DKIM Record Checker
Look up DKIM public keys by selector, verify key sizes against RFC 8301, and check algorithm compliance.
What is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication protocol defined in RFC 6376. It allows a sending mail server to cryptographically sign outgoing messages using a private key. The corresponding public key is published in a DNS TXT record at <selector>._domainkey.<domain>. Receiving servers retrieve the public key, verify the signature, and confirm the message was not altered in transit.
RFC 8301 updated cryptographic requirements: RSA keys must be at least 1024 bits (2048 recommended), and the rsa-sha1 algorithm is prohibited. RFC 8463 added support for Ed25519-SHA256, which provides strong security with much smaller keys (256 bits).
Common issues include using the wrong selector, expired or rotated keys, keys shorter than 1024 bits, and leaving the t=y testing flag on in production. Each provider uses its own selector -- check the s= tag in the DKIM-Signature email header to find the correct one.
DKIM Record Tags
| Tag | Required | Description |
|---|---|---|
| v | Recommended | Version. Must be DKIM1 if present. |
| p | Yes | Base64-encoded public key. Empty value means revoked. |
| k | No | Key type: rsa (default) or ed25519. |
| h | No | Acceptable hash algorithms (e.g. sha256). |
| s | No | Service type: * (all, default) or email. |
| t | No | Flags: y = testing, s = strict alignment. |
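
The checks described above can be reproduced offline. The following Python example is added here and is not the checker's own code: it parses a key record's tags, reads the RSA modulus size out of the DER in p=, and applies the RFC 8301 key-size rule along with the p=, h= and t= checks from the table. The function names, the FAIL/WARN labels and the sample records (valid DER framing around a dummy modulus) are constructed for illustration.

```python
import base64

def parse_tags(txt):  # RFC 6376 tag-list -> {tag: value}, folding whitespace removed
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos):  # read one DER element: (tag, value bytes, offset after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(der):  # modulus size; accepts SubjectPublicKeyInfo or bare RSAPublicKey
    _, seq, _ = _tlv(der, 0)
    if seq[0] == 0x30:  # SPKI: AlgorithmIdentifier, then BIT STRING wrapping the key
        _, _, pos = _tlv(seq, 0)
        _, bitstr, _ = _tlv(seq, pos)
        _, seq, _ = _tlv(bitstr, 1)  # skip the unused-bits octet
    _, modulus, _ = _tlv(seq, 0)
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt):  # list of findings for one key record; empty = nothing to flag
    tags = parse_tags(txt)
    out, ktype = [], tags.get("k", "rsa")
    if tags.get("v", "DKIM1") != "DKIM1":
        out.append("FAIL v must be DKIM1")
    if "sha256" not in tags.get("h", "sha256").split(":"):
        out.append("FAIL h= does not allow sha256")
    if "y" in tags.get("t", "").split(":"):
        out.append("WARN t=y testing flag is set")
    if not tags.get("p"):
        return out + ["FAIL p= is empty: key revoked" if "p" in tags else "FAIL p= is missing"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
        bits = rsa_bits(key) if ktype == "rsa" else len(key) * 8
    except (ValueError, IndexError):
        return out + ["FAIL p= is not a parseable public key"]
    if ktype == "rsa" and bits < 2048:  # RFC 8301: minimum 1024, 2048 recommended
        out.append(("FAIL" if bits < 1024 else "WARN") + f" RSA key is {bits} bits")
    elif ktype == "ed25519" and bits != 256:
        out.append(f"FAIL Ed25519 key is {bits} bits, expected 256")
    return out

# Constructed samples: valid DER framing around a dummy modulus, not usable keys.
def sample_rsa(header_hex, modulus_len):
    der = bytes.fromhex(header_hex) + b"\xc1" * modulus_len + bytes.fromhex("0203010001")
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode()
RSA_1024 = sample_rsa("30819f300d06092a864886f70d010101050003818d0030818902818100", 128)
RSA_512 = sample_rsa("305c300d06092a864886f70d0101010500034b003048024100", 64)
```

For a live record, pass check_record the TXT strings returned for <selector>._domainkey.<domain> joined into one string, since long keys are usually split across several quoted strings.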