DKIM Record Checker

Every email you send can be forged unless you cryptographically prove it's yours. DKIM (DomainKeys Identified Mail) attaches a digital signature to your outgoing messages so receiving servers can verify two things: the email actually came from your domain, and nobody tampered with it in transit. Without DKIM, you're relying on SPF alone, which only checks the sending server's IP — not the message itself.

How DKIM signing works

When your mail server sends an email, it generates a hash of certain headers and the body, then encrypts that hash with your private key. This encrypted hash goes into the DKIM-Signature header. The receiving server looks up your public key via DNS (using the selector and domain from the signature), decrypts the hash, and compares it to its own hash of the message. If they match, DKIM passes.

Your DKIM DNS record lives at selector._domainkey.yourdomain.com — it's a TXT record containing your public key, the key type (usually RSA), and the version (v=DKIM1). The selector lets you have multiple DKIM keys for different services on the same domain.

Why DKIM matters more than you think

Gmail, Yahoo, and Microsoft all weigh DKIM results heavily in their spam filtering. Since February 2024, Google requires DKIM authentication for anyone sending more than 5,000 emails per day to Gmail addresses. But even below that threshold, DKIM failures push your emails toward the spam folder. It's also the only authentication method that survives forwarding — SPF breaks when emails are forwarded because the sending IP changes, but the DKIM signature stays intact.

Common DKIM mistakes

The most frequent issue is publishing a DKIM record with the wrong selector. Each email service uses its own selector — Google Workspace uses "google", Microsoft 365 uses "selector1" and "selector2", SendGrid uses "s1" and "s2". If you put your key under the wrong selector name, every lookup fails silently. Another common mistake: using 512-bit keys. These were deprecated years ago and many receivers reject them outright. Always use 2048-bit keys.

Watch out for line breaks in your DNS record too. Some registrars split long TXT records into multiple strings, and if they do it wrong, the public key becomes invalid. Use our DNS propagation checker to verify your record is published correctly across global nameservers.

DKIM in the bigger authentication picture

DKIM is one leg of a three-part authentication system. SPF verifies the sending IP, DKIM verifies the message integrity, and DMARC ties them together with a policy that tells receivers what to do when checks fail. You need all three. If you're troubleshooting a DKIM failure, grab the raw email headers and run them through our email header analyzer — it'll show you exactly which step failed and why. You can also generate a properly formatted record with our DKIM generator.