DKIM X-ray

Get instant visibility into every DKIM selector signing for your domain — check key strength, spot missing or revoked records, and clean up unused keys with confidence.

Analyze DKIM Keys

Real Email Signing X-ray

DKIM X-ray goes beyond a one-off record lookup. It correlates your DKIM selectors with actual signing activity from DMARC aggregate reports, showing you exactly which keys are in use, which are stale, and which are missing from DNS.

90-Day Activity Heatmap

Every selector is mapped against 90 days of real signing data from DMARC reports. A visual heatmap shows daily email volume per selector so you see at a glance what is active and what is stale.

Complete Selector Inventory

DKIM X-ray combines selectors observed in DMARC reports with selectors found in your DNS history — covering your domain and all subdomains in one unified view, including CNAME-delegated keys.

Data-Driven Recommendations

Based on real signing patterns and key health, each selector receives an actionable recommendation to keep, review, rotate, revoke, or remove it. Backed by actual data, not guesswork.

The Real Impact for You

DKIM X-ray isn't just diagnostics — it protects your brand reputation, keeps signatures verifiable, and gives your ops team back control and time.

Deliverability You Can Trust

Verified DKIM signatures keep your legitimate mail in your customers inbox, no silent signing failures.

Time Back to Your Team

Stop hunting selectors across providers and DNS zones. Get instant actionables backed by data.

Stronger Domain Security

Weak, revoked, or forgotten keys are flagged before attackers or auditors find them.

Built for Key Rotation

See exactly when old selectors stop signing so you can revoke retired keys safely.

Fix your DKIM now

Deep DKIM Analysis

Comprehensive selector analysis that goes beyond a single record check

Identify weak keys, testing mode, revoked keys, and DNS issues

All selectors of your domain and its subdomains in one view

We combine selectors observed in your DMARC aggregate reports with selectors found in your DNS history. The result is a complete inventory per domain and subdomain — including selectors your email providers configured for you.

Every selector is resolved live in DNS, following CNAME delegation chains, and its public key is parsed and analyzed for weaknesses.

  • Key length and type (RSA 1024/2048-bit, Ed25519)
  • Revoked keys, testing mode (t=y), and multiple records at one selector
  • CNAME targets and selectors signing without a published DNS record

Each finding links to the impacted emails in your DMARC reports, so you can judge the real-world effect before making changes.

DKIM X-ray turns findings into clear next steps: publish missing records, remove duplicate TXT entries, leave testing mode, and upgrade weak RSA keys to 2048 bits. Every recommendation is grounded in the actual signing traffic of your domain.

We correlate DMARC aggregate reports with your DKIM selectors. If a published key hasn't signed any email for 90 days, we mark it as unused and recommend revoking it.

Result: a lean, auditable DKIM setup with strong keys, no forgotten selectors, and a clear rotation trail.

Sign up with your domain to collect DMARC reports and x-ray your DKIM keys.

Get first results on your DKIM key health & fix weak or broken selectors

Use our monitoring and we tell you which keys are unused and can be safely revoked

Sign up

Why DKIM Key Hygiene Matters

DKIM only protects your domain when keys are strong, published correctly, and retired once unused. Most domains accumulate forgotten selectors over the years — each one a liability.

Weak keys get cracked

RSA keys below 1024 bits can be broken, and 1024-bit keys are deprecated. Modern setups sign with 2048-bit keys.

Forgotten selectors

Old vendor keys stay published long after a tool is gone — whoever still holds the private key can sign as your domain.

Rotation best practice

Rotate keys regularly and revoke retired selectors by publishing an empty public key, so old signatures can't be reused.

Bottom line: DKIM X-ray shows which keys are actually signing — so you can rotate and revoke based on data, not hope.

DKIM Questions & Answers

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing emails. Receiving servers verify the signature against a public key published in your DNS, proving the message really comes from your domain and wasn't altered in transit. Without valid DKIM, your emails are more likely to fail DMARC checks and land in spam.

A selector is the label that tells receiving servers where to find your public key in DNS: the key lives at a name like google._domainkey.yourdomain.com. Each sending service typically uses its own selector (like google or selector1), which lets a single domain publish multiple DKIM keys side by side.

Selectors can't be enumerated from DNS alone, which is why forgotten keys are so common. DKIM X-ray solves this by combining two sources: selectors observed signing your email in DMARC aggregate reports, and selectors recorded in your DNS history. The result is a complete inventory across your domain and all subdomains.

Use 2048-bit RSA keys. Keys below 1024 bits are critically insecure and can be cracked, and 1024-bit keys are deprecated and considered weak. DKIM X-ray checks the bit length of every published key and flags any selector that needs an upgrade.

Best practice is to rotate DKIM keys regularly — at least once or twice a year, and immediately if a key may have been exposed. The hard part is knowing when an old selector is safe to retire. DKIM X-ray tracks real signing activity per selector, so you can see when a key has stopped signing and revoke it with confidence.

It means your DMARC reports show emails signed with that selector, but no DKIM record is published at its DNS location. Those signatures cannot be verified, so the emails fail DKIM and may be rejected or quarantined. The usual causes are a deleted DNS record or a sending service that wasn't fully set up.

First confirm the selector has genuinely stopped signing — DKIM X-ray shows the last-seen date and 90-day activity for every selector. Then publish the record with an empty public key (p=) instead of deleting it outright. This explicitly tells receivers the key is revoked and prevents old signatures from being replayed.

Basic DKIM checkers validate a single selector you already know about. DKIM X-ray discovers all selectors from DMARC reports and DNS history, checks key length, CNAME chains, testing mode, and revoked or missing records, maps 90 days of signing activity per selector, and gives keep/review/rotate/revoke recommendations based on real traffic — not just record syntax.

Check your DMARC Setup

DKIM is an integral part of the DMARC framework which ensures that no one can send emails in your name and your emails reach your customers inbox