DKIM Checker
Verify your DKIM TXT record by selector. Confirm that your DKIM public key is published correctly to improve email authentication and deliverability.
Use DKIM Checker in 4 Steps
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication standard that lets receiving mail servers verify that an email was actually sent and authorised by the domain owner. It works by adding a cryptographic signature to each outgoing message — the receiving server then fetches the sender's public key from DNS and checks whether the signature is valid.
DKIM protects against message tampering in transit and is one of three core email authentication layers alongside SPF and DMARC. Without a valid DKIM signature, DMARC alignment cannot be achieved through DKIM, which weakens your domain's anti-spoofing posture.
How DKIM Works
When you send an email, your mail server signs specific headers and the message body using a private key. The signature is embedded in a DKIM-Signature header. The receiving server extracts the domain and selector from that header, fetches the public key from DNS at <selector>._domainkey.<domain>, and verifies the signature.
A selector is simply a label that points to the correct public key. Using selectors allows you to have multiple DKIM keys simultaneously — one per sending service, or to rotate keys without disrupting delivery.
DKIM Record Tag Reference
The table below shows every tag you will encounter inside a DKIM TXT record (at <selector>._domainkey.<domain>):
| Tag | Required | Description |
|---|---|---|
v= | Yes | Version — always DKIM1 |
p= | Yes | Base64-encoded RSA public key. Empty string (p=) means the key is revoked |
k= | No | Key type — default rsa. Use ed25519 for EdDSA keys |
h= | No | Acceptable hash algorithms — e.g. sha256. Deprecated sha1 should be removed |
s= | No | Service type — * means all services, email restricts to email only |
t= | No | Flags — y means testing mode (receivers should not reject); s means strict subdomain policy |
n= | No | Notes — human-readable comment, ignored by verifiers |
A minimal valid record looks like:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...
Common DKIM Selectors by Provider
Your email provider specifies which selector to use. If you are unsure, check your provider's DKIM setup documentation.
| Provider | Common Selector |
|---|---|
| Google Workspace | google |
| Microsoft 365 | selector1, selector2 |
| Mailchimp | k1 |
| SendGrid | s1, s2 |
| Amazon SES | amazonses |
| Postmark | 20221208, date-format |
| Mailgun | krs, pic |
| Generic | mail, default, dkim |
Verify DKIM in the CLI
Use dig or nslookup to fetch the DKIM record directly from DNS before relying on any tool output:
# Fetch DKIM record for Google Workspace selector
dig TXT google._domainkey.example.com +short
# Fetch Microsoft 365 selector 1
dig TXT selector1._domainkey.example.com +short
# Fetch a specific selector via a chosen resolver
dig @1.1.1.1 TXT mail._domainkey.example.com +short
# Check if selector returns NXDOMAIN (not published)
dig TXT selector1._domainkey.example.com
A correctly published record returns a TXT string starting with v=DKIM1. If dig returns NXDOMAIN or no answer, the record has not been published under that selector.
Common DKIM Errors and Fixes
| Error | Likely Cause | Fix |
|---|---|---|
| No record found | Wrong selector, or record not published yet | Confirm selector with your provider; allow up to 24–48h for propagation |
p= is empty | Key has been revoked deliberately | Republish a new key pair from your sending provider |
| Signature verification failed | Private/public key mismatch after key rotation | Re-generate the key pair and republish the public key in DNS |
t=y flag present | Domain is in DKIM testing mode | Remove t=y once you confirm delivery is working |
| CNAME instead of TXT | Some providers use CNAME for DKIM | This is valid — the CNAME points to the provider's hosted record |
| Multiple TXT values under one selector | Misconfigured zone | Each selector must have exactly one TXT record |
What Happens Without DKIM
If you send email without DKIM, or with a broken signature:
- Receiving servers cannot cryptographically verify your messages
- DMARC alignment through DKIM fails, leaving only SPF alignment
- Messages are more likely to land in spam or be rejected by strict policies
- Gmail, Yahoo, and Microsoft may apply additional scrutiny to unsigned mail
A domain operating at p=reject DMARC without DKIM will still pass via SPF — but any forwarding scenario that breaks the SPF chain will result in unauthenticated mail.
Frequently Asked Questions
Q: What is a DKIM selector and where do I find mine?
A: A selector is the label before ._domainkey. in the DNS record name. Your email provider shows it when you enable DKIM — look in provider settings under DKIM, email authentication, or domain verification. Common selectors include google, selector1, mail, k1, and s1.
Q: Can I have multiple DKIM records on the same domain?
A: Yes. Each sending service gets its own selector, so you can have google._domainkey.example.com for Google Workspace and selector1._domainkey.example.com for Microsoft 365 on the same domain simultaneously. This is the recommended approach.
Q: Why does my DKIM record not appear in DNS? A: The three most common causes are: (1) you used the wrong selector — double-check with your provider; (2) you published the record on the wrong domain (subdomain vs root); (3) DNS propagation has not completed — wait up to 48 hours and check via multiple resolvers.
Q: What key length should I use for DKIM? A: Use RSA-2048 as a minimum. RSA-1024 keys are considered weak and rejected by some receiving servers. EdDSA (ed25519) is also supported and produces shorter records with equivalent security. Check what key lengths your sending provider supports before generating a new key pair.
Q: Is DKIM enough to stop my emails from going to spam? A: DKIM alone is not sufficient. DKIM handles cryptographic identity, but inbox placement depends on SPF, DMARC, sending reputation, content quality, and engagement signals. A complete email authentication stack requires all three: SPF to authorise sending IPs, DKIM to sign messages, and DMARC to enforce policy.
Q: What does the t=y testing flag mean?
A: When t=y is set in the DKIM record, the key is in testing mode. Receiving servers are instructed to treat verification failures as if the key does not exist — they should not reject or penalise the message. Remove the t=y flag once you have confirmed DKIM is working correctly.
Related Tools
- SPF Record Checker — Validate SPF sender authorisation records
- DMARC Checker — Check DMARC policy, alignment, and reporting tags
- MX Record Lookup — Confirm inbound mail routing and server priorities
- SMTP Test — Diagnose SMTP port availability and email sending signals
Frequently Asked Questions
Get guides like this by email
DNS, email auth, and security playbooks delivered when they publish. No spam.