DKIM

You can't list DKIM keys from DNS. We find them anyway.

DKIM has no directory — selectors are invisible until you know their names. Trustliant probes the selectors every major platform uses, then learns the rest from DMARC aggregate reports, building a living inventory of every signing key a client depends on.

Selector discovery, two ways

Well-known selector probing catches Microsoft 365 (selector1/2), Google Workspace, Mailchimp, SendGrid, HubSpot, Zendesk, and more instantly. Aggregate-report ingestion then reveals the selectors actually used in the wild — including the ones nobody documented.

Key hygiene that ages well

1024-bit RSA keys get flagged (2048 is the floor now). Revoked-but-still-published records get cleanup findings. First-seen and last-seen tracking builds toward rotation-age alerts: keys that haven't rotated in years are a quiet risk nobody watches — Trustliant does.

Vendor attribution built in

Every selector maps to the platform that conventionally uses it, so 'k1._domainkey' reads as 'Mailchimp' in the UI. When a signature appears for a vendor the client never authorized, that's not a log line — it's a finding.

For your technicians

Per-selector records with key type, estimated bits, revocation state, and the RFC 6376 rotation procedure (new selector → switch signing → revoke old) spelled out.

For your clients

“Every service that signs email for your company is inventoried, strength-checked, and watched for changes.”