No, it's not possible to query this directly, as there's no such thing as wildcard DNS queries. As you are checking for the best practices, this isn't necessarily a problem.
Current best practice is to have all SPF + DKIM + DMARC. By checking DMARC you can indirectly deduce something about DKIM, too. If the administrator has set up DMARC, he's probably also aware of DKIM.
There are two available methods for getting complete zones, but if you succeed with either of these, you can already tell that the domain is not following best practices on the DNS setup:
Zone transfers should not be available to anyone. This would give you results, if it is:
dig axfr example.com @ns1.example.com | grep "_domainkey"
DNSSEC Hashed Authenticated Denial of Existence introduced NSEC3 / NSEC3PARAM to address Zone Walking (RFC 5155). The ldns-walk would give results if NSEC is still in use.
ldns-walk example.com | grep "_domainkey"
I don't know the purpose of this validation, but all the cases I could imagine are covered:
If it's for incoming mail, you'd already have the email with or without the DKIM signatures, and the DMARC would tell you whether there should be one, if there isn't. Having the mail with the signatures is also the only way to be sure that DKIM is correctly implemented.
If it's about validating your customers' practices before moving forward, the validation form could ask for the selector(s). Again, automating the service by checking actual mail would be easier both for you and your client.
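The incoming-mail case described above, as an added example that is not part of the original answer: the selector is read from the `s=` tag of each `DKIM-Signature` header, so the exact DNS names to query are known without enumerating the zone. The sample message, the function names and the strict (exact-match) alignment check are assumptions made for illustration; relaxed alignment would need the Public Suffix List.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not real mail); domains, selectors and
# the bh=/b= values are placeholders.
SAMPLE = """\
From: Alice <alice@example.com>
To: bob@example.net
Subject: test
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel2024; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.org; s=k1;
 h=from:subject; bh=PLACEHOLDER=; b=PLACEHOLDER

body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Folding whitespace inside a value is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def dkim_lookups(raw_message):
    """Return (From domain, DMARC record name, per-signature DKIM record names)."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        if not d or not s:
            continue  # d= and s= are required tags; skip malformed signatures
        results.append({
            "key_record": f"{s}._domainkey.{d}",   # TXT record holding the public key
            "strict_aligned": d == from_domain,    # exact match only (assumption)
        })
    return from_domain, f"_dmarc.{from_domain}", results

if __name__ == "__main__":
    domain, dmarc_name, sigs = dkim_lookups(SAMPLE)
    print("DMARC record:", dmarc_name)
    for sig in sigs:
        print("DKIM record:", sig["key_record"], "aligned:", sig["strict_aligned"])
```

Each printed name can then be checked with a TXT lookup, for example `dig txt sel2024._domainkey.example.com`.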