DKIM Checker
Look up and verify DKIM (DomainKeys Identified Mail) DNS records for any domain and selector
Frequently Asked Questions
{selector}._domainkey.{domain}. The sending mail server includes the selector in the DKIM-Signature email header so receivers know which key to use. Common selectors include google, selector1, default, and date-based selectors like 20230601. You can find yours in your email provider's DKIM setup page.p= tag is empty (e.g. v=DKIM1; p=). An empty public key tells receivers to treat all signatures under this selector as invalid. This is the recommended way to retire an old DKIM key — publish the record with p= empty rather than deleting the DNS entry, which helps receivers distinguish "key rotated" from "DKIM not configured".k=ed25519) — they are smaller, faster, and considered more secure, though not yet supported by all mail servers. Rotate DKIM keys at least annually as a best practice.DKIM-Signature header. The corresponding public key is published in DNS as a TXT record at {selector}._domainkey.{domain}. When a receiving mail server gets the email, it fetches the public key from DNS and uses it to verify the signature — confirming the email wasn't altered in transit and came from a server with access to the private key.
DKIM-Signature header of every signed email (as the s= tag), telling receivers which DNS record to query for the public key. Selectors are critical for: (1) key rotation — you can publish a new key under a new selector before retiring the old one; (2) multiple senders — different services (ESP, CRM, your own servers) can each have their own selector and key pair. Common selectors: google, selector1, default, s1, date-based like 20230601.
DKIM-Signature header in a sent email. In Gmail, open an email you sent, click the three-dot menu and select "Show original" — look for the DKIM-Signature header and find the s= tag (e.g. s=google or s=20230601). In Outlook, open an email and view message source. Alternatively, check your email provider's admin panel: Google Workspace lists selectors under Apps → Gmail → Authenticate Email; Microsoft 365 under Exchange Admin Center → Protection → DKIM. Use this tool's auto-discover mode (leave the selector blank) to try 12 common selectors automatically.
k=ed25519 in the DNS record) — they offer equivalent security to 3072-bit RSA in a much smaller key size, resulting in shorter DNS records. The downside is Ed25519 is not yet supported by all mail servers. As a best practice, rotate your DKIM keys at least annually and immediately after any security incident involving your private key.
Authentication-Results header to the email. To view it: in Gmail, open the email, click the three-dot menu → "Show original". Look for the Authentication-Results header — it will show something like dkim=pass header.i=@example.com (success) or dkim=fail (failure). A DKIM pass confirms the email's signature verified correctly. A DKIM fail can mean the private/public keys don't match, the message was modified in transit, or the DNS record has been deleted/changed. Use our DKIM Checker to verify the public key is still in DNS.
About This DKIM Checker
This free DKIM Checker queries the DNS TXT record at {selector}._domainkey.{domain}. Leaving the selector blank triggers auto-discovery — the tool checks 12 common selectors (google, mail, default, dkim, k1, s1, s2, and more) and reports every active one it finds. Each discovered record is fully parsed to show key type, approximate key length, flags, and allowed hash algorithms.
When to use this tool
- Verify that DKIM is correctly configured for a domain
- Check key type (RSA vs Ed25519) and approximate key strength
- Discover all active DKIM selectors without knowing them in advance
- Confirm that a key has not been revoked (empty
p=tag)
DKIM Tag Reference
| Tag | Name | Description |
|---|---|---|
v | Version | Always DKIM1 |
k | Key Type | rsa (default) or ed25519 |
p | Public Key | Base64-encoded key; empty = revoked |
t | Flags | y = testing mode; s = no subdomain signing |
h | Hash Algorithms | Accepted algorithms (e.g. sha256) |
s | Service Type | email = email only; * = all |
The Email Authentication Stack
DKIM is the cryptographic layer of email authentication. Combined with SPF, DMARC, and BIMI it forms a complete protection and branding chain for your domain.
| Protocol | What it authenticates | DNS Record | Our Tool |
|---|---|---|---|
| SPF | The sending server's IP address is authorized to send for the domain | TXT at root domain |
SPF Lookup & Generator |
| DKIM | The message was cryptographically signed by an authorized sender and not altered | TXT at {selector}._domainkey.{domain} |
This tool |
| DMARC | SPF/DKIM alignment with the visible From: header — sets enforcement policy and reporting |
TXT at _dmarc.{domain} |
DMARC Lookup & Generator |
| BIMI | Displays the domain's brand logo in supporting email clients once SPF, DKIM, and DMARC all pass | TXT at default._bimi.{domain} |
BIMI Lookup & Generator |
| MX | Where inbound email for the domain should be delivered | MX at root domain |
MX Lookup |
Related Articles
View all articles
DKIM Key Length and Algorithm: Why "Still Validates" Doesn't Mean "Still Recommended"
A DKIM key generated five years ago might still be using RSA-1024 — a length that was acceptable then but has since been "softly" deprecated by major providers, even though signatures using it still technically validate. Here's how to identify your key's algorithm and length from its DNS record, why Ed25519 is the emerging alternative (and why dual-key signing addresses its adoption gap), and why this migration follows the same process as any DKIM key rotation.
DKIM, Mailing Lists, and Forwarding: Why Signatures Break and How ARC Tries to Help
A correctly signed email can fail DKIM verification at the recipient simply because a mailing list added an unsubscribe footer — modifying the signed content. Here's why mailing lists and forwarding break DKIM, how ARC (Authenticated Received Chain) was designed to preserve authentication results through intermediaries, and why SPF and DKIM respond differently to forwarding.
The Complete Email Authentication Audit: How to Check SPF, DKIM, DMARC, PTR, and BIMI
Most organisations have never systematically audited their full email authentication stack. Here's the complete 8-step process: inventorying all sending services, auditing SPF, DKIM, DMARC, PTR, and BIMI, sending a test to verify all pass, and setting up ongoing monitoring.
DKIM Key Rotation, Multiple Selectors, and Debugging Silent Failures
DKIM breaks silently and the symptoms look like spam problems. Here's key rotation without disruption, why DKIM alignment matters for DMARC, multiple selectors for multiple sending sources, and how to debug the most common failure modes.
DKIM Checker — Verify Your Domain's Email Signing Key in DNS
Learn how DKIM works, what a DKIM DNS record contains, how to find your selector, and how to use a free DKIM checker to verify your email signing key is correctly published.
