DKIM Checker — Verify Your Domain's Email Signing Key in DNS

Learn how DKIM works, what a DKIM DNS record contains, how to find your selector, and how to use a free DKIM checker to verify your email signing key is correctly published.

By sadiqbd · June 6, 2026


DKIM is the digital signature that proves your emails weren't tampered with

When an email arrives in someone's inbox, the receiving server has no inherent way to verify that it genuinely came from the domain it claims to come from — or that it wasn't modified in transit. DomainKeys Identified Mail (DKIM) solves this. It cryptographically signs outgoing emails, and receiving servers use a public key published in DNS to verify the signature.

A DKIM checker looks up your domain's DKIM public key records in DNS and confirms whether they're correctly published and readable.


How DKIM Works

DKIM uses public-key cryptography:

  1. Your sending mail server holds a private key. When sending an email, it hashes selected email headers and the body, then signs the hash with the private key.

  2. The signature is added to the email as a DKIM-Signature header. It looks like:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
  s=selector1; h=from:to:subject:date; bh=...; b=...

Key fields:

  • d= — the signing domain
  • s= — the selector (a label pointing to the specific DNS record with the public key)
  • bh= — hash of the email body
  • b= — the cryptographic signature itself

  3. The receiving server takes the d= and s= values, constructs the DNS lookup: [selector]._domainkey.[domain] (e.g. selector1._domainkey.example.com), retrieves the public key, and uses it to verify the signature.

  4. If verification passes: the email genuinely came from the domain and wasn't modified in transit.

  5. If verification fails: the email is treated as suspicious — it may be spam, phishing, or tampered.
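
An added example (not part of the original article or the sadiqbd.com tool) of the receiver-side steps above: it parses the DKIM-Signature tags, builds the [selector]._domainkey.[domain] query name, and recomputes bh= using the relaxed body canonicalization defined in RFC 6376, which the article only names through c=relaxed/relaxed. The message and header are constructed samples, the function names are illustrative, and the b= signature over the headers is not verified here.

```python
import base64
import hashlib
import re

def parse_tags(header_value):
    """Split a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def key_query_name(tags):
    """DNS name the receiver queries for the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def relaxed_body_hash(body):
    """Value of bh= for relaxed body canonicalization with SHA-256."""
    # Collapse runs of spaces/tabs to one space and drop whitespace at line ends.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":        # trailing empty lines are ignored
        lines.pop()
    canon = b"".join(ln + b"\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def body_intact(header_value, body):
    """True when the body still hashes to the bh= value the sender signed."""
    return parse_tags(header_value)["bh"] == relaxed_body_hash(body)

# Constructed sample message; b= is left elided as in the article's header.
BODY = b"Hello,\r\n\r\nInvoice total: 100 USD\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
       "  s=selector1; h=from:to:subject:date; bh=" + relaxed_body_hash(BODY) + "; b=...")

if __name__ == "__main__":
    print(key_query_name(parse_tags(SIG)))
    print(body_intact(SIG, BODY))                              # unmodified body
    print(body_intact(SIG, BODY.replace(b"100", b"900")))      # altered in transit
```

Whitespace-only changes at line ends or extra blank lines at the end of the body do not change the relaxed hash; any change to the visible content does.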


The DKIM DNS Record

A DKIM public key is published as a TXT record at [selector]._domainkey.[domain].

Example record:

selector1._domainkey.example.com  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."

Field      Meaning
v=DKIM1    DKIM version
k=rsa      Key type (RSA or ed25519)
p=         The Base64-encoded public key

A record with p= empty (p=) means the key has been revoked.


How to Use the DKIM Checker on sadiqbd.com

  1. Enter your domain — e.g. example.com
  2. Enter your DKIM selector — the selector name used by your mail provider

Finding your selector: Send yourself an email, view the full headers, and look for the DKIM-Signature header. The s= value is your selector. Common selectors by provider:

  • Google Workspace: google
  • Mailchimp: k1
  • SendGrid: s1, s2
  • Amazon SES: varies
  • Microsoft 365: selector1, selector2

  3. Run the lookup — the tool queries [selector]._domainkey.[domain]
  4. Read the result — the public key record is displayed, or an error if not found

What the Results Mean

Record found with a valid public key (p= populated): DKIM is correctly configured. Your emails signed with this selector can be verified by receiving servers.

Record found but p= is empty: The key has been explicitly revoked. Emails signed with this selector will fail DKIM verification. You need to rotate to a new selector and key.

Record not found: Either the selector name is wrong, the record hasn't propagated yet, or DKIM isn't configured. Check your mail provider's admin panel for the correct selector and DNS record to publish.

Key too short (512-bit or 768-bit): RSA keys shorter than 1,024 bits are considered weak and are rejected by many receiving servers (including Gmail). DKIM keys should be at least 1,024 bits; 2,048-bit keys are recommended for new implementations.


DKIM Key Rotation

DKIM keys should be rotated periodically — a recommended practice every 6–12 months for active sending domains. The rotation process:

  1. Generate a new key pair
  2. Publish the new public key in DNS under a new selector (e.g. selector2._domainkey.example.com)
  3. Configure your mail server to sign outgoing emails with the new private key and new selector
  4. Allow both selectors to coexist in DNS until mail in flight with the old key has cleared (a few days)
  5. Remove the old selector's DNS record (or set p= to empty to explicitly revoke it)

Key rotation limits the window of exposure if a private key is ever compromised.


DKIM in the Authentication Stack

DKIM is one of three layers of email authentication:

Standard   What it does
SPF        Verifies the sending IP is authorised to send for the domain
DKIM       Verifies the email wasn't modified in transit and was signed by the domain
DMARC      Ties SPF and DKIM together with a policy and reporting mechanism

DMARC requires at least one of SPF or DKIM to pass, and the domain in the From: header must be aligned with the authenticated domain. DKIM passing with domain alignment is the stronger authentication signal — SPF only verifies the envelope sender, which recipients don't see.


Common DKIM Issues

Multiple TXT records for the same selector. Some DNS providers allow multiple TXT records at the same name. DKIM requires exactly one — multiple records cause lookup failures. Consolidate into a single record if this occurs.

Oversized public key split across records. 2,048-bit RSA keys Base64-encode to more than 255 characters, which exceeds the length limit of a single string in a DNS TXT record. The key must be split into multiple quoted strings within the same TXT record. Some DNS providers handle this automatically; others require manual splitting.

DKIM configured on the ESP but DNS not updated. The most common issue: your email service provider has DKIM set up internally, but the public key DNS record hasn't been added to your domain's authoritative DNS. The checker reveals this immediately.
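
An added example (not the sadiqbd.com checker's code) that classifies the TXT data found at a selector name into the outcomes described under "What the Results Mean" and the multiple-record and split-string issues above. The DNS lookup itself is left out; `check_dkim`, `rsa_bits` and `sample_record` are illustrative names, and the sample keys are constructed with a made-up modulus rather than taken from a real domain.

```python
import base64

def _tlv(buf, i):
    """Read one DER element at offset i -> (tag, value_start, value_end)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + length

def rsa_bits(spki):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    _, seq, _ = _tlv(spki, 0)                # outer SEQUENCE
    _, _, alg_end = _tlv(spki, seq)          # AlgorithmIdentifier
    _, bitstr, _ = _tlv(spki, alg_end)       # BIT STRING wrapping RSAPublicKey
    _, key, _ = _tlv(spki, bitstr + 1)       # +1 skips the unused-bits byte
    _, n0, n1 = _tlv(spki, key)              # INTEGER modulus
    return int.from_bytes(spki[n0:n1], "big").bit_length()

def check_dkim(txt_records):
    """txt_records: one list of character-strings per TXT record found at the name."""
    if len(txt_records) != 1:
        return "not found" if not txt_records else "multiple records"
    record = "".join(txt_records[0])         # split strings concatenate with no separator
    tags = {k.strip(): "".join(v.split())
            for k, _, v in (t.partition("=") for t in record.split(";")) if k.strip()}
    if "p" not in tags:
        return "malformed"
    if tags["p"] == "":
        return "revoked"
    if tags.get("k", "rsa") != "rsa":
        return "ok"                          # e.g. ed25519: fixed size, nothing to measure
    try:
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return "malformed"
    return "ok" if bits >= 1024 else "weak key"

def _der(tag, body):                         # minimal DER encoder, used for sample data only
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):  # constructed: valid SPKI layout, made-up modulus, not a real key
    n = (1 << (bits - 1)) | 1
    rsa = _der(0x30, _der(0x02, b"\0" + n.to_bytes(bits // 8, "big")) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    rec = "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(0x03, b"\0" + rsa))).decode()
    return [rec[i:i + 255] for i in range(0, len(rec), 255)]   # split as a DNS TXT must be
```

Feed it the strings returned by your resolver for [selector]._domainkey.[domain], keeping each TXT record as its own list so that duplicates at the same name are detected.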


Frequently Asked Questions

Can I have multiple DKIM records? Yes — but not multiple records for the same selector. Different selectors (e.g. for different sending services) can coexist in DNS simultaneously. Each ESP typically uses its own selector.

Does DKIM prevent email spoofing? DKIM prevents message tampering and verifies the signing domain. Combined with DMARC, it prevents spoofing of the From header domain. Without DMARC, DKIM alone doesn't stop someone from using a lookalike domain.

What happens if DKIM fails? The receiving server's behaviour depends on the DMARC policy. With p=none, the email is delivered but flagged. With p=quarantine, it goes to spam. With p=reject, it's bounced. Without DMARC, DKIM failure typically results in the email being treated as suspicious.

How long after publishing the DKIM record does it take effect? DNS propagation can take up to 48 hours, though usually much faster. After propagation, receiving servers will begin verifying DKIM signatures against the new record immediately.

Is the DKIM checker free? Yes — completely free, no sign-up required.


DKIM is a foundational component of email trust infrastructure. The checker confirms in seconds whether your public key is correctly published and readable — a quick diagnostic that catches misconfigurations before they quietly damage your deliverability.

Try the DKIM Checker free at sadiqbd.com — verify your DKIM record is correctly published for any domain and selector.
