EMAIL-003 critical DNS Authentication

DKIM configured

DKIM records exist with valid public keys for all sending domains/subdomains

Question to ask

"Are your emails actually cryptographically signed?"

Verification guide

Severity: Critical

DKIM (DomainKeys Identified Mail) cryptographically signs outgoing emails, proving they have not been tampered with in transit and were signed with a key the domain owner published in DNS, so a receiver can confirm the sender was authorized by that domain.

Check automatically:

  1. With DNS API access (preferred - discovers all selectors):

     # Cloudflare - find all _domainkey TXT records
     curl -X GET "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records?type=TXT" \
       -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result[] | select(.name | contains("_domainkey"))'

     # Or list all TXT and filter
     curl ... | jq '.result[] | select(.name | contains("domainkey")) | {name, content}'

  2. Without API access (check common selectors):

     # Common DKIM selectors by provider
     dig TXT google._domainkey.example.com +short         # Google Workspace
     dig TXT selector1._domainkey.example.com +short      # Microsoft 365
     dig TXT selector2._domainkey.example.com +short      # Microsoft 365
     dig TXT s1._domainkey.example.com +short             # Generic
     dig TXT s2._domainkey.example.com +short             # Generic
     dig TXT k1._domainkey.example.com +short             # Mailchimp
     dig TXT smtpapi._domainkey.example.com +short        # SendGrid
     dig TXT mailo._domainkey.example.com +short          # Mailgun
     dig TXT pm._domainkey.example.com +short             # Postmark

  3. Validate DKIM record format:
  • Should contain v=DKIM1
  • Should contain p=<public_key> (not empty)
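As an added example (not part of the original checklist), a small Python check for step 3: it takes one answer as printed by dig +short, rejoins the quoted chunks dig emits for records longer than 255 bytes, and checks the v=, p=, k= and t= tags. The sample records and their zero-filled key bytes are constructed placeholders, not real keys.

```python
import base64
import re

# DER SubjectPublicKeyInfo size of a 1024-bit RSA key; RFC 8301 tells verifiers
# to reject RSA keys shorter than that.
MIN_RSA_SPKI_BYTES = 162

def join_txt_chunks(raw):
    # dig prints long TXT records as several quoted 255-byte chunks; rejoin them
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', raw)
    return "".join(chunks) if chunks else raw.strip()

def parse_dkim_tags(record):
    # RFC 6376 tag-list: "tag=value" pairs separated by ";" (whitespace ignored)
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_dkim_record(raw):
    """Return (passed, findings) for one DKIM TXT record as printed by dig."""
    tags = parse_dkim_tags(join_txt_chunks(raw))
    findings = []
    if tags.get("v") != "DKIM1":
        findings.append("missing or wrong v= tag (expected v=DKIM1)")
    key = tags.get("p")
    if key is None:
        findings.append("no p= tag")
    elif key == "":
        findings.append("p= is empty: key revoked")
    else:
        try:
            der = base64.b64decode(key, validate=True)
        except ValueError:
            findings.append("p= is not valid base64")
        else:
            if tags.get("k", "rsa") == "rsa" and len(der) < MIN_RSA_SPKI_BYTES:
                findings.append("RSA key appears shorter than 1024 bits")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set: verifiers treat mail as unsigned")
    return (not findings, findings)

# Constructed sample records; the key bytes are zero-filled placeholders, not real keys.
_FAKE_KEY = base64.b64encode(bytes(294)).decode()  # same length as a 2048-bit RSA SPKI
SAMPLE_GOOD = '"v=DKIM1; k=rsa; " "p=' + _FAKE_KEY + '"'
SAMPLE_REVOKED = '"v=DKIM1; k=rsa; p="'
SAMPLE_SHORT = '"v=DKIM1; k=rsa; p=' + base64.b64encode(bytes(64)).decode() + '"'
SAMPLE_TESTING = '"v=DKIM1; t=y; p=' + _FAKE_KEY + '"'
```

Feed the output of one dig +short query from step 2 to check_dkim_record; an empty answer (record absent) fails on the missing v= and p= tags, which maps directly onto the fail criteria below.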

Ask user:

  • "Can you provide DNS read access to list all TXT records?"
  • "What DKIM selectors does your email provider use?"

Pass criteria:

  • At least one DKIM record exists for each sending domain/subdomain
  • Records contain valid public keys (p=... not empty)
  • Selectors match configured email providers

Fail criteria:

  • No DKIM records found for a sending domain
  • DKIM key is empty/revoked (p= with no key)

Evidence to capture:

  • All DKIM selectors found (via API discovery)
  • Providers identified from selector names
  • Subdomains covered
  • Key validity (present and non-empty)

Section: 20. Email Infrastructure