DKIM Record Checker
Verify your domain's DKIM configuration for email authentication. Check the public key, selector, and key strength to ensure your emails are properly signed.
About this tool
Every email you send can be forged unless you cryptographically prove it's yours. DKIM (DomainKeys Identified Mail) attaches a digital signature to your outgoing messages so receiving servers can verify two things: the email actually came from your domain, and nobody tampered with it in transit. Without DKIM, you're relying on SPF alone, which only checks the sending server's IP — not the message itself.
How DKIM signing works
When your mail server sends an email, it generates a hash of certain headers and the body, then encrypts that hash with your private key. This encrypted hash goes into the DKIM-Signature header. The receiving server looks up your public key via DNS (using the selector and domain from the signature), decrypts the hash, and compares it to its own hash of the message. If they match, DKIM passes.
Your DKIM DNS record lives at selector._domainkey.yourdomain.com — it's a TXT record containing your public key, the key type (usually RSA), and the version (v=DKIM1). The selector lets you have multiple DKIM keys for different services on the same domain.
Why DKIM matters more than you think
Gmail, Yahoo, and Microsoft all weigh DKIM results heavily in their spam filtering. Since February 2024, Google requires DKIM authentication for anyone sending more than 5,000 emails per day to Gmail addresses. But even below that threshold, DKIM failures push your emails toward the spam folder. It's also the only authentication method that survives forwarding — SPF breaks when emails are forwarded because the sending IP changes, but the DKIM signature stays intact.
Common DKIM mistakes
The most frequent issue is publishing a DKIM record with the wrong selector. Each email service uses its own selector — Google Workspace uses "google", Microsoft 365 uses "selector1" and "selector2", SendGrid uses "s1" and "s2". If you put your key under the wrong selector name, every lookup fails silently. Another common mistake: using 512-bit keys. These were deprecated years ago and many receivers reject them outright. Always use 2048-bit keys.
Watch out for line breaks in your DNS record too. Some registrars split long TXT records into multiple strings, and if they do it wrong, the public key becomes invalid. Use our DNS propagation checker to verify your record is published correctly across global nameservers.
DKIM in the bigger authentication picture
DKIM is one leg of a three-part authentication system. SPF verifies the sending IP, DKIM verifies the message integrity, and DMARC ties them together with a policy that tells receivers what to do when checks fail. You need all three. If you're troubleshooting a DKIM failure, grab the raw email headers and run them through our email header analyzer — it'll show you exactly which step failed and why. You can also generate a properly formatted record with our DKIM generator.
Frequently Asked Questions
More Free Tools
View all toolsSPF Record Checker
Ensure your domain is properly authenticated with our SPF record checker. Avoid spoofing and improve inbox placement.
Email Header Analyzer
Analyze email headers to trace routing, check authentication (SPF, DKIM, DMARC), identify delivery delays, and debug email issues. Paste headers from any email client.
DMARC Record Checker
Check your domain's DMARC policy to protect against email spoofing and phishing. Verify your DMARC record configuration and get recommendations for improvement.
MX Record Lookup
Look up MX (Mail Exchange) records for any domain to see which mail servers handle its email. Essential for troubleshooting email delivery and verifying domain configuration.