DKIM Discovery Process

Standard tools often miss DKIM selectors because they live at subdomain-specific record names. Veldica uses provider patterns and DNS clues to find and check more of those public keys for you.

DKIM Discovery Process

DKIM Selector Audit Checklist

1
Pattern Scan

Veldica scans for common provider patterns like Google and Microsoft 365.

2
Record Analysis

We check your SPF and MX records to find clues about which selectors to look for.

3
Strength Check

We check every public key we find for current length and syntax expectations.

4
Old Key Audit

Find old or inactive selectors that you should review in DNS.

DKIM Discovery Process

DKIM keys are the hardest part of an email security check because their selectors are not listed in your main domain record.

1. The DKIM Blind Spot

Unlike other settings, DKIM records live at locations like selector._domainkey.example.com. If you don't know the selector name, the record is invisible to most scanners. This creates a big blind spot where you might think your DKIM is fine, but you're only checking the selectors you already know about.

2. Why Guessing Fails

Most basic tools just guess common selector names like google or default. While this catches some public keys, they miss:

  • Old Selectors: Weak keys from years ago that are still published but forgotten.
  • Provider Selectors: Special names used by tools like Mandrill or SendGrid.
  • Rotated Selectors: When you move to a new key, the old selector might still be there, creating a security risk.

3. How Veldica Finds DKIM Records

Our engine uses a multi-step process to find DKIM public keys without needing access to your accounts:

  1. Common Patterns: We use a library of names used by the most popular email tools.
  2. DNS Clues: We look at your other records to see which email providers you use.
  3. Link Following: We follow CNAME-based DKIM paths for tools like AWS SES to ensure the target record exists.
  4. Security Check: Once found, we check the key's length and type to ensure it meets current standards.

4. Add Your Own Selectors

For the best audit, Veldica lets you list your own known selectors. This is helpful if you use custom tools that don't follow standard naming rules.

POST /v1/pro/audits/domain
{
  "domain": "example.com",
  "selectors": ["my-custom-key-2024", "marketing-tool"]
}

5. Reading the Results

When Veldica finds a DKIM public key, it doesn't just say "Pass." It tells you how strong the key is and which provider context may apply.

{
  "id": "dkim.weak_key",
  "check": "dkim",
  "status": "fail",
  "severity": "high",
  "title": "Weak DKIM Key",
  "evidence": "This key is too short. Modern standards require longer keys to stay safe.",
  "fix": "Create a new, stronger DKIM key in your email provider's settings."
}

Deepen Your Audit

DKIM discovery is built into Veldica Audit Pro. Use it with our Fix & Retest steps to make sure your updates worked.

Keep Exploring

Use the Workflow Library to browse more guides, comparisons, and integration examples to continue your evaluation.

Workflow
Before/After Comparison

Check that your DNS changes didn't break your security.
Solution
Internal Review

Audit your own domains to find hidden risks and changes.
Reference
API Documentation

View the technical guide for the Veldica Audit API.