Free DKIM Record Checker
Check any DKIM record in seconds — no selector needed. Enter your domain and the tool automatically discovers your published DKIM selectors, then validates each key and flags weak, truncated, or revoked keys.
How to Find Your DKIM Selector (by Email Provider)
This checker discovers your selectors automatically — enter your domain and pick from the list. But if you're checking a domain with no discoverable selectors, or you want to verify a specific mail stream, these are the common defaults by provider:
Email provider | Default DKIM selector(s) |
|---|---|
Google Workspace | google |
Microsoft 365 | selector1/selector2 |
Mailchimp | k1 |
SendGrid | s1/s2 |
Amazon SES | Three randomized selectors (check your SES console under verified identities) |
Klaviyo | |
HubSpot | |
Brevo | |
Postmark | Randomized string ending in |
Zoho Mail | Custom — commonly |
If your selector isn't in the table or the discovered list, open any email sent from your domain, view the full headers, and find the s= tag inside the DKIM-Signature header. Each sending service — say, Microsoft 365 for regular mail and Mailchimp for newsletters — has its own selector, and this tool checks each one.
What Is DKIM and Why Does It Matter?
DomainKeys Identified Mail (DKIM) is an email authentication standard that uses public-key cryptography to verify that an email message was sent by the domain it claims to be from and that the message content was not altered in transit. When an email is sent, the sending server creates a digital signature using a private key and adds it to the email header. The receiving server then retrieves the corresponding public key from DNS (using the selector specified in the DKIM-Signature header) and verifies the signature. If the signature validates, DKIM passes. A valid DKIM signature is one of the two pathways to DMARC alignment, making it essential for email authentication enforcement.
What Our DKIM Checker Validates
Enter your domain and DKIM selector, and our tool performs a DNS lookup for the TXT record at selector._domainkey.yourdomain.com. It validates the public key format (RSA or Ed25519), key length (flagging 1024-bit keys as weak and recommending 2048-bit as the minimum standard), required tags (v=DKIM1, k=, p=), and optional tags (t=, h=, s=). The tool specifically detects truncated keys — a common issue when DNS providers split long TXT records incorrectly — and keys that fail base64 decoding due to formatting errors or copy-paste corruption.
Common DKIM Issues and How to Fix Them
The most frequent DKIM failure is a truncated or incorrectly split public key. DNS TXT records have a 255-character string limit per segment, and the key must be split across multiple segments enclosed in double quotes. If your DNS host does not handle this correctly, the key appears malformed to receiving servers. Other common issues include: using a revoked or rotated selector where the old key has been removed but sending infrastructure still references it, weak 512-bit or 768-bit keys that some receivers reject outright, and missing or empty p= tags (which indicate a revoked key). Our checker identifies all of these with clear remediation steps.
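The checks described in the two sections above (tag parsing, base64 decoding, truncation and key-length detection) can be sketched in Python. This is an added example, not this tool's own code. It assumes the TXT character-strings have already been fetched from DNS; the function names and the sample key, built around a dummy modulus, are constructed for illustration.

```python
import base64

def _tlv(buf, pos):   # read one DER element at pos; return (value, next_pos)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of the modulus in an RSA SubjectPublicKeyInfo."""
    spki, _ = _tlv(der, 0)                     # outer SEQUENCE
    _, pos = _tlv(spki, 0)                     # AlgorithmIdentifier
    bitstr, _ = _tlv(spki, pos)                # BIT STRING
    rsakey, _ = _tlv(bitstr, 1)                # skip the unused-bits octet
    return int.from_bytes(_tlv(rsakey, 0)[0], "big").bit_length()   # INTEGER n

def check_dkim_record(txt_strings):
    """Classify a DKIM key record from its TXT character-strings, in order."""
    pairs = (part.partition("=") for part in "".join(txt_strings).split(";"))
    tags = {k.strip(): "".join(v.split()) for k, sep, v in pairs if sep}
    if not tags.get("p"):
        return "revoked: p= missing or empty"
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "invalid: p= is not valid base64"
    if tags.get("k", "rsa") == "ed25519":      # p= holds the raw 32-byte key
        return "ok: ed25519" if len(der) == 32 else "invalid: ed25519 key length"
    try:
        bits = rsa_modulus_bits(der)
    except (ValueError, IndexError):
        return "truncated: key data ends early"
    return f"{'weak' if bits < 2048 else 'ok'}: {bits}-bit rsa"

def _der(tag, body):                           # minimal DER encoder, sample data only
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = size if len(body) < 128 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_record(bits):   # constructed sample: dummy modulus, not a usable key
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, n) + bytes.fromhex("0203010001"))   # n, e=65537
    alg = bytes.fromhex("300d06092a864886f70d0101010500")           # rsaEncryption
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    rec = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return [rec[i:i + 255] for i in range(0, len(rec), 255)]         # 255-char segments
```

A key cut off at a point that is not a multiple of four base64 characters is reported as a base64 failure rather than as truncated, which is what happens here when the second segment of the 2048-bit sample is dropped.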
DKIM Key Rotation Best Practices
Key rotation is a critical but often neglected security practice. If a DKIM private key is compromised, an attacker can sign emails that pass DKIM authentication for your domain. By rotating keys periodically (at least annually), you limit the exposure window. The rotation process involves generating a new key pair, publishing the new selector in DNS, updating your sending infrastructure to sign with the new key, confirming the new selector resolves correctly with this checker, and then removing the old selector from DNS. Use our DKIM Generator to create new key pairs for rotation.
Tag Reference
The following tags/parameters are checked or generated by this tool:
Tag | Description |
|---|---|
v=DKIM1 | DKIM version tag. Recommended but technically optional. Identifies the record as a DKIM key. |
k=rsa | Key type. RSA is the most widely supported. Ed25519 is supported by some newer implementations. |
p= | Public key data encoded in base64. A missing or empty p= tag indicates the key has been revoked. |
t=y | Testing flag. Indicates the domain is testing DKIM and receivers should not treat failures differently. |
t=s | Strict mode. The signing domain (d=) must exactly match the From header domain. No subdomain matching. |
h=sha256 | Hash algorithm. SHA-256 is the current standard. SHA-1 is deprecated and should be avoided. |
s=email | Service type restriction. Limits this key to email use only (default is * for all services). |
Frequently Asked Questions
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that allows the receiver to check that an email claimed to come from a specific domain was authorized by the owner of that domain, using a cryptographic signature verified against a public key in DNS.
What is a DKIM selector?
A selector is a string that points to a specific DKIM public key record in your DNS, published at selector._domainkey.yourdomain.com. A domain can have multiple selectors for different mail streams.
How do I find my DKIM selector?
Open any email sent from your domain, view the full headers, and find the s= tag in the DKIM-Signature header. Common defaults: google (Google Workspace), selector1/selector2 (Microsoft 365), k1 (Mailchimp), s1/s2 (SendGrid).
Can a domain have multiple DKIM selectors?
Yes. Each email service you use — primary mail, marketing, transactional — can have its own selector and key pair. This is the recommended approach because it allows independent key management per service.
What DKIM key length should I use?
Use 2048-bit RSA keys as the minimum standard. 1024-bit keys are considered weak and should be upgraded. Some organizations use 4096-bit, though not all DNS providers support the larger TXT records.
Why does my DKIM check show key not found?
No TXT record exists at the selector._domainkey path. Verify the selector name is correct, confirm the DNS record is published, and allow up to 48 hours for propagation if recently added.
What does a revoked DKIM key look like?
A revoked DKIM key has an empty p= tag. This intentionally invalidates the selector, telling receiving servers that signatures using it should no longer be trusted.
How do I check if DKIM is working?
Use a DKIM checker to confirm the public key is published correctly in DNS, then send a test email to a Gmail account and use Show Original to confirm the DKIM result says PASS.
Is DKIM required by Gmail and Yahoo?
Yes for bulk senders. Since February 2024, Google and Yahoo require both SPF and DKIM for senders of 5,000+ daily messages, plus a DMARC policy. Smaller senders need at least one, but DKIM is recommended for all because it survives forwarding.
What is the difference between DKIM, SPF, and DMARC?
SPF lists which servers may send mail for your domain, DKIM cryptographically signs each message to prove integrity, and DMARC tells receivers what to do when messages fail and sends reports on who is sending as your domain.
