45

Is there a method to find a domain's DKIM and DMARC records using dig or nslookup?

I have attempted to do the following:

dig somedomain.org any

returns many records, but not the known DKIM and DMARC text records.

nslookup -type=txt somedomain.org

returns all the text records known except the DKIM and DMARC records.

grekasius
Evil Genius

5 Answers

62

To query the TXT record for DMARC, you can use:

dig TXT _dmarc.example.org

To query for a particular record for DKIM, you would need to know the selector prefix. You will find it in the s= tag of an email's DKIM-Signature header.

For example:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
s=google; t=1615461277;
[…]

You would then query it as TXT:

dig TXT google._domainkey.example.org
Andy
gparent
12

For DKIM records, if you have received a DKIM-signed email from that domain, look at the DKIM-Signature header line(s).

From the spec:

All DKIM keys are stored in a subdomain named _domainkey. Given a DKIM-Signature field with a "d=" tag of example.com and an "s=" tag of foo.bar, the DNS query will be for foo.bar._domainkey.example.com.

So in this example, you can then run:

dig TXT foo.bar._domainkey.example.com

Credit to andol, whose comment led me to this solution.

mpavey
8

You should use +short with dig to get the DMARC record only.

dig +short TXT _dmarc.domain.com
Talal Al-Khalifa
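The steps in the answers above (read d= and s= out of the DKIM-Signature header, query <selector>._domainkey.<domain> and _dmarc.<domain> as TXT, then read the record dig returns) can be scripted. The following is an added example and is not code from any answer on this page. It unfolds a DKIM-Signature header to build the two dig commands, and parses what dig +short prints for the key and the DMARC record, including the case where dig splits a long DKIM public key into several quoted strings that have to be concatenated. The header, key and DMARC values are constructed samples (example.org as in the answers, with a made-up selector and key), and the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample: a DKIM-Signature header as it appears in raw message source,
# folded across lines. The selector, timestamp and b=/bh= values are made up.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
    "\ts=google; t=1615461277;\n"
    "\th=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\n"
    "\tb=dGVzdA==\n"
)

# Constructed sample of `dig +short TXT google._domainkey.example.org` output.
# A long key is returned as several quoted strings; the key is a dummy value.
SAMPLE_DIG_DKIM = (
    '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC" '
    '"0xP6L1Ik8Ds2wIDAQAB"\n'
)

# Constructed sample of `dig +short TXT _dmarc.example.org` output.
SAMPLE_DIG_DMARC = '"v=DMARC1; p=none; rua=mailto:postmaster@example.org"\n'


def unfold_header(raw: str, name: str) -> List[str]:
    """Return the value of every header called `name`, with RFC 5322 line folding undone."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    values = []
    for line in unfolded.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def parse_tags(value: str) -> Dict[str, str]:
    """Split a tag=value list (DKIM-Signature, DKIM key record or DMARC record) into a dict.

    Whitespace inside base64 tags (b=, bh=, p=) is ignored, as the specs allow."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        key = key.strip()
        tags[key] = re.sub(r"\s+", "", val) if key in ("b", "bh", "p") else val.strip()
    return tags


def dkim_query_name(sig: Dict[str, str]) -> str:
    """RFC 6376: the public key lives at <selector>._domainkey.<signing domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def dmarc_query_name(domain: str) -> str:
    """RFC 7489: the DMARC policy lives at _dmarc.<domain>."""
    return f"_dmarc.{domain}"


def join_txt_strings(dig_output: str) -> str:
    """dig prints TXT RDATA as one or more quoted strings; join them into one record."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_output)
    return "".join(p.replace('\\"', '"').replace("\\\\", "\\") for p in parts)


def lookups_for_message(raw_headers: str) -> List[Dict[str, str]]:
    """For every DKIM-Signature in a message, the dig commands to fetch its key and DMARC record."""
    results = []
    for value in unfold_header(raw_headers, "DKIM-Signature"):
        sig = parse_tags(value)
        results.append({
            "selector": sig["s"],
            "domain": sig["d"],
            "dkim": f"dig +short TXT {dkim_query_name(sig)}",
            "dmarc": f"dig +short TXT {dmarc_query_name(sig['d'])}",
        })
    return results


def summarize_dkim_key(dig_output: str) -> Dict[str, str]:
    """Parse a DKIM key record; an empty p= means the key has been revoked."""
    rec = parse_tags(join_txt_strings(dig_output))
    if rec.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        raise ValueError("not a DKIM key record")
    if not rec.get("p"):
        raise ValueError("DKIM key revoked (empty p=)")
    return rec


def summarize_dmarc(dig_output: str) -> Dict[str, str]:
    """Parse a DMARC record and apply the defaults: sp= falls back to p=, pct= to 100."""
    rec = parse_tags(join_txt_strings(dig_output))
    if rec.get("v") != "DMARC1" or "p" not in rec:
        raise ValueError("not a valid DMARC record")
    return {
        "policy": rec["p"],
        "subdomain_policy": rec.get("sp", rec["p"]),
        "pct": rec.get("pct", "100"),
        "rua": rec.get("rua", ""),
    }


if __name__ == "__main__":
    for item in lookups_for_message(SAMPLE_HEADER):
        print(item["dkim"])
        print(item["dmarc"])
    print(summarize_dkim_key(SAMPLE_DIG_DKIM))
    print(summarize_dmarc(SAMPLE_DIG_DMARC))
```

Pipe real dig output into summarize_dkim_key or summarize_dmarc to check a live record; a selector containing dots (foo.bar from the second answer) needs no special handling, since it is used verbatim as the left-most labels of the query name.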
3

Using the Windows built-in tool nslookup

  1. Open Command Prompt (cmd.exe)
  2. Enter nslookup
  3. Enter set type=txt
  4. Enter _dmarc.somedomain.org, replacing somedomain.org with the domain you want to check

Example:

C:\Users\user>nslookup

Default Server:  localdns
Address:  192.168.1.1

> set type=txt

> _dmarc.somedomain.org

Non-authoritative answer:
_dmarc.somedomain.org text =

    "v=DMARC1; p=none; rua=mailto:postmaster@somedomain.org"

You may enter server 8.8.8.8 (Google DNS) before looking up the DMARC TXT record.

Ivan Chau
0

We also built a tool called Gappie that allows you to check your SPF, DKIM and DMARC records in Slack or Telegram at no cost.

You can use Gappie to

  • Check IP Reputation
  • Validate domain records (SPF, DKIM, DMARC, MX records)