Look up and validate DKIM DNS records for any domain. Verify public key configuration, check selector records, and ensure your email signatures are properly authenticated.
DomainKeys Identified Mail (DKIM) is a cryptographic email authentication method that allows a domain to take responsibility for a message by signing it with a digital signature. Alongside SPF and DMARC, DKIM forms one of the three pillars of modern email security. While SPF verifies that a message came from an authorised server, DKIM goes further by proving the message content hasn't been altered in transit.
DKIM works using public-key cryptography. When your mail server sends an email, it generates a cryptographic hash of the message headers and body, then signs that hash using a private key stored securely on your server. The result is the DKIM signature, added as a DKIM-Signature header to the outgoing email. The receiving mail server extracts the selector and domain from this header, queries DNS for the corresponding public key at selector._domainkey.yourdomain.com, and uses it to verify the signature.
Each email provider uses specific DKIM selectors. Google Workspace uses google, Microsoft 365 uses selector1 and selector2, Mailchimp uses k1, and SendGrid uses s1 and s2. Understanding which selectors your services use is essential for verifying DKIM is correctly configured, since a lookup against the wrong selector will fail even if your keys are perfectly valid.
DKIM has a direct impact on email deliverability. Major mailbox providers like Gmail, Outlook, and Yahoo use DKIM validation as a key signal in their spam filtering algorithms. Emails that pass DKIM verification are significantly more likely to land in the inbox rather than the spam folder. Google has explicitly stated that bulk senders must have valid DKIM authentication, and Yahoo has followed with similar requirements. Without DKIM, your legitimate marketing emails and transactional messages are at high risk of being filtered or rejected entirely.
A properly configured DKIM record uses at minimum a 2048-bit RSA key for robust security, though 1024-bit keys remain common in legacy setups. The DKIM record itself is a DNS TXT record containing the version tag (v=DKIM1), key type (k=rsa), and the base64-encoded public key (p=...). For a complete view of your domain's email authentication posture, combine this DKIM record checker with a full domain security scan.
Type your domain name in the search box above. No need to add "www" or "https", just the bare domain like example.com.
We probe common DKIM selectors used by major providers (google, selector1, selector2, s1, s2, k1, and more) to find published DKIM records for your domain.
Each discovered DKIM record is parsed and validated: we check the key type, key size (1024 vs 2048-bit), syntax correctness, and whether the public key is properly formatted.
You receive a grade from A+ to F along with specific guidance on upgrading key sizes, fixing misconfigurations, or adding missing DKIM records.
Whether you need a DKIM checker for Google Workspace, Microsoft 365, or any other email provider, our online DKIM checker handles them all. Simply enter your domain and we'll automatically probe the most common selectors, so there's no need to know your selector in advance. For Google Workspace domains, we check the google._domainkey record; for Microsoft 365, both selector1._domainkey and selector2._domainkey.
A DKIM key lookup reveals the public key your domain publishes for email verification. Our checker decodes the base64-encoded key, analyses the RSA key length, and flags any records using outdated 512-bit or 768-bit keys that offer minimal security. We also detect common issues like empty p= tags (which indicate a revoked key) and missing version tags that may cause compatibility problems with strict validators.
Running an online DKIM checker regularly is essential maintenance, especially after DNS migrations, email provider changes, or adding new sending services like marketing platforms and transactional email providers. Each new service typically requires its own DKIM selector and key pair, and forgetting to publish the DNS record is one of the most common causes of DKIM failures.
A DKIM (DomainKeys Identified Mail) record is a DNS TXT record that publishes the public key used to verify email signatures. When your mail server sends an email, it signs the message headers and body with a private key. The receiving server then retrieves your DKIM public key from DNS and uses it to verify the signature, confirming the message hasn't been tampered with and genuinely originated from your domain. DKIM is a critical component of email authentication alongside SPF and DMARC.
DKIM records are stored as DNS TXT records at a specific subdomain following the format selector._domainkey.yourdomain.com. Unlike SPF, which sits directly on the root domain, DKIM uses selectors (unique identifiers chosen by your email provider) to allow multiple DKIM keys per domain. To look up your DKIM record, you need to know the selector your provider uses. You can find this by checking the "DKIM-Signature" header in any email sent from your domain, which includes an "s=" tag containing the selector name.
Each email provider uses its own default DKIM selectors. Google Workspace uses "google" as its selector (google._domainkey.yourdomain.com). Microsoft 365 uses "selector1" and "selector2" for key rotation. Mailchimp uses "k1", SendGrid uses "s1" and "s2", Amazon SES uses a unique token-based selector, and Zoho Mail uses "zoho" or "zmail". When checking DKIM, always verify which selector(s) your provider requires, because using the wrong selector will result in a lookup failure even if your record is correctly configured.
A 2048-bit RSA key is the current recommended minimum for DKIM. While 1024-bit keys are still technically valid and widely used, they are considered increasingly vulnerable as computing power grows. Security researchers have demonstrated that 1024-bit keys could be factored with sufficient resources. 2048-bit keys provide a significantly larger security margin. The only downside is that 2048-bit keys are too long for a single DNS TXT record string (255 characters), so they must be split across multiple strings within the same record. Most modern DNS providers handle this automatically.
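The record checks described above (joining the 255-character TXT strings, decoding p=, measuring the RSA modulus, flagging an empty p= or a missing version tag) can be reproduced offline. The following is an added example, not this checker's own code; the function names and finding strings are assumptions, it handles RSA keys only, and the sample records are constructed with a fake modulus rather than a real key.

```python
import base64, re

def join_txt(rdata):  # TXT rdata is one or more quoted strings of <=255 chars each
    return "".join(re.findall(r'"([^"]*)"', rdata)) or rdata

def parse_tags(value):  # 'v=DKIM1; k=rsa; p=...' -> {tag: value}, whitespace dropped
    pairs = (item.split("=", 1) for item in value.split(";") if "=" in item)
    return {name.strip(): "".join(val.split()) for name, val in pairs}

def _tlv(buf, pos):  # read one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(der):
    """Modulus bit length of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    _, seq, _ = _tlv(der, 0)          # outer SEQUENCE
    _, _, alg_end = _tlv(der, seq)    # AlgorithmIdentifier
    _, bits, _ = _tlv(der, alg_end)   # BIT STRING wrapping RSAPublicKey
    _, key, _ = _tlv(der, bits + 1)   # skip the unused-bits octet
    tag, n0, n1 = _tlv(der, key)      # INTEGER modulus
    if tag != 0x02 or n1 > len(der):
        raise ValueError("not an RSA public key")
    return int.from_bytes(der[n0:n1], "big").bit_length()

def check_record(rdata):  # findings for one selector's TXT rdata
    tags = parse_tags(join_txt(rdata))
    findings = [] if tags.get("v") == "DKIM1" else ["missing v=DKIM1"]
    if tags.get("p", "") == "":
        return findings + ["empty p= (revoked key)"]
    try:
        size = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return findings + ["p= is not a well-formed RSA key"]
    return findings + [f"rsa-{size}" + (" (below 2048-bit)" if size < 2048 else "")]

def _der(tag, body):  # DER encoder, used only to build the constructed sample
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def sample_rdata(bits):
    """Constructed TXT rdata: valid structure, fake modulus 2^(bits-1)+1."""
    integer = lambda v: _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    rsa = _der(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(0x03, b"\0" + rsa))).decode()
    return " ".join(f'"{value[i:i + 255]}"' for i in range(0, len(value), 255))
```

`check_record(sample_rdata(2048))` exercises the two-string case, since the 2048-bit record value is longer than 255 characters; feed it the rdata returned by your own resolver to check a live selector.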
To add a DKIM record, first generate a DKIM key pair through your email provider or mail server, which will give you the public key to publish. Then log in to your DNS hosting provider and create a new TXT record with the host/name set to "selector._domainkey" (replacing "selector" with your provider's chosen selector, e.g., "google._domainkey"). Set the value to the public key string provided, which typically starts with "v=DKIM1; k=rsa; p=" followed by the base64-encoded key. Save the record, wait for DNS propagation (usually 5–60 minutes), then use a DKIM record checker to verify it's published correctly.