DKIM Record Checker

Verify your DKIM key is published correctly, properly formatted, and using strong encryption.

Try common selectors:

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that allows the sender to digitally sign outgoing emails. The receiving server can then verify the signature using a public key published in DNS, confirming that the message was sent by an authorized sender and was not modified in transit.

How DKIM Works

  1. The sending server adds a DKIM-Signature header to outgoing emails, which includes a cryptographic hash of the message content.
  2. The receiving server extracts the selector and domain from the signature header.
  3. It looks up the DKIM public key at [selector]._domainkey.[domain] in DNS.
  4. It uses the public key to verify the signature, confirming the message's authenticity and integrity.

What is a DKIM Selector?

A DKIM selector is a label that allows a domain to have multiple DKIM keys. Each email service you use (Google Workspace, SendGrid, Mailchimp, etc.) typically uses its own selector. Common selectors include google, s1, default, selector1, and k1.

Common DKIM Issues

  • No DKIM record found - The public key is not published in DNS for the given selector. Check that you have the correct selector and that DNS propagation is complete.
  • Weak key length - Keys shorter than 1024 bits are considered weak. We recommend using 2048-bit keys for better security.
  • Key type mismatch - The key type (RSA or Ed25519) must match what your sending server uses to sign messages.
  • Invalid key format - The public key data must be valid base64-encoded content.

Frequently Asked Questions

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic digital signature to outgoing emails, allowing receiving mail servers to verify that a message was genuinely sent by the domain owner and was not tampered with in transit. A DKIM record is a DNS TXT record that publishes the public key used to validate these signatures. As of 2025, major providers like Gmail, Yahoo, and Microsoft Outlook require DKIM authentication for reliable delivery.

Enter your domain name and DKIM selector into our DKIM record checker tool above. The tool performs a DNS lookup for the TXT record at selector._domainkey.yourdomain.com and validates the public key syntax, key length, and required tags. If you do not know your selector, you can find it by viewing the full headers of an email sent from your domain and locating the s= tag within the DKIM-Signature header.

A DKIM selector is a unique identifier string (specified by the s= tag in the DKIM-Signature header) that tells receiving mail servers which public key to retrieve from your domain's DNS records. To find your DKIM selector, open an email you have sent, view the original message source or full headers, and look for the DKIM-Signature field. Common selectors include google, selector1, selector2, k1, or default.

DKIM checks fail for several common reasons: the DKIM public key is missing or incorrectly published in DNS, the DNS record has syntax errors (such as missing tags or truncated key values), the email content or headers were modified in transit by a mail scanner or forwarding service, or there is a domain alignment mismatch between the DKIM signature domain (d= tag) and the visible From header domain.

Yes, you can have multiple DKIM records on the same domain, and it is often necessary. Each DKIM record must use a unique selector to avoid conflicts. Multiple records are required when you use different email sending services (such as Google Workspace, Mailchimp, and SendGrid) that each need their own DKIM key pair. Multiple selectors also enable DKIM key rotation, a security best practice.

After publishing or updating a DKIM record in your DNS, propagation typically takes anywhere from a few minutes to 48 hours, depending on your DNS provider's TTL (Time to Live) settings. In many cases, the record becomes available within 1-2 hours, but it is safest to allow up to 24-48 hours before assuming there is an issue. To speed up future updates, consider lowering the TTL value on your DKIM DNS record in advance of making changes.

Yes, DKIM is now effectively mandatory for email deliverability. Google enforces DKIM requirements for bulk senders, and Microsoft Outlook began rejecting emails without proper SPF, DKIM, and DMARC authentication in 2025. These authentication requirements apply to all commercial senders, making DKIM essential for any organization that sends email.

This error means the DKIM checker could not locate a TXT record at the expected DNS location. Verify that you have published the DKIM record with the correct hostname. A common mistake is DNS providers automatically appending the root domain, creating a malformed entry like selector._domainkey.domain.com.domain.com. Confirm the selector matches what your email service provider specifies, ensure the record type is TXT, and wait up to 48 hours for DNS propagation.

SPF verifies that an email was sent from an authorized IP address for the domain, checking the sending infrastructure. DKIM uses cryptographic signatures to verify that the email content has not been altered in transit, protecting message integrity. DMARC ties SPF and DKIM together by checking that the authenticated domain aligns with the visible "From" address and defines a policy for handling failures. All three protocols work together and are now required by major email providers.

A valid DKIM record is a DNS TXT record published at selector._domainkey.yourdomain.com and contains several required tags: v=DKIM1 (protocol version), k=rsa (key type, with RSA being the most common), and p= followed by the Base64-encoded public key. An example: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA.... The p= tag must contain the complete public key without line breaks or truncation.