What is a DKIM record?
DKIM, short for DomainKeys Identified Mail, is an email authentication standard defined in RFC 6376. It lets a sending server attach a cryptographic signature to every message, which receiving servers verify against a public key the domain owner publishes in DNS. A DKIM record is that public key, stored as a TXT record at a special hostname built from a selector and your domain, in the form selector._domainkey.example.com.
The signature proves two things at once. It confirms the message genuinely came from a server authorized by the domain, and it confirms the signed headers and body were not altered in transit. Since 2024 the largest mailbox providers expect SPF, DKIM, and DMARC to be in place before they will reliably deliver bulk mail, which makes a correctly published DKIM key a baseline requirement rather than an optional extra.
How DKIM signing and verification work
DKIM uses a key pair. The private key stays on the sending platform and is never published. The matching public key is published in DNS for anyone to read. The two halves let a receiver confirm a signature without the sender ever exposing the secret.
- Signing. The sending server hashes the chosen headers and the body, signs that hash with the private key, and adds a
DKIM-Signatureheader that records the domain, the selector, and the signed fields. - Selector lookup. The receiver reads the
d=domain ands=selector from the signature, then queries DNS for the public key atselector._domainkey.domain. - Verification. Using that public key, the receiver recomputes the hash and checks the signature. A match passes DKIM and tells the receiver the message is authentic and unmodified.
- Alignment. DMARC then checks that the DKIM
d=domain aligns with the visible From address, which is what turns a passing signature into spoofing protection.
DKIM selectors explained
A selector is a short label that lets one domain publish more than one DKIM key at the same time. Each sending service you use, whether a mailbox provider or a marketing platform, gets its own selector and its own key, so the records never collide. Common selectors include google, selector1, selector2, s1, k1, and default, but your provider may use something custom.
To find the selector you are actually using, open a message you sent, view the original or full headers, and read the s= tag inside the DKIM-Signature line. Google Workspace and Microsoft 365 also show the active selector in their authentication settings. Once you know it, enter it in the checker above so the lookup targets the exact key your mail is signed with.
Common DKIM problems
- No record at the selector. The most common failure is simply that no key is published for the selector being checked. Confirm the selector is correct and that DNS has finished propagating.
- Truncated key. DNS limits each quoted TXT string to 255 characters, so a 2048-bit key must be split into chunks. If a panel stores it as one string, the key is cut off and verification fails.
- Revoked key. A record with an empty
p=tag signals a revoked key. Receivers treat the selector as withdrawn and any mail signed with it fails. - Weak key length. Keys shorter than 2048 bits are flagged as weak and can fail intermittently. A 1024-bit key still validates but should be rotated up.
- Testing flag left on. A
t=ytag tells receivers the domain is still testing DKIM, so they may not enforce it. Remove it once you trust your signing.
Key length and rotation
RFC 8301 requires signers to use at least 1024-bit RSA keys and recommends 2048-bit keys, which is also the guidance Google and Microsoft give their senders. Longer keys resist forgery for longer, and rotating them on a schedule limits the damage if a private key is ever exposed. Work through a rotation like this, then re-scan to confirm the new selector resolves.
- Generate a fresh key pair. Create a new 2048-bit key in your sending platform under a new selector so the existing one keeps working untouched.
- Publish the new public key. Add the new
selector._domainkeyTXT record in DNS and confirm it resolves before changing anything on the sending side. - Switch signing to the new selector. Tell your platform to sign with the new key, then verify live mail is passing DKIM on the new selector.
- Retire the old key. After a safe overlap that covers any in-flight or cached messages, remove the old record so only the current key remains.
DKIM proves a message was not tampered with, but it only protects your From address once it is paired with SPF and a DMARC policy that enforces alignment. To see how all three score together, run the sender reputation checker.