DKIM Tools
Protect your emails from message replay and tampering. Analyze your raw DKIM-Signature header to audit protected headers (h=), decode canonicalization profiles (c=), flag missing expirations, and ensure maximum cryptographic resilience.
A valid cryptographic signature isn't enough if it doesn't protect the right things. We analyze your header's Canonicalization profile (c=), Expiration limits (x=), and audit your Protected Headers (h=) to ensure you aren't vulnerable to message replay or tampering.
DKIM isn't just about public keys in DNS. The way your mail server constructs the DKIM-Signature header dictates exactly how resilient your emails are to tampering.
To: or Subject: headers aren't included in the h= tag, an attacker can intercept your signed email, change the recipient or subject, and forward it with a perfectly valid DKIM signature.c= tag (e.g., relaxed/simple). "Relaxed" tolerates minor formatting changes by mail relays, while "Simple" is extremely strict and often causes DKIM to fail if a single space is altered.x= tag) are valid forever, making them prime targets for replay attacks months later. We audit timestamps and flag expired signatures.a= tag to ensure your mail server isn't accidentally using the deprecated, crackable rsa-sha1 algorithm instead of the modern rsa-sha256.Your feedback has been submitted successfully. We appreciate your help in improving our tools.