakes in DKIM implementations.

Bob Ortiz
  • @schroeder I'm aware of that but you do need to know the used DKIM selectors at that point already, right? That's my point. Assuming we did not get a previous email and cannot trigger an email event. How can we find those selectors in order to use such DKIM checkers? – Bob Ortiz Aug 09 '17 at 21:47
  • Then your question can be boiled down to how to find selectors without inspecting email headers. I do not think this is possible if the DNS server does not dump. What do you mean by 'correctness'? I'm not sure that you can check that without deep knowledge of their design intent (or using the crudeness of a validator). – schroeder Aug 09 '17 at 22:08
  • This is an interesting question though. I've been poking around with various tools, and I cannot find a way without a dictionary attack on the selector. – schroeder Aug 09 '17 at 22:11

1 Answer


No. Obtaining the public key from DNS gives you only half of the picture. You also need a signature to verify against the public key, and that signature is only going to appear in an actual email. Without a signature you have no idea if the policy domain's MTA is configured to even sign outgoing mail at all, or with the right key, or with the right selector, and so on.

user156523
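The question proposes fetching the selector's TXT record, and the answer explains why that is only half the picture. The following script, added here as an example and not part of either post, shows exactly how far the DNS half gets you: it parses a DKIM key record (the `selector._domainkey.<domain>` TXT value, RFC 6376 section 3.6.1) and reports the structural problems that are visible without any message, such as a missing or revoked `p=` tag, a key that does not decode, an RSA modulus below the 1024 bits RFC 8301 requires, or `t=y` testing mode. It takes the record as a string; resolving the TXT record itself (with `dig` or dnspython) is left to the caller, and the sample records are constructed in-code from arbitrary numbers of the right size, so they are not real keys. The small DER encoder and decoder are my own, written so the example runs on the standard library alone. What it cannot do is tell you whether the MTA signs at all, or with this selector, because that needs a `DKIM-Signature` header from real mail.

```python
import base64
import re

# --- DER helpers, used only to build a constructed sample key (not real DKIM keys) ---
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b          # long-form length


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" + b) if b[0] & 0x80 else b)   # keep INTEGER positive


def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo DER for an RSA key: what a DKIM p= tag carries, base64-encoded."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))          # RSAPublicKey ::= SEQUENCE { n, e }
    alg = _der(0x30, RSA_OID + b"\x05\x00")                    # AlgorithmIdentifier with NULL params
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))     # SEQUENCE { alg, BIT STRING key }


# --- Parsing side: everything that can be checked from the DNS record alone ---
def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln


def rsa_modulus_bits(spki):
    """Return the modulus size of an RSA SubjectPublicKeyInfo, or raise ValueError."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    atag, alg, pos = _read_tlv(body, 0)
    if atag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    btag, bitstr, _ = _read_tlv(body, pos)
    if btag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("malformed BIT STRING")
    ktag, rsakey, _ = _read_tlv(bitstr, 1)            # skip the unused-bits byte
    if ktag != 0x30:
        raise ValueError("malformed RSAPublicKey")
    itag, modulus, _ = _read_tlv(rsakey, 0)
    if itag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt):
    """Split a DKIM key record (tag=value list separated by ';') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            k, _, v = part.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)   # folding whitespace inside values is ignored
    return tags


def check_dkim_record(txt):
    """Return a list of findings for a DKIM key record; an empty list means structurally sound."""
    tags, findings = parse_dkim_record(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= present but not DKIM1")
    key_type = tags.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        findings.append(f"unknown key type k={key_type}")
    if "p" not in tags:
        findings.append("missing p= tag")
    elif tags["p"] == "":
        findings.append("empty p=: key is revoked, signatures with this selector will fail")
    else:
        try:
            key = base64.b64decode(tags["p"], validate=True)
            if key_type == "rsa":
                bits = rsa_modulus_bits(key)
                if bits < 1024:
                    findings.append(f"{bits}-bit RSA key: RFC 8301 requires at least 1024 bits")
            elif len(key) != 32:
                findings.append("ed25519 p= must be a raw 32-byte public key")
        except (ValueError, IndexError) as exc:          # binascii.Error is a ValueError
            findings.append(f"p= does not decode to a public key: {exc}")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, verifiers must not treat signed mail differently from unsigned")
    if "h" in tags and "sha256" not in tags["h"].split(":"):
        findings.append("h= does not permit sha256, so rsa-sha256 signatures will be rejected")
    return findings


# Constructed sample records: the moduli are arbitrary numbers of the right size, not real keys.
SAMPLE_OK = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der((1 << 2047) | 1, 65537)).decode()
SAMPLE_WEAK = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(rsa_spki_der((1 << 511) | 1, 65537)).decode()
SAMPLE_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for name, rec in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK), ("revoked", SAMPLE_REVOKED)):
        print(name, check_dkim_record(rec) or "no findings")
```

Run against a real record, `check_dkim_record` is the most you can conclude from DNS: the selector exists and publishes a usable key of adequate size. Whether outgoing mail is actually signed with that key still requires a signed message, which is the answer's point.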