HomeEmail ToolsDKIM Checker
Email Tool

DKIM Checker

Verify your DKIM TXT record by selector. Confirm that your DKIM public key is published correctly to improve email authentication and deliverability.

Location
<selector>._domainkey.<domain>
DKIM is selector-based.
Key tag
p= (public key)
A missing p= breaks DKIM.
Waiting for input
Enter a domain, then press Check
How to Use

Use DKIM Checker in 4 Steps

01
Enter domain
Type the domain you send email from (e.g. example.com).
02
Enter selector
Use the selector provided by your email service (e.g. google).
03
Check DKIM
We query <selector>._domainkey.<domain> for a v=DKIM1 TXT record.
04
Confirm publish
Make sure the record exists and includes a valid p= public key.

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication standard that lets receiving mail servers verify that an email was actually sent and authorised by the domain owner. It works by adding a cryptographic signature to each outgoing message — the receiving server then fetches the sender's public key from DNS and checks whether the signature is valid.

DKIM protects against message tampering in transit and is one of three core email authentication layers alongside SPF and DMARC. Without a valid DKIM signature, DMARC alignment cannot be achieved through DKIM, which weakens your domain's anti-spoofing posture.

How DKIM Works

When you send an email, your mail server signs specific headers and the message body using a private key. The signature is embedded in a DKIM-Signature header. The receiving server extracts the domain and selector from that header, fetches the public key from DNS at <selector>._domainkey.<domain>, and verifies the signature.

A selector is simply a label that points to the correct public key. Using selectors allows you to have multiple DKIM keys simultaneously — one per sending service, or to rotate keys without disrupting delivery.

DKIM Record Tag Reference

The table below shows every tag you will encounter inside a DKIM TXT record (at <selector>._domainkey.<domain>):

TagRequiredDescription
v=YesVersion — always DKIM1
p=YesBase64-encoded RSA public key. Empty string (p=) means the key is revoked
k=NoKey type — default rsa. Use ed25519 for EdDSA keys
h=NoAcceptable hash algorithms — e.g. sha256. Deprecated sha1 should be removed
s=NoService type — * means all services, email restricts to email only
t=NoFlags — y means testing mode (receivers should not reject); s means strict subdomain policy
n=NoNotes — human-readable comment, ignored by verifiers

A minimal valid record looks like:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...

Common DKIM Selectors by Provider

Your email provider specifies which selector to use. If you are unsure, check your provider's DKIM setup documentation.

ProviderCommon Selector
Google Workspacegoogle
Microsoft 365selector1, selector2
Mailchimpk1
SendGrids1, s2
Amazon SESamazonses
Postmark20221208, date-format
Mailgunkrs, pic
Genericmail, default, dkim

Verify DKIM in the CLI

Use dig or nslookup to fetch the DKIM record directly from DNS before relying on any tool output:

# Fetch DKIM record for Google Workspace selector
dig TXT google._domainkey.example.com +short

# Fetch Microsoft 365 selector 1
dig TXT selector1._domainkey.example.com +short

# Fetch a specific selector via a chosen resolver
dig @1.1.1.1 TXT mail._domainkey.example.com +short

# Check if selector returns NXDOMAIN (not published)
dig TXT selector1._domainkey.example.com

A correctly published record returns a TXT string starting with v=DKIM1. If dig returns NXDOMAIN or no answer, the record has not been published under that selector.

Common DKIM Errors and Fixes

ErrorLikely CauseFix
No record foundWrong selector, or record not published yetConfirm selector with your provider; allow up to 24–48h for propagation
p= is emptyKey has been revoked deliberatelyRepublish a new key pair from your sending provider
Signature verification failedPrivate/public key mismatch after key rotationRe-generate the key pair and republish the public key in DNS
t=y flag presentDomain is in DKIM testing modeRemove t=y once you confirm delivery is working
CNAME instead of TXTSome providers use CNAME for DKIMThis is valid — the CNAME points to the provider's hosted record
Multiple TXT values under one selectorMisconfigured zoneEach selector must have exactly one TXT record

What Happens Without DKIM

If you send email without DKIM, or with a broken signature:

  • Receiving servers cannot cryptographically verify your messages
  • DMARC alignment through DKIM fails, leaving only SPF alignment
  • Messages are more likely to land in spam or be rejected by strict policies
  • Gmail, Yahoo, and Microsoft may apply additional scrutiny to unsigned mail

A domain operating at p=reject DMARC without DKIM will still pass via SPF — but any forwarding scenario that breaks the SPF chain will result in unauthenticated mail.

Frequently Asked Questions

Q: What is a DKIM selector and where do I find mine? A: A selector is the label before ._domainkey. in the DNS record name. Your email provider shows it when you enable DKIM — look in provider settings under DKIM, email authentication, or domain verification. Common selectors include google, selector1, mail, k1, and s1.

Q: Can I have multiple DKIM records on the same domain? A: Yes. Each sending service gets its own selector, so you can have google._domainkey.example.com for Google Workspace and selector1._domainkey.example.com for Microsoft 365 on the same domain simultaneously. This is the recommended approach.

Q: Why does my DKIM record not appear in DNS? A: The three most common causes are: (1) you used the wrong selector — double-check with your provider; (2) you published the record on the wrong domain (subdomain vs root); (3) DNS propagation has not completed — wait up to 48 hours and check via multiple resolvers.

Q: What key length should I use for DKIM? A: Use RSA-2048 as a minimum. RSA-1024 keys are considered weak and rejected by some receiving servers. EdDSA (ed25519) is also supported and produces shorter records with equivalent security. Check what key lengths your sending provider supports before generating a new key pair.

Q: Is DKIM enough to stop my emails from going to spam? A: DKIM alone is not sufficient. DKIM handles cryptographic identity, but inbox placement depends on SPF, DMARC, sending reputation, content quality, and engagement signals. A complete email authentication stack requires all three: SPF to authorise sending IPs, DKIM to sign messages, and DMARC to enforce policy.

Q: What does the t=y testing flag mean? A: When t=y is set in the DKIM record, the key is in testing mode. Receiving servers are instructed to treat verification failures as if the key does not exist — they should not reject or penalise the message. Remove the t=y flag once you have confirmed DKIM is working correctly.

Related Tools

Frequently Asked Questions

What is a DKIM selector?
A selector is a label used to locate the DKIM public key in DNS, like selector1._domainkey.example.com.
Where do I find my DKIM selector?
Your email provider shows the selector when you enable DKIM. Common selectors include google, mail, selector1, and s1.
Can I have multiple DKIM records?
Yes. You can have multiple selectors, which is useful for key rotation or multiple providers.
Why doesn't my DKIM record show up?
Common causes include using the wrong selector, publishing the record under the wrong domain, or DNS not updated yet.
How long does DKIM take to propagate?
It depends on TTL and caching. Many changes appear within minutes to hours, but some resolvers may take longer.
Selector Examples
google
selector1
mail
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.