Get DKIM usage
Description:
"DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message." RFC 6376
A DKIM-Signature contains the domain tag (d=) on which to lookup the DKIM key and a selector (s=). This allows for multiple DKIM keys being used for a single domain. e.g. "d=example.com; s=mail;" refers to the selector "mail" on the domain "example.com". The DKIM key is found on the "_domainkey" subdomain. The full DKIM lookup would look as following: "mail._domainkey.example.com. TXT".
DKIM lookups are only done when a message has a DKIM-Signature. The impala query provides insight into domain names using DKIM on their domain.
Impala Query:
DKIM usage by domain for current day:
select domainname, count(1) as tot
from dns.staging
where qname ILIKE '%._domainkey.%'
and qtype = 16
group by domainname
order by tot desc
Total domain names with DKIM usage over multiple days:
select day, count( distinct domainname)
from dns.queries
where qname ILIKE '%._domainkey.%'
and qtype = 16
and month=08 and year=2017
group by day
order by day asc
Example Output:
DKIM usage by domain for current day:
manorweb.ch 1310
paper.li 1294
paypal.ch 1219
jelmoli-shop.ch 1121
stnet.ch 1029
freitag.ch 477
ebookers.ch 464
Total domain names with DKIM usage over multiple days:
1 57850
2 51110
3 48097
4 44045
5 20322
6 21206
7 55014
8 59914
9 56100