Free DKIM Record Checker
Verify your DKIM keys and selector configuration to ensure email integrity.
What Is DKIM and Why Does It Matter?
DomainKeys Identified Mail (DKIM) is an email authentication standard that uses public-key cryptography to verify that an email message was sent by the domain it claims to be from and that the message content was not altered in transit. When an email is sent, the sending server creates a digital signature using a private key and adds it to the email header. The receiving server then retrieves the corresponding public key from DNS (using the selector specified in the DKIM-Signature header) and verifies the signature. If the signature validates, DKIM passes. A valid DKIM signature is one of the two pathways to DMARC alignment, making it essential for email authentication enforcement.
What Our DKIM Checker Validates
Enter your domain and DKIM selector, and our tool performs a DNS lookup for the TXT record at selector._domainkey.yourdomain.com. It validates the public key format (RSA or Ed25519), key length (flagging 1024-bit keys as weak and recommending 2048-bit as the minimum standard), required tags (v=DKIM1, k=, p=), and optional tags (t=, h=, s=). The tool specifically detects truncated keys — a common issue when DNS providers split long TXT records incorrectly — and keys that fail base64 decoding due to formatting errors or copy-paste corruption.
Common DKIM Issues and How to Fix Them
The most frequent DKIM failure is a truncated or incorrectly split public key. DNS TXT records have a 255-character string limit per segment, and the key must be split across multiple segments enclosed in double quotes. If your DNS host does not handle this correctly, the key appears malformed to receiving servers. Other common issues include: using a revoked or rotated selector where the old key has been removed but sending infrastructure still references it, weak 512-bit or 768-bit keys that some receivers reject outright, and missing or empty p= tags (which indicate a revoked key). Our checker identifies all of these with clear remediation steps.
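The checks described in the two sections above (joining split TXT segments, detecting an empty p=, base64 failures, truncated keys and short RSA keys) can be sketched as follows. This is an added example, not the code behind this tool; the function names, status strings and the `sample_p` helper are hypothetical, and the sample keys are constructed with a made-up modulus.

```python
# Added example; function names and status strings are illustrative.
import base64, binascii, re

def _tlv(buf, pos):
    """Return (content_start, content_end) of the DER element at pos."""
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits count the length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("DER element runs past end of data")
    return pos, pos + n

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (decoded p=)."""
    s, _ = _tlv(der, 0)      # outer SEQUENCE
    _, e = _tlv(der, s)      # AlgorithmIdentifier
    s, _ = _tlv(der, e)      # BIT STRING
    s, _ = _tlv(der, s + 1)  # skip unused-bits byte, enter RSAPublicKey
    s, e = _tlv(der, s)      # INTEGER modulus
    return int.from_bytes(der[s:e], "big").bit_length()

def check_dkim_txt(rdata):
    """rdata: TXT value as in a zone file, one or more quoted segments."""
    segs = re.findall(r'"([^"]*)"', rdata)
    record = "".join(segs) if segs else rdata  # segments join with no separator
    parts = (item.partition("=") for item in record.split(";"))
    tags = {n.strip(): "".join(v.split()) for n, sep, v in parts if sep}
    if not tags.get("p"):
        return "revoked"  # missing or empty p=
    try:
        der = base64.b64decode(tags["p"], validate=True)
        if tags.get("k", "rsa") != "rsa":
            return "unchecked-key-type"  # only RSA length is measured here
        bits = rsa_bits(der)
    except binascii.Error:
        return "bad-base64"
    except (ValueError, IndexError):
        return "truncated"
    return "ok" if bits >= 2048 else "weak-%d" % bits

def sample_p(bits):  # constructed sample: SPKI around a made-up modulus
    def enc(tag, body):
        n, k = len(body), (len(body).bit_length() + 7) // 8
        ln = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
        return bytes([tag]) + ln + body
    mod = b"\x00" + ((1 << bits) - 1).to_bytes(bits // 8, "big")
    rsa = enc(0x30, enc(0x02, mod) + enc(0x02, b"\x01\x00\x01"))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID
    return base64.b64encode(enc(0x30, alg + enc(0x03, b"\x00" + rsa))).decode()
```

A key cut at a point that leaves invalid base64 is reported as `bad-base64`, while a cut that still decodes is caught by the DER length check and reported as `truncated`.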
DKIM Key Rotation Best Practices
Key rotation is a critical but often neglected security practice. If a DKIM private key is compromised, an attacker can sign emails that pass DKIM authentication for your domain. By rotating keys periodically (at least annually), you limit the exposure window. The rotation process involves generating a new key pair, publishing the new selector in DNS, updating your sending infrastructure to sign with the new key, confirming the new selector resolves correctly with this checker, and then removing the old selector from DNS. Use our DKIM Generator to create new key pairs for rotation.
Tag Reference
The following tags/parameters are checked or generated by this tool:
| Tag | Description |
| --- | --- |
| v=DKIM1 | DKIM version tag. Recommended but technically optional. Identifies the record as a DKIM key. |
| k=rsa | Key type. RSA is the most widely supported. Ed25519 is supported by some newer implementations. |
| p= | Public key data encoded in base64. A missing or empty p= tag indicates the key has been revoked. |
| t=y | Testing flag. Indicates the domain is testing DKIM and receivers should not treat failures differently. |
| t=s | Strict mode. The signing domain (d=) must exactly match the From header domain. No subdomain matching. |
| h=sha256 | Hash algorithm. SHA-256 is the current standard. SHA-1 is deprecated and should be avoided. |
| s=email | Service type restriction. Limits this key to email use only (default is * for all services). |
