DKIM Check Tool

Validate DKIM records, check key length, and lookup over 128 selectors.

How to Use the DKIM Checker

DmarcDkim.com checks your domain's DKIM records across 128 common selectors and validates key strength, configuration, and DNS setup.

Enter your domain name and click "Check DKIM" to scan for DKIM records. You can also enter a specific selector in the format selector._domainkey.domain.com

Review the results showing each selector's key type, bit length, and validation status. Warnings highlight weak keys or configuration issues.

Fix any issues found and run a DMARC check to ensure your complete email authentication setup (SPF, DKIM, DMARC) is aligned.

DKIM Cheatsheet

How DKIM Works
1. Sign
Sender hashes the body, then signs selected headers (including the body hash) with the private key and adds a DKIM-Signature header.
2. Publish
Public key goes in DNS TXT at selector._domainkey.domain.com
3. Verify
Receiver fetches public key from DNS using the selector, recomputes the hashes, and verifies the signature.
Record Tags
v
Version. Recommended, must be "DKIM1". Must appear first if present.
p
Public key data (base64). Required. Empty value revokes the key.
k
Key type. Optional, default "rsa". Also "ed25519" per RFC 8463.
h
Hash algorithms. Optional, default allows all. "sha256" only, "sha1" deprecated per RFC 8301.
t
Flags. Optional, default none. "y" = testing mode, "s" = exact domain match.
s
Service type. Optional, default "*" (all). Also "email" to restrict to email only.
n
Notes. Optional. Human-readable text for administrators, no programmatic use.
Best Practices
1. 2048-bit+ RSA keys
Keys under 2048 bits disallowed by NIST since 2014.
2. Rotate every 6-12 months
Limits exposure from compromised keys.
3. Unique selector per service
Separate keys for Google, Microsoft 365, SendGrid, etc.
4. Align with DMARC
Signing domain must match the From header domain.
5. Monitor via DMARC reports
Track DKIM pass/fail across all mail traffic.

Frequently Asked Questions

A DKIM check verifies that your domain has valid DKIM (DomainKeys Identified Mail) records published in DNS. It validates the selector configuration, public key format, key strength (bit length), and flags. A DKIM check helps ensure your emails are properly authenticated and improves deliverability.

A DKIM selector is a label that identifies which DKIM key pair to use for signing and verification. It appears in the DKIM-Signature header of your emails as the s= tag. Common selectors include google, selector1 (Microsoft 365), s1 (Mailchimp), and k1 (Mailgun). DmarcDkim.com automatically checks 128 common selectors, or you can enter a specific one.

To set up DKIM, generate a key pair through your email provider (Google Workspace, Microsoft 365, etc.), then publish the public key as a TXT record in your domain's DNS at selector._domainkey.yourdomain.com. Each email provider has its own selector name and key format. After publishing, use this DKIM checker to verify the record is correct.

Use 2048-bit RSA keys at minimum per RFC 8301, which requires signers to use at least 1024-bit keys and recommends 2048-bit. Verifiers must reject signatures made with keys shorter than 1024 bits. DmarcDkim.com DKIM checker validates key strength and flags keys that are too short.

Common reasons for DKIM check failures include: the DKIM record is not published in DNS, the selector name is incorrect, the DNS record has syntax errors or extra whitespace, the public key has been revoked (empty p= tag), DNS propagation has not completed yet, or the DKIM record exceeds the 255-character TXT record limit and is not properly concatenated.

DKIM, SPF, and DMARC work together to authenticate email. SPF verifies the sending server, DKIM verifies message integrity and sender identity, and DMARC ties them together with a policy. For DMARC to pass, at least one of SPF or DKIM must pass and align with the From domain. Setting up all three provides the strongest email authentication.

Check your DKIM records whenever you add or change an email sending service, after DNS changes, and as part of regular security audits (at least quarterly). Continuous monitoring through a DMARC dashboard provides real-time visibility into DKIM authentication results across all your email traffic.

SPF X-ray

Connect your domain and get a deep SPF analysis based on your DMARC data. The only reliable way to fix the 10 DNS lookup limit and increase your deliverability.

DMARC Checker

Prevent others from sending fake emails using your domain name. Check your DMARC configuration and follow the step-by-step guide for full protection.

To help us grow, please upvote DmarcDkim.com

DmarcDkim.com - Hassle-free DMARC solution | Product Hunt