To validate the DKIM public key, you first need to identify the DNS TXT record that publishes it. A DKIM-signed email contains a DKIM-Signature header that provides the information needed to identify which DNS TXT record holds the DKIM public key.
Example:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;d=company.com; [email protected]; q=dns/txt; s=dkim1;t=2270733901; x= 2170733901;h=from:to:subject:date:message-id:mime-version;bh=AAAAB3NzaC1yc2EAAAABJQAAAQEAp79w1a7WMO8NLDM98YteMpkvZprTo1KOPqpImkuVvJhoSvOuywzCFzJsE8+OUHHyBykAqQv60K/pGs/Mjd55jxJFMLYGzZtcNwXubIb7zIqJvGoVi0757WCPbOkvZefdr0lLEOuLHjguRKgPZEibc3eutDuhOQw3jag92uVgsFqUx9k+IsFPpp3rNwAWpvJI53pump5Q6/1JNKPbTpocuSGhiAVERorjaPnXKgEFK5RbVcIae6v+RE8Gy4JtMN/c1vcLIEokBKh+T7+N72P3MsL5boo5jvNsmDE+NguNNzKV6ahrcFbZPRRw7Mva+139DEIhWTAfWNnmrrJrNGEAuQ==;
The ‘d=’ and ‘s=’ tags of the DKIM-Signature header give the domain and the selector used to generate the signature. To find the public key that matches the key used to generate the signature, look up the TXT record for the following host name:
[selector]._domainkey.[domain]
[selector] is the ‘s=’ value
[domain] is the ‘d=’ value
Example: dkim1._domainkey.company.com
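The lookup-name construction described above, as an added Python example (not part of the original page). The function names and the sample header are assumptions made for illustration; the sample reuses the page's d= and s= values with a placeholder body hash. The DNS query itself is left out so the code runs offline.

```python
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def parse_tag_list(value):
    """Split a DKIM 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # trailing ';' or the line ending of a folded header
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = val.strip()  # drops folding whitespace around the value
    return tags


def dkim_key_hostname(header):
    """Return [selector]._domainkey.[domain] for a DKIM-Signature header."""
    name, sep, value = header.partition(":")
    if not sep or name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    tags = parse_tag_list(value)
    for required in ("d", "s"):
        if not tags.get(required):
            raise ValueError(f"missing required tag: {required}=")
    selector, domain = tags["s"].lower(), tags["d"].lower()
    # d= and s= come from the message itself, so check them before using
    # them to build a DNS query name.
    for label in selector.split(".") + domain.split("."):
        if not _LABEL.fullmatch(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return f"{selector}._domainkey.{domain}"


# Constructed sample: folded header with a placeholder body hash.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;d=company.com;\r\n"
    "\tq=dns/txt; s=dkim1;t=2270733901; x= 2170733901;\r\n"
    "\th=from:to:subject:date:message-id:mime-version; bh=PLACEHOLDER=;\r\n"
)

if __name__ == "__main__":
    print(dkim_key_hostname(SAMPLE))
```

The returned name is the host to query for a TXT record, for example with a DNS lookup tool of your choice.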