DKIM Record Checker

Look up and validate DKIM records with key strength analysis and issue detection

What does this tool check?

Selector Discovery

Scans 20+ common DKIM selectors used by popular email providers like Google, Microsoft, Mailchimp, and more.

Key Strength Analysis

Validates RSA key length (1024, 2048, 4096 bit) and flags weak keys that should be upgraded.

Record Validation

Checks for revoked keys, testing mode flags, missing version tags, and other common DKIM issues.

CNAME Resolution

Follows CNAME delegations (used by services like Mailgun and SendGrid) and validates the target record.

What is DKIM?

DomainKeys Identified Mail (DKIM) adds a digital signature to your emails, proving they haven't been tampered with in transit.

Cryptographic email authentication
Prevents message tampering
Required for DMARC alignment
Improves email deliverability

Common Selectors

Popular email services use these DKIM selectors:

google (Google)

selector1 (Microsoft)

k1 (Mailchimp)

s1 (Generic)

mandrill (Mailchimp)

pm (Postmark)

cm (Campaign Monitor)

smtpapi (SendGrid)

What is a DKIM Record?

DomainKeys Identified Mail — the cryptographic signature that proves an email actually came from your domain

A DKIM record is a public RSA key published as a DNS TXT record at selector._domainkey.yourdomain.com. When your email provider sends a message, it signs the headers and body with the matching private key and adds a DKIM-Signature: header. Receiving servers fetch your public key from DNS, verify the signature, and confirm the message has not been tampered with in transit and genuinely came from a sender authorised to use your domain.

DKIM works alongside SPF and DMARC to provide complete email authentication. While SPF says "this IP is allowed to send for my domain," DKIM says "this specific message has not been altered." Most modern email providers (Google Workspace, Microsoft 365, SendGrid, Mailchimp) sign with their own selectors automatically once you publish the public key — but the only way to know it is working is to actually look up the record.

This DKIM checker scans 20+ common selectors