Is it possible to find a list of all DKIM keys for a domain?
Solution 1:
No, it's not possible to query this directly, as there's no such thing as wildcard DNS queries. As you are checking for the best practices, this isn't necessarily a problem.
Current best practice is to have all SPF + DKIM + DMARC. By checking DMARC you can indirectly deduce something about DKIM, too. If the administrator has set up DMARC, he's probably also aware of DKIM.
There are two available methods for getting complete zones, but if you succeed with either of these, you can already tell that the domain is not following best practices on the DNS setup:
- Zone transfers should not be available to anyone. This would give you results, if it is:
dig axfr example.com @ns1.example.com | grep "_domainkey"
- DNSSEC Hashed Authenticated Denial of Existence introduced NSEC3/NSEC3PARAM to address zone walking (RFC 5155). The ldns-walk would give results if NSEC is still in use:
ldns-walk example.com | grep "_domainkey"
I don't know the purpose of this validation, but all the cases I could imagine are covered:
- If it's for incoming mail, you'd already have the email with or without the DKIM signatures, and the DMARC would tell you whether there should be one, if there isn't. Having the mail with the signatures is also the only way to be sure that DKIM is correctly implemented.
- If it's about validating your customers' practices before moving forward, the validation form could ask for the selector(s). Again, automating the service by checking actual mail would be easier both for you and your client.
Solution 2:
to make sure that a domain has at least one DKIM set up (to ensure that the administrator of that domain has done their due diligence)
If you want to do real due diligence, request that the administrator send you an email message from that domain, because the presence of a DKIM DNS record alone does not mean that DKIM is actually implemented correctly on their mail servers.
That will give you the selector and a lot of other things you need for a proper check of their setup.
There are many other settings needed for reliable e-mail delivery, please see this canonical Q&A and the linked ones for examples of such things like DMARC, SPF, reverse DNS records, blacklists etc.
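Both answers above point the same way: the reliable check starts from a real message, whose DKIM-Signature header carries the selector (s=) and signing domain (d=) that name the exact TXT record to look up, and DMARC only indicates whether a signature is expected. The following is an added example, not code from either answer, showing how a defender would extract that record name from a constructed header, read the DMARC policy, and sanity-check a fetched DKIM TXT record. All sample header and record values are constructed; the DNS lookup itself is left to dig (or a resolver library) since the name is all this script produces.

```python
import re

# Constructed sample DKIM-Signature header from an incoming message (not a real signature).
SAMPLE_DKIM_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=mail2023; h=from:to:subject:date; bh=ZmFrZWhhc2g=;\r\n"
    "\tb=ZmFrZXNpZw=="
)

# Constructed sample _dmarc.example.com TXT record.
SAMPLE_DMARC_TXT = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@example.com"


def parse_tag_value(text):
    """Parse a DKIM/DMARC 'tag=value; tag=value' list (RFC 6376 / RFC 7489 syntax) into a dict.

    Only the first '=' separates tag from value, so base64 padding and 'mailto:' URIs survive;
    folding whitespace inside values is removed."""
    tags = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_record_name(header):
    """Return the DNS name whose TXT record holds the public key for this signature:
    <selector>._domainkey.<domain>. This is the only record that can be queried directly;
    there is no way to enumerate every selector a domain has published."""
    body = header.split(":", 1)[1]  # drop the "DKIM-Signature:" field name
    tags = parse_tag_value(body)
    selector, domain = tags.get("s"), tags.get("d")
    if not selector or not domain:
        raise ValueError("DKIM-Signature is missing the s= or d= tag")
    return f"{selector}._domainkey.{domain}"


def dmarc_expects_dkim(txt):
    """Summarise what a DMARC record says about DKIM: the policy and the DKIM alignment
    mode (adkim defaults to relaxed 'r'). Returns None if the TXT is not a DMARC record,
    i.e. DMARC is absent and nothing can be inferred about DKIM from DNS alone."""
    tags = parse_tag_value(txt)
    if tags.get("v") != "DMARC1":
        return None
    return {"policy": tags.get("p"), "dkim_alignment": tags.get("adkim", "r")}


def dkim_key_present(txt):
    """Check a fetched DKIM TXT record: a non-empty p= tag means a usable public key is
    published; an empty p= means the key has been revoked (RFC 6376 section 3.6.1)."""
    tags = parse_tag_value(txt)
    return bool(tags.get("p"))


def dig_command(record_name):
    """Build the dig invocation a practitioner would run for the derived record name."""
    return ["dig", "+short", "TXT", record_name]


if __name__ == "__main__":
    name = dkim_record_name(SAMPLE_DKIM_HEADER)
    print("DKIM record to query:", name)
    print("Command:", " ".join(dig_command(name)))
    print("DMARC says:", dmarc_expects_dkim(SAMPLE_DMARC_TXT))
```

In practice, feed the DKIM-Signature header from the message the administrator sent you into dkim_record_name, run the printed dig command, and pass the returned TXT string to dkim_key_present; a missing record or an empty p= tag is the finding, and a DMARC policy with adkim=s tells you the signing domain must also match the From: domain exactly.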
Solution 3:
Most nameservers don't allow zone transfers to just anyone, meaning if you're not whitelisted, you can't list the records of a zone. In some rare cases you can use zone walking if DNSSEC is used along with NSEC, but this is unlikely.
Other than guessing selectors, you don't really have an option other than checking DMARC for DKIM alignment, which may give a likely indication of DKIM being set up too, but this is inconclusive if DMARC wasn't set up either.