
Is there any way to find out what selectors are used by a domain in their DKIM record without access to an e-mail send from that domain?

So to clarify, let's say I know example.com has DKIM implemented. I cannot receive an e-mail from example.com as I know no one that works there. Can I still check the existence and validity of the DKIM record even though I do not know the name of the used selector? (or find the selector somehow without e-mail).

Wealot

2 Answers


There is no way to detect if DKIM is implemented by the sender without getting a mail from the sender, extracting the selector from the DKIM-Signature header and getting the DKIM policy from DNS based on this selector.

One can check if some commonly used selectors can be found in DNS. But a successful check does not mean that any of these selectors actually gets used for signing, nor does it mean that the messages get signed at all. And finding no typical selector does not mean that DKIM is not implemented.

Steffen Ullrich
  • Ok, clear, thanks. And a little too bad, as I was looking around at how people had configured their mailservers :D – Wealot Oct 25 '17 at 09:36

This is not entirely accurate, the answer by Steffen. There are some commonly used selectors that you can try, and in fact you could build your own table of possibilities to pass into a program or script to check against.

I recommend trying:

google
dkim
mail
default

For example: dig -t TXT +short google._domainkey.domain.com

Hope that helps someone.

Wanted to add this: it should go without saying that if you have the DKIM record and no email to compare it against, obviously it's not really of any use. But if all you're interested in is identifying if it's configured, and what the public key might be, go with trying common selectors.

skrap3e
  • *"This is not entirely accurate, the answer by Steffen"* - I think what you write in your answer is just an extended but not actually contradicting version of what I already said with *"One can check if some commonly used selectors can be found in DNS."*. Note though that I also said *"But a successful check does not mean that any of these selectors actually gets used for signing"* - a point which you are missing. – Steffen Ullrich Jul 02 '22 at 06:31
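Both routes discussed in the two answers, as an added example that is not code from either poster: reading the selector out of a received DKIM-Signature header (answer 1) and probing a list of common selectors in DNS (answer 2), while flagging revoked keys and keeping the caveat that a published record does not prove that mail is signed with it. The selector list, the `example.test` sample zone and the use of dnspython for live lookups are assumptions.

```python
# Selectors named in the answer above plus a few more seen in practice; the list is an assumption.
COMMON_SELECTORS = ["google", "dkim", "mail", "default", "selector1", "selector2", "k1", "s1"]

def dkim_name(selector, domain):
    """DNS name that holds the DKIM public key for one selector."""
    return f"{selector}._domainkey.{domain}"

def parse_tags(text):
    """Parse 'tag=value; tag=value' lists (DKIM key records and DKIM-Signature headers alike)."""
    tags = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())  # strip folding whitespace
    return tags

def selector_from_signature(header_value):
    """Answer 1's route: read d= and s= from a received DKIM-Signature header."""
    tags = parse_tags(header_value)
    return tags.get("d"), tags.get("s")

def key_is_usable(tags):
    """p= is mandatory; an empty p= means the key was revoked (RFC 6376 section 3.6.1)."""
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))

def probe_selectors(domain, lookup_txt, selectors=COMMON_SELECTORS):
    """Answer 2's route. lookup_txt(name) returns the TXT strings at name, or [] if none.
    A hit only proves the record exists, not that outgoing mail is signed with it."""
    found = {}
    for sel in selectors:
        for txt in lookup_txt(dkim_name(sel, domain)):
            tags = parse_tags(txt)
            if "p" in tags:
                found[sel] = key_is_usable(tags)
    return found

def dns_lookup_txt(name):
    """Live resolver via dnspython (assumed installed); returns [] when no record exists."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        return []
    return [b"".join(r.strings).decode("ascii", "replace") for r in answer]

# Constructed sample zone so the probe runs offline; not real DNS data.
SAMPLE_ZONE = {"google._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN"],
               "mail._domainkey.example.test": ["v=DKIM1; p="]}  # second key is revoked
def sample_lookup(name):
    return SAMPLE_ZONE.get(name, [])
```

To audit a domain you operate, call `probe_selectors("your.domain", dns_lookup_txt)`; the sample zone returns `{"google": True, "mail": False}`, the second entry being a published but revoked key.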