Free DNS tool

DKIM Record Checker

Look up your DKIM key by selector, confirm the public key is published in DNS, check its length and version, and fix what quietly breaks email authentication.

Leave the selector blank to probe common ones. We query live DNS and never store your domain.

Try it instantly

Pick a domain and we auto-detect common DKIM selectors, or enter your own above.

DKIM, explained

What is a DKIM record?

DKIM, short for DomainKeys Identified Mail, is an email authentication standard defined in RFC 6376. It lets a sending server attach a cryptographic signature to every message, which receiving servers verify against a public key the domain owner publishes in DNS. A DKIM record is that public key, stored as a TXT record at a special hostname built from a selector and your domain, in the form selector._domainkey.example.com.

The signature proves two things at once. It confirms the message genuinely came from a server authorized by the domain, and it confirms the signed headers and body were not altered in transit. Since 2024 the largest mailbox providers expect SPF, DKIM, and DMARC to be in place before they will reliably deliver bulk mail, which makes a correctly published DKIM key a baseline requirement rather than an optional extra.

How DKIM signing and verification work

DKIM uses a key pair. The private key stays on the sending platform and is never published. The matching public key is published in DNS for anyone to read. The two halves let a receiver confirm a signature without the sender ever exposing the secret.

  • Signing. The sending server hashes the chosen headers and the body, signs that hash with the private key, and adds a DKIM-Signature header that records the domain, the selector, and the signed fields.
  • Selector lookup. The receiver reads the d= domain and s= selector from the signature, then queries DNS for the public key at selector._domainkey.domain.
  • Verification. Using that public key, the receiver recomputes the hash and checks the signature. A match passes DKIM and tells the receiver the message is authentic and unmodified.
  • Alignment. DMARC then checks that the DKIM d= domain aligns with the visible From address, which is what turns a passing signature into spoofing protection.

DKIM selectors explained

A selector is a short label that lets one domain publish more than one DKIM key at the same time. Each sending service you use, whether a mailbox provider or a marketing platform, gets its own selector and its own key, so the records never collide. Common selectors include google, selector1, selector2, s1, k1, and default, but your provider may use something custom.

To find the selector you are actually using, open a message you sent, view the original or full headers, and read the s= tag inside the DKIM-Signature line. Google Workspace and Microsoft 365 also show the active selector in their authentication settings. Once you know it, enter it in the checker above so the lookup targets the exact key your mail is signed with.

Common DKIM problems

  • No record at the selector. The most common failure is simply that no key is published for the selector being checked. Confirm the selector is correct and that DNS has finished propagating.
  • Truncated key. DNS limits each quoted TXT string to 255 characters, so a 2048-bit key must be split into chunks. If a panel stores it as one string, the key is cut off and verification fails.
  • Revoked key. A record with an empty p= tag signals a revoked key. Receivers treat the selector as withdrawn and any mail signed with it fails.
  • Weak key length. Keys shorter than 2048 bits are flagged as weak and can fail intermittently. A 1024-bit key still validates but should be rotated up.
  • Testing flag left on. A t=y tag tells receivers the domain is still testing DKIM, so they may not enforce it. Remove it once you trust your signing.

Key length and rotation

RFC 8301 requires signers to use at least 1024-bit RSA keys and recommends 2048-bit keys, which is also the guidance Google and Microsoft give their senders. Longer keys resist forgery for longer, and rotating them on a schedule limits the damage if a private key is ever exposed. Work through a rotation like this, then re-scan to confirm the new selector resolves.

  1. Generate a fresh key pair. Create a new 2048-bit key in your sending platform under a new selector so the existing one keeps working untouched.
  2. Publish the new public key. Add the new selector._domainkey TXT record in DNS and confirm it resolves before changing anything on the sending side.
  3. Switch signing to the new selector. Tell your platform to sign with the new key, then verify live mail is passing DKIM on the new selector.
  4. Retire the old key. After a safe overlap that covers any in-flight or cached messages, remove the old record so only the current key remains.

