DKIM Record Checker
Look up and validate your domain's DKIM signing key in seconds. This tool queries the DNS record for any selector, parses all tags, checks key size against RFC 8301, and flags common misconfigurations.
How DKIM Works
What is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication protocol defined in RFC 6376. The sending mail server signs outgoing messages (a chosen set of headers plus a hash of the body) with a private key, and the matching public key is published as a DNS TXT record under the signing domain. A receiving server fetches that key, verifies the signature, and so confirms that the signed parts of the message were not altered in transit and that the message was signed by the domain named in the signature's d= tag. DKIM vouches for that signing domain, not for the visible From address; tying the two together is what DMARC adds on top.
DKIM DNS Record Tags
A DKIM public key record is a DNS TXT record published at <selector>._domainkey.<domain>. Its value is a semicolon-delimited list of tag=value pairs.
| Tag | Required | Description |
|---|---|---|
| v | Recommended | Version. Must be DKIM1 if present, and must then be the first tag in the record. Implied when omitted. |
| p | Yes | Base64-encoded public key (for rsa, a DER SubjectPublicKeyInfo; for ed25519, the raw 32-byte key). An empty value means the key has been revoked. |
| k | No | Key type. rsa (default) or ed25519 (RFC 8463). |
| h | No | Colon-separated list of acceptable hash algorithms (e.g. sha256). Defaults to allowing all. |
| s | No | Service type. * (all services, default) or email. |
| t | No | Colon-separated flags. y = testing mode; s = the domain in a signature's i= tag must exactly equal d= (no subdomains). |
| n | No | Human-readable notes. Not interpreted by verifiers. |
Key Size Requirements
RFC 8301 updated DKIM cryptographic requirements:
- RSA keys must be at least 1024 bits. Verifiers must treat signatures made with shorter keys as invalid.
- RSA keys should be at least 2048 bits for long-term security. Most providers now default to 2048-bit keys.
- The rsa-sha1 algorithm is prohibited for both signing and verifying. Signers and verifiers must support rsa-sha256.
- RFC 8463 added Ed25519-SHA256 (k=ed25519 in the DNS record, a=ed25519-sha256 in the signature), which provides strong security with a much smaller key: the published p= value is the raw 32-byte (256-bit) public key rather than a DER structure.
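To make the tag rules above and the RFC 8301 size thresholds concrete, here is an added Python example (not code from this tool or from the RFCs). It joins the TXT character-strings of a record, parses the tags, base64-decodes p=, and for k=rsa walks the DER SubjectPublicKeyInfo with a small hand-written ASN.1 reader to measure the modulus. The sample records are constructed around a synthetic modulus of a chosen bit length; it is not a real RSA key, and only its size matters for the check. Function names such as check_dkim_record and make_record are this example's own.

```python
import base64
import binascii
import re

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return der(0x02, (b"\x00" + body) if body[0] & 0x80 else body)  # keep the INTEGER positive

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_spki(modulus, exponent=65537):
    """Encode an RSA public key as the DER SubjectPublicKeyInfo that p= carries for k=rsa."""
    rsa_pub = der(0x30, der_int(modulus) + der_int(exponent))
    alg = der(0x30, der(0x06, OID_RSA_ENCRYPTION) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))

def rsa_modulus_bits(spki):
    """Walk the SubjectPublicKeyInfo and return the modulus size in bits."""
    tag, body, _ = der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg, pos = der_read(body, 0)
    _, oid, _ = der_read(alg, 0)
    if oid != OID_RSA_ENCRYPTION:
        raise ValueError("p= is not an rsaEncryption key")
    tag, bitstr, _ = der_read(body, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = der_read(bitstr, 1)   # skip the unused-bits octet
    _, modulus, _ = der_read(rsa_pub, 0)  # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(modulus, "big").bit_length()


# --- DKIM record parsing and checks ---
def parse_dkim_record(strings):
    """Join the TXT character-strings (verifiers concatenate them with no separator), then split tag=value pairs."""
    tags = {}
    for part in "".join(strings).split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        k, v = part.split("=", 1)
        tags[k.strip()] = re.sub(r"\s+", "", v)  # folding whitespace inside values is ignored (RFC 6376 3.6.1)
    return tags

def check_dkim_record(strings):
    """Return a list of findings; an empty list means the record passes the RFC 6376 / RFC 8301 checks."""
    findings = []
    tags = parse_dkim_record(strings)
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1 if present")
    if "p" not in tags:
        return findings + ["p= tag missing"]
    if tags["p"] == "":
        return findings + ["key revoked (empty p=)"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except binascii.Error as exc:
        return findings + [f"p= is not valid base64 ({exc}); check how the TXT strings were split"]
    ktype = tags.get("k", "rsa")
    if ktype == "rsa":
        bits = rsa_modulus_bits(key)
        if bits < 1024:
            findings.append(f"RSA key is {bits} bits; RFC 8301 requires verifiers to reject keys under 1024 bits")
        elif bits < 2048:
            findings.append(f"RSA key is {bits} bits; RFC 8301 recommends at least 2048 bits")
    elif ktype == "ed25519":
        if len(key) != 32:
            findings.append(f"ed25519 key must be 32 raw bytes, got {len(key)}")
    else:
        findings.append(f"unknown key type {ktype!r}")
    if "sha1" in tags.get("h", "").split(":"):
        findings.append("h= permits sha1; rsa-sha1 is prohibited by RFC 8301")
    if "y" in tags.get("t", "").split(":"):
        findings.append("testing mode (t=y) is set")
    return findings

def make_record(bits, extra=""):
    """Constructed sample: a record for a synthetic modulus of `bits` bits, cut into 255-octet TXT strings."""
    modulus = (1 << (bits - 1)) | 0x12345 | 1  # not a real RSA modulus; only its size matters here
    p = base64.b64encode(rsa_spki(modulus)).decode()
    value = f"v=DKIM1; k=rsa; {extra}p={p}"
    return [value[i:i + 255] for i in range(0, len(value), 255)]

if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, check_dkim_record(make_record(bits)))
    print("revoked", check_dkim_record(["v=DKIM1; p="]))
```

Run it as a script to see the findings for 512-, 1024- and 2048-bit records and for a revoked key. A real checker would fetch the strings with a DNS library instead of calling make_record; the strings are kept separate until parse time on purpose, because the 255-octet splits a zone file forces are harmless only when they are concatenated with no separator.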
Common DKIM Selectors
Each email provider uses its own DKIM selector. Here are the most common ones:
| Provider | Selector(s) |
|---|---|
| Google Workspace | google |
| Microsoft 365 | selector1, selector2 |
| Amazon SES | *.dkim.amazonses.com (CNAME-based, auto-generated) |
| SendGrid | s1, s2 |
| Mailchimp | k1 |
| Postmark | 20240913 (date-based) |
| Zoho Mail | zoho |
| Fastmail | fm1, fm2, fm3 |
| ProtonMail | protonmail, protonmail2 |
Common DKIM Issues
- Wrong selector
  DKIM records are published under a specific selector. If you query the wrong selector you get no record, even when DKIM is configured correctly. Look at the s= tag of the DKIM-Signature header on a message sent from the domain to find the selector, and at the d= tag for the signing domain; the record lives at <s>._domainkey.<d>.
- Expired or rotated keys
  When keys are rotated, the old selector's record may be removed or revoked (empty p= tag). Mail signed with the old key that is still queued or in transit then fails DKIM verification. Publish the new key before switching signing to it, and keep the old selector's record published until no mail signed with that key can still be in flight.
- Key too short
  RFC 8301 requires verifiers to reject RSA keys shorter than 1024 bits. Legacy 512-bit keys offer no real security: they can be factored cheaply, which lets an attacker forge signatures for the domain. Upgrade to 2048-bit RSA or Ed25519.
- Testing mode left on
  The t=y flag tells verifiers the domain is testing DKIM; RFC 6376 says they must then treat the message no differently from unsigned mail, even if the signature fails. Leaving this flag on in production means DKIM results from the domain carry no weight. Remove it once the deployment is verified.
- DNS record too long
  A single character-string within a TXT record is limited to 255 octets, and the p= value of a 2048-bit RSA key alone is about 392 base64 characters, so such records must be split across multiple quoted strings within the same TXT record. Verifiers concatenate the strings with no separator, so a split is safe at any position. Failures come from publishing the halves as two separate TXT records, from stray quotes or spaces ending up inside the key, or from a provider interface silently truncating the value; decode the p= value to confirm the published key is intact.
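The "wrong selector" advice above is easy to get wrong with folded headers and messages carrying more than one signature, so here is an added Python example (not part of this tool) that unfolds the headers of a constructed message, reads s= and d= from each DKIM-Signature header and builds the name to query. The message and its b=/bh= values are placeholders, not a real signature; the second signature is included to show that a forwarder's signature points at a different selector and domain and, here, uses an algorithm RFC 8301 prohibits.

```python
import re

# Constructed message headers (placeholders, not a real signature). Two signatures are present:
# the originating domain's and one added by a forwarding list that still signs with rsa-sha1.
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=sel2024; h=from:to:subject:date; bh=placeholderbodyhash=;\r\n"
    "\tb=placeholdersignature=\r\n"
    "DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=lists.example.net; s=k1;\r\n"
    "\th=from:subject; bh=placeholderbodyhash=; b=placeholdersignature=\r\n"
    "From: alice@example.com\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "message body\r\n"
)

def parse_tags(value):
    """Split a DKIM tag-list (header or DNS record syntax) into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def dkim_signature_values(raw_message):
    """Yield the value of every DKIM-Signature header after unfolding continuation lines (RFC 5322 2.2.3)."""
    head = re.split(r"\r?\n\r?\n", raw_message, maxsplit=1)[0]   # headers end at the first blank line
    unfolded = re.sub(r"\r?\n[ \t]+", " ", head)                   # a line starting with WSP continues the previous one
    for line in re.split(r"\r?\n", unfolded):
        name, sep, value = line.partition(":")  # only the first colon separates name from value
        if sep and name.strip().lower() == "dkim-signature":
            yield value

def dkim_query_names(raw_message):
    """For each signature, return the selector, signing domain and the DNS name whose TXT record holds the key."""
    results = []
    for value in dkim_signature_values(raw_message):
        tags = parse_tags(value)
        selector, domain = tags.get("s"), tags.get("d")
        if not selector or not domain:
            raise ValueError("DKIM-Signature is missing the required s= or d= tag")
        notes = []
        if tags.get("a") == "rsa-sha1":
            notes.append("signed with rsa-sha1, which RFC 8301 prohibits")
        results.append({
            "selector": selector,
            "domain": domain,
            "name": f"{selector}._domainkey.{domain}",
            "algorithm": tags.get("a"),
            "notes": notes,
        })
    return results

if __name__ == "__main__":
    for r in dkim_query_names(SAMPLE_MESSAGE):
        print(f"dig +short TXT {r['name']}", r["notes"])
```

Each signature has to be looked up separately: a DMARC pass depends on the one whose d= aligns with the From domain, and a forwarder's signature failing says nothing about the originating domain's key. Paste the printed dig commands into a shell to fetch the records.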