Passive Verification of DKIM Implementations
Is there a passive way to verify DKIM implementations (on DNS level) without triggering an actual email event?
I wondered if there is a way to verify the correctness/validity of DKIM implementations without actually triggering an email event or sending an email to an external validator. So, remotely, on any domain.
I was thinking about fetching the DNS TXT records (DKIM selectors). But I suppose only the most common can be checked, leaving the certainty of the correctness of the DKIM implementation basically still unknown. Assuming that the DNS server is well configured and does not dump the whole zone file including DKIM selectors using an AXFR request.
Secondly, if we actually did see the full DNS configuration, or managed to get the DKIM-related DNS records with 100% certainty, would it be possible to check the correctness of that implementation (partly) without triggering an email event?
Long story short: I’m searching for ways to identify and pinpoint possible mistakes in DKIM implementations.
Answer
No. Obtaining the public key from DNS gives you only half of the picture. You also need a signature to verify against the public key, and that signature is only going to appear in an actual email. Without a signature you have no idea if the policy domain’s MTA is configured to even sign outgoing mail at all, or with the right key, or with the right selector, and so on.
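As an added illustration of the point above (this is not code from the question or the answer), the script below does the only part that is passively checkable: it probes a handful of selector names under `_domainkey`, parses each key record's tags, and validates the `p=` key material (base64, DER SubjectPublicKeyInfo, RSA modulus size per RFC 8301, revoked empty `p=`, `t=y` testing flag). The selector list, the lookup callable and the sample records are assumptions constructed for the example; the moduli are arbitrary odd numbers, not real keys. Nothing in it can tell you whether the MTA actually signs with any of these keys.

```python
"""Passive DKIM key-record checks: what DNS alone can and cannot tell you (added example)."""
import base64

# Illustrative selector names to probe when the real one is unknown (assumption, not exhaustive).
COMMON_SELECTORS = ["default", "selector1", "selector2", "google", "k1", "s1"]
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def dkim_record_name(selector, domain):
    """DNS name holding the key record: <selector>._domainkey.<domain> (RFC 6376 3.6.2.1)."""
    return f"{selector}._domainkey.{domain}"

def parse_tags(txt):
    """Parse 'tag=value; tag=value' into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo carrying an rsaEncryption key."""
    tag, outer, _ = _der_read(spki, 0)
    alg_tag, algid, pos = _der_read(outer, 0)
    oid_tag, oid, _ = _der_read(algid, 0)
    if (tag, alg_tag, oid_tag, oid) != (0x30, 0x30, 0x06, RSA_OID):
        raise ValueError("not a SubjectPublicKeyInfo with rsaEncryption")
    bs_tag, bitstr, _ = _der_read(outer, pos)
    seq_tag, rsapub, _ = _der_read(bitstr[1:], 0)
    mod_tag, modulus, _ = _der_read(rsapub, 0)
    if (bs_tag, bitstr[:1], seq_tag, mod_tag) != (0x03, b"\x00", 0x30, 0x02):
        raise ValueError("malformed BIT STRING / RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt):
    """Return findings for one key record; [] means the record itself looks fine."""
    findings = []
    tags = parse_tags(txt)
    if not tags.get("p"):
        return ["p= missing or empty: no usable key (an empty p= means the key was revoked)"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return ["p= is not valid base64"]
    if tags.get("k", "rsa") != "rsa":
        return [f"k={tags['k']}: key type not checked by this example"]
    try:
        bits = rsa_modulus_bits(key)
    except (ValueError, IndexError) as exc:
        findings.append(f"p= is not an RSA SubjectPublicKeyInfo: {exc}")
    else:
        if bits < 1024:
            findings.append(f"RSA key is {bits} bits; RFC 8301 verifiers must reject keys under 1024 bits")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing mode: verifiers treat signatures made with this key like unsigned mail")
    return findings

def probe_selectors(domain, lookup, selectors=COMMON_SELECTORS):
    """Check every selector that resolves. lookup(name) returns the TXT strings for a name,
    or [] if absent; in practice wrap dnspython or dig here (kept offline in this example)."""
    return {sel: check_record(txt)
            for sel in selectors for txt in lookup(dkim_record_name(sel, domain))}

# ---- constructed sample records (not real keys; moduli are arbitrary odd numbers) ----
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def build_rsa_spki(n, e=65537):
    """DER SubjectPublicKeyInfo for modulus n; used only to build the sample records."""
    rsapub = _der(0x30, _der_int(n) + _der_int(e))
    algid = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, algid + _der(0x03, b"\x00" + rsapub))

def sample_record(bits, extra=""):
    p = base64.b64encode(build_rsa_spki((1 << (bits - 1)) | 1)).decode()
    return f"v=DKIM1; k=rsa; {extra}p={p}"

if __name__ == "__main__":
    zone = {dkim_record_name("selector1", "example.com"): [sample_record(2048)],  # placeholder domain
            dkim_record_name("k1", "example.com"): [sample_record(512, "t=y; ")],
            dkim_record_name("default", "example.com"): ["v=DKIM1; k=rsa; p="]}
    for sel, found in probe_selectors("example.com", lambda n: zone.get(n, [])).items():
        print(sel, found or ["well-formed record; whether mail is actually signed with it is not visible in DNS"])
```

Against a real domain, replace the `zone` dictionary with a resolver call (for example `dig +short TXT selector1._domainkey.example.com`, joining the quoted strings of a long record before parsing). Everything the script can flag is a property of the published record, which is why a clean result still says nothing about whether, or with which selector, the MTA signs outgoing mail; that evidence only exists in a `DKIM-Signature:` header on a real message.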