DKIM proves a message was not tampered with, but it only protects your From address once it is paired with SPF and a DMARC policy that enforces alignment. To see how all three score together, run the sender reputation checker.

Frequently asked

DKIM record questions

What is a DKIM record and how do I check it?
A DKIM record is a DNS TXT record that publishes your domain's public DKIM key at selector._domainkey.yourdomain.com. To check it, enter your domain and selector in the tool above. It performs a live DNS lookup, confirms a public key is published, validates the v=DKIM1 version tag, estimates the key length, and flags anything that would cause a verification failure.
What is a DKIM selector and how do I find it?
A selector is a label that lets a domain publish multiple DKIM keys, one per sending service. It appears as the s= tag in the DKIM-Signature header of every message you send. To find yours, open a sent message, view the original or full headers, and read the s= value. Google Workspace and Microsoft 365 also list the active selector in their authentication settings. Common values include google, selector1, s1, k1, and default.
How do I know if my DKIM record is valid?
A valid record returns a public key with a non-empty p= tag and, where present, a v=DKIM1 version tag. The checker above confirms the key is published at your selector, parses each tag, and reports the estimated key length. The real proof is a passing signature on live mail, so also send yourself a message and confirm the DKIM-Signature verifies in the headers.
What key length should a DKIM record use?
Use a 2048-bit RSA key. RFC 8301 requires at least 1024 bits and recommends 2048, which matches the guidance from Google and Microsoft. A 1024-bit key still validates but is flagged as weak and can fail intermittently with some receivers, so rotate it up to 2048 bits when your provider allows.
Why does my DKIM check fail?
Common causes are a missing record at the selector, an incorrect selector name, a public key that was truncated because the DNS panel did not split it across the 255-character TXT limit, a revoked key with an empty p= tag, or DNS that has not finished propagating. A message can also fail when a forwarding service or scanner modifies the signed content in transit.
Can a domain have more than one DKIM record?
Yes. A domain can publish many DKIM keys, each under its own unique selector, which is exactly how different sending services coexist. Multiple selectors also make key rotation possible, since you can publish a new key under a fresh selector and retire the old one without interrupting mail.
What is the difference between DKIM, SPF, and DMARC?
SPF verifies that the connecting server is authorized to send for the domain. DKIM uses a cryptographic signature to verify the message was not altered and came from the signing domain. DMARC ties the two together by checking that an authenticated domain aligns with the visible From address and tells receivers what to do when authentication fails. Major providers now expect all three.
How long does it take for a DKIM record to propagate?
After you publish or change a DKIM record, propagation usually takes a few minutes to a few hours, though full global propagation can run up to 24 to 48 hours depending on your provider and TTL settings. Lowering the TTL before you make changes speeds future updates, and you can re-run the check above until the new key appears.
How does DKIM work?
DKIM uses a pair of keys. Your sending platform keeps a private key and uses it to add an encrypted signature to the headers and body of every message. The matching public key is published in your DNS as the DKIM record. When a receiver gets the message, it fetches that public key, recomputes the signature, and confirms the mail was genuinely signed by your domain and was not altered in transit.
Is DKIM required to send email?
The email protocol itself does not require it, but in practice it is now a baseline. Since 2024, Google and Yahoo require DKIM for bulk senders, and most major providers treat unsigned mail as less trustworthy. For any domain that sends real volume, a valid DKIM key is effectively mandatory if you want reliable inbox placement.
Does DKIM stop email spoofing on its own?
No. DKIM proves a message was signed by your domain and not changed, but it does not tell receivers what to do when a signature is missing or fails, and on its own it does not protect the visible From address. DMARC adds that missing piece by checking that the DKIM domain aligns with the From domain and by telling receivers to quarantine or reject mail that fails. DKIM is necessary but not sufficient by itself.
How often should I rotate my DKIM key?
A common practice is to rotate DKIM keys once or twice a year, and immediately if you suspect the private key was exposed. Rotating limits the damage a leaked key could do and keeps your signing current. Do it with overlapping selectors: publish a new key under a new selector, switch signing to it, confirm live mail passes, then retire the old record after a safe overlap.