Skip to main content
DKIM

DKIM Record Checker

Free DKIM checker — look up your DKIM record by selector, validate the public key against RFC 8301, and check the signing algorithm. Instant results, no signup.

Common selectors:

What is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication protocol defined in RFC 6376. It allows a sending mail server to cryptographically sign outgoing messages using a private key. The corresponding public key is published in a DNS TXT record at <selector>._domainkey.<domain>. Receiving servers retrieve the public key, verify the signature, and confirm the message was not altered in transit.

RFC 8301 updated cryptographic requirements: RSA keys must be at least 1024 bits (2048 recommended), and the rsa-sha1 algorithm is prohibited. RFC 8463 added support for Ed25519-SHA256, which provides strong security with much smaller keys (256 bits).

Common issues include using the wrong selector, expired or rotated keys, keys shorter than 1024 bits, and leaving the t=y testing flag on in production. Each provider uses its own selector -- check the s= tag in the DKIM-Signature email header to find the correct one. Many ESPs (Mailchimp, SendGrid, Postmark, Mailgun) publish the public key via a CNAME at selector._domainkey pointing back at their hosted record — verify the alias chain with the CNAME record lookup.

DKIM Record Tags

Tag Required Description
v Recommended Version. Must be DKIM1 if present.
p Yes Base64-encoded public key. Empty value means revoked.
k No Key type: rsa (default) or ed25519.
h No Acceptable hash algorithms (e.g. sha256).
s No Service type: * (all, default) or email.
t No Flags: y = testing, s = strict alignment.

DKIM setup guides by provider

Walk-through guides with the exact records, admin-UI steps, and common-mistake fixes for each provider we cover.

Frequently asked questions

How do I check my DKIM record?

Enter your domain and DKIM selector (for example google or s1). The checker queries <selector>._domainkey.<domain>, retrieves the public key, and reports the key type, key size, and any RFC 8301 issues such as keys under 1024 bits or the prohibited rsa-sha1 algorithm.

What is a DKIM selector?

A selector is a short label that lets a domain publish several DKIM keys at once. It forms the lookup name <selector>._domainkey.<domain>. Your provider assigns it — common values are google, selector1, k1, and dkim. Find yours in the s= tag of a received message's DKIM-Signature header.

Why is my DKIM record not found?

Usually a wrong selector, the record published at the apex instead of <selector>._domainkey, a CNAME that has not propagated, or the provider not having generated keys yet. Confirm the exact selector from a sent message's DKIM-Signature header, then re-check.

Can I check DKIM without a selector?

Not directly. DKIM keys live at <selector>._domainkey.<domain>, and DNS offers no way to list selectors, so you must supply one. Find it in the s= tag of a received message's DKIM-Signature header, or try common selectors like google, selector1, s1, and k1.

Get the full picture with DMARCguard

Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.

Start Free

or compare plans