DKIM Checker
Look up and verify DKIM (DomainKeys Identified Mail) DNS records for any domain and selector
Try:
Common selectors:
Frequently Asked Questions
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic digital signature to outgoing emails. The private key signs the message headers; the public key is published in DNS as a TXT record. Receiving mail servers verify the signature using the public key, confirming the email wasn't altered in transit and genuinely came from your domain.
A selector is a label that allows a domain to publish multiple DKIM public keys simultaneously. The DKIM DNS record is stored at
{selector}._domainkey.{domain}. The sending mail server includes the selector in the DKIM-Signature email header so receivers know which key to use. Common selectors include google, selector1, default, and date-based selectors like 20230601. You can find yours in your email provider's DKIM setup page.A DKIM key is considered revoked when the
p= tag is empty (e.g. v=DKIM1; p=). An empty public key tells receivers to treat all signatures under this selector as invalid. This is the recommended way to retire an old DKIM key β publish the record with p= empty rather than deleting the DNS entry, which helps receivers distinguish "key rotated" from "DKIM not configured".For RSA, use at least 2048-bit keys. 1024-bit keys are deprecated and no longer accepted by major providers like Gmail. Google Workspace and Microsoft 365 default to 2048-bit. Alternatively, use Ed25519 keys (
k=ed25519) β they are smaller, faster, and considered more secure, though not yet supported by all mail servers. Rotate DKIM keys at least annually as a best practice.About DKIM Checker
How It Works
This tool queries the DNS TXT record at {selector}._domainkey.{domain}. If you leave the selector blank, it automatically tries 12 common selectors and reports all that have valid DKIM records. Each found record is fully parsed to show version, key type, public key, flags, and hash algorithms.
DKIM Tag Reference
| Tag | Meaning |
|---|---|
v | Version (always DKIM1) |
k | Key type (rsa or ed25519) |
p | Base64-encoded public key |
t | Flags (y=testing, s=no subdomain) |
h | Allowed hash algorithms |
s | Service type (email or *) |
The Email Authentication Stack
DKIM is the cryptographic layer of email authentication. Combined with SPF, DMARC, and BIMI it forms a complete protection and branding chain for your domain.
| Protocol | What it authenticates | DNS Record | Our Tool |
|---|---|---|---|
| SPF | The sending server's IP address is authorized to send for the domain | TXT at root domain |
SPF Lookup & Generator |
| DKIM | The message was cryptographically signed by an authorized sender and not altered | TXT at {selector}._domainkey.{domain} |
This tool |
| DMARC | SPF/DKIM alignment with the visible From: header β sets enforcement policy and reporting |
TXT at _dmarc.{domain} |
DMARC Lookup & Generator |
| BIMI | Displays the domain's brand logo in supporting email clients once SPF, DKIM, and DMARC all pass | TXT at default._bimi.{domain} |
BIMI Lookup & Generator |
| MX | Where inbound email for the domain should be delivered | MX at root domain |
MX Lookup |
