Testing DKIM

Verify that your DKIM signature is working correctly using built-in DNS checks and external testing services.

Last updated 2026-04-12

    After generating your DKIM key and adding the DNS record, you should verify that:

    1. The DNS record has propagated correctly.
    2. Outgoing messages are actually being signed.
    3. The signature passes verification at recipient servers.

    Step 1 — Verify DNS Propagation

    Using the Admin Panel

    Go to Admin → DKIM and click Check DNS next to your domain. Opterius Mail performs a live TXT lookup for mail._domainkey.{domain} and compares the result to the stored public key. A green checkmark means the record is live and correct.

    Using Command-Line Tools

    # dig (most detailed)
    dig TXT mail._domainkey.example.com +short
    
    # nslookup
    nslookup -type=TXT mail._domainkey.example.com
    
    # host
    host -t TXT mail._domainkey.example.com
    

    Expected output (truncated):

    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
    

    If the command returns no output or NXDOMAIN, the record has not propagated yet. DNS TTL is typically 5–60 minutes. For records with a low TTL (e.g., 300 seconds), propagation can be nearly instant.

    Using Online DNS Lookup Tools

    • dnschecker.org — checks propagation across global DNS servers simultaneously.
    • mxtoolbox.com/dkim — enter your domain and selector (mail) for a formatted check.

    Step 2 — Verify Outgoing Messages Are Signed

    Send a test message from an account in the domain you configured DKIM for. Check the raw headers of the received message. Look for the DKIM-Signature header:

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=example.com; s=mail; t=1744401600;
      bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
      h=From:To:Subject:Date:Message-ID;
      b=AbCdEf1234...
    

    Key fields to check:

    Field   Expected value
    d=      Your domain (example.com)
    s=      The selector (mail)
    a=      rsa-sha256
    b=      A non-empty base64 signature

    If the DKIM-Signature header is absent, signing is not working. See the troubleshooting section below.
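
The Step 1 and Step 2 checks as a script, added here as an example and not part of Opterius Mail: `check_record` compares pasted `dig +short` output with the stored key, and `check_signature` checks the key fields of a message's DKIM-Signature header. The function names, key bytes and sample message are constructed for illustration; the check that From appears in h= comes from RFC 6376, which requires the From header to be signed.

```python
import base64
import re
from email import message_from_string

def parse_tags(text):
    """Parse a DKIM tag=value list (header or DNS record); whitespace in values is dropped."""
    pairs = (part.split("=", 1) for part in text.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def check_signature(raw_message, domain, selector):
    """Step 2: problems found in the message's DKIM-Signature header ([] = as expected)."""
    headers = message_from_string(raw_message).get_all("DKIM-Signature", [])
    if not headers:
        return ["no DKIM-Signature header: signing is not working"]
    tags = parse_tags(headers[0])
    problems = []
    for tag, want in (("d", domain), ("s", selector), ("a", "rsa-sha256")):
        if tags.get(tag, "").lower() != want.lower():
            problems.append(f"{tag}={tags.get(tag)!r}, expected {want!r}")
    if not tags.get("b"):
        problems.append("b= is empty")
    if "from" not in tags.get("h", "").lower().split(":"):
        problems.append("From is not listed in h=")
    return problems

def check_record(dig_short_output, stored_key_b64):
    """Step 1: compare `dig +short` TXT output with the stored public key ([] = match)."""
    answers = ["".join(re.findall(r'"([^"]*)"', line))  # join split TXT strings
               for line in dig_short_output.splitlines() if line.strip()]
    if not answers:
        return ["no TXT record returned"]
    if len(answers) > 1:
        return [f"{len(answers)} TXT records at this name; remove duplicates"]
    p = parse_tags(answers[0]).get("p", "")
    try:
        published = base64.b64decode(p, validate=True)
    except ValueError:
        return ["p= is not valid base64"]
    if not published or published != base64.b64decode(stored_key_b64):
        return ["p= does not match the stored public key"]
    return []

# Constructed sample data: 66 arbitrary bytes stand in for the real DER-encoded key.
STORED_KEY = base64.b64encode(bytes(range(66))).decode()
GOOD_TXT = f'"v=DKIM1; k=rsa; p={STORED_KEY[:40]}" "{STORED_KEY[40:]}"'
TYPO_TXT = GOOD_TXT.replace("p=A", "p=B")  # one wrong character, still valid base64
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail;\n"
          "  h=From:To:Subject:Date:Message-ID; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=AbCdEf1234\n"
          "From: alice@example.com\nTo: bob@example.net\nSubject: test\n\nbody\n")
```

`TYPO_TXT` shows why a mistyped `p=` is easy to miss: the record still parses and decodes, and only the comparison against the stored key catches it.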

    Step 3 — Full Authentication Report

    Port25 Verifier

    Send a message from your domain to check-auth2@verifier.port25.com. You will receive an automated reply with a full authentication report:

    ==========================================================
    Summary of Results
    ==========================================================
    SPF check:          pass
    DomainKeys check:   neutral
    DKIM check:         pass
    DMARC check:        pass
    SpamAssassin check: ham (score=-4.2)
    

    A pass result for DKIM confirms end-to-end signing and verification is working.

    Mail Tester

    Go to mail-tester.com, copy the test address shown, and send a test email to it from the domain you are testing. The website gives a score out of 10 and a detailed breakdown including DKIM, SPF, DMARC, and spam score.

    Gmail Headers

    Send a message to a Gmail account. Open it in Gmail, click the three-dot menu → Show original. Gmail shows an authentication summary at the top:

    SPF:        PASS with IP 203.0.113.1
    DKIM:       PASS with domain example.com
    DMARC:      PASS
    

    Troubleshooting

    DNS Record Not Found

    • Wait longer — DNS propagation can take up to 48 hours for some registrars (though usually much faster).
    • Check the record name — it must be exactly mail._domainkey.example.com. Some DNS interfaces auto-append the domain; if yours does, enter only mail._domainkey.
    • Check for typos — especially in the p= value. A single wrong character produces a record that is syntactically valid but cryptographically incorrect.
    • Multiple TXT records — if the record was added twice with different values, some resolvers return both, causing verification to fail. Remove duplicates.

    Signature Present But Verification Fails

    • Key mismatch — the key was regenerated after the DNS record was added. Regenerate and re-add the DNS record.
    • Wrong domain in d= — the signing configuration refers to the wrong domain.
    • Header canonicalization — verify OpenDKIM is using relaxed/relaxed canonicalization. Strict (simple) canonicalization can cause failures with certain MTAs that reformat headers.

    No DKIM-Signature Header in Outgoing Mail

    • OpenDKIM is not running — check systemctl status opendkim.
    • Postfix is not using OpenDKIM — verify Postfix's main.cf includes the milter configuration:
      smtpd_milters = inet:127.0.0.1:8891
      non_smtpd_milters = inet:127.0.0.1:8891
      
    • OpenDKIM key file not found — check the path in KeyTable matches the actual file location on disk.
    • Rspamd DKIM signing enabled but misconfigured — if you use Rspamd for DKIM signing instead of OpenDKIM, check /etc/rspamd/local.d/dkim_signing.conf.

    OpenDKIM Logs

    # Check OpenDKIM logs (usually in mail.log or its own log)
    journalctl -u opendkim --since "1 hour ago"
    
    # Or
    grep opendkim /var/log/mail.log | tail -20