DKIM Checker
Check the DKIM public key for any domain + selector — see key type, flags, and revocation status.
About the DKIM record checker
DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email that lets receivers verify the message wasn't modified in transit and that it really came from a server authorized by your domain. The signature is generated with a private key held by your sending infrastructure; the matching public key lives in DNS at `<selector>._domainkey.<domain>`.
This checker fetches that TXT record for a given domain and selector, parses the public-key blob, validates that it's well-formed RSA or Ed25519, and reports the key length. It catches the three most common DKIM problems: a missing selector (mail signed but the signature can't be verified), a truncated key (most TXT-record providers split keys at 255 chars and some misjoin them), and a revoked key still in DNS.
Use it when you've just rotated keys, when a deliverability tool reports DKIM failures, or when you want to verify a vendor's setup matches what they told you.
How it works
- Resolves the TXT record at `<selector>._domainkey.<domain>`.
- Parses the DKIM public-key tags per RFC 6376: `v=`, `k=`, `t=`, `p=`.
- Validates the public-key blob as base64-decodable and as a valid RSA or Ed25519 public key.
- Reports key length (1024, 2048, or 4096 for RSA; 256 for Ed25519) and flags 1024-bit keys as legacy.
- Detects revocation (empty `p=` value), test mode (`t=y`), and absent selectors.
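The parsing steps above in Python, as an added example that is not this checker's own code. It takes the TXT record's character-strings as a resolver returns them (the DNS lookup is left out) and reads the RSA modulus length by walking the DER directly; the names `tlv`, `rsa_bits` and `check_dkim_key` and the shape of the returned dictionary are assumptions made for this example.

```python
import base64

def tlv(buf, i):
    """Read one DER tag/length at offset i; return (tag, value_start, value_end)."""
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:                          # long form: low 7 bits = count of length bytes
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    if i + n > len(buf):
        raise ValueError("DER length runs past the end of the key")
    return tag, i, i + n

def rsa_bits(spki):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the usual p= payload)."""
    _, seq, _ = tlv(spki, 0)              # outer SEQUENCE
    _, _, alg_end = tlv(spki, seq)        # AlgorithmIdentifier, skipped
    tag, bitstr, _ = tlv(spki, alg_end)   # BIT STRING wrapping RSAPublicKey
    _, key, _ = tlv(spki, bitstr + 1)     # +1 skips the unused-bits byte
    mtag, start, end = tlv(spki, key)     # first INTEGER is the modulus
    if (tag, mtag) != (0x03, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(spki[start:end], "big").bit_length()

def check_dkim_key(txt_strings):
    """Classify a DKIM key record from the character-strings of its TXT record."""
    record = "".join(txt_strings)         # strings are joined with no separator
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())   # drop folding whitespace
    out = {"test_mode": "y" in tags.get("t", "").split(":"), "bits": None, "status": "invalid"}
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return out
    if tags["p"] == "":
        return {**out, "status": "revoked"}               # empty p= means revoked
    ktype = tags.get("k", "rsa")          # k= defaults to rsa when absent
    try:
        key = base64.b64decode(tags["p"], validate=True)
        if ktype == "ed25519" and len(key) == 32:
            out["bits"] = 256             # RFC 8463: p= is the raw 32-byte key
        elif ktype == "rsa":
            out["bits"] = rsa_bits(key)
    except (ValueError, IndexError):      # bad base64 or DER cut short: truncated key
        return out
    if out["bits"]:
        out["status"] = "legacy" if ktype == "rsa" and out["bits"] <= 1024 else "ok"
    return out
```

A key that was cut at a base64 group boundary still decodes cleanly, so it is the DER length check in `tlv` that reports it as invalid rather than the base64 decoder.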
Frequently asked questions
What is a DKIM record?
A DKIM record is a TXT DNS record at `<selector>._domainkey.<your-domain>` that holds the public key matching the private key your mail server uses to sign outgoing messages. Receivers fetch this public key to verify the signature on each incoming message.
What is a DKIM selector?
The selector is a label that lets you publish multiple DKIM keys for the same domain — e.g. one per sending service, one per rotation generation. Sending servers stamp the selector into the `s=` tag of each signature so receivers know which DNS record to fetch. Common selectors: `google` for Google Workspace, `s1`/`s2` for many ESPs, `selector1`/`selector2` for Microsoft 365.
How do I find my DKIM selector?
Check the `s=` tag in the `DKIM-Signature` header of any email you've sent — most email clients can show full headers. Alternatively, your sending provider's docs list the selectors they use. There's no way to guess every selector in DNS; you have to know which one(s) your sender uses.
Should I use 1024-bit or 2048-bit DKIM keys?
2048-bit. Google deprecated 1024-bit keys for compliance with the NIST SP 800-57 guidance, and most modern senders default to 2048. Some older DNS providers can't store 2048-bit keys in a single TXT segment — you may need to publish the key as multiple quoted strings concatenated by the resolver.
Why does my DKIM check fail?
Common causes: (1) wrong selector queried; (2) provider hasn't published the public key yet (wait for DNS TTL); (3) the TXT record was split incorrectly when entered into a DNS UI that doesn't handle long values; (4) the key has been revoked (empty `p=`); (5) the DKIM signature in the email used a different domain in its `d=` tag than the one being checked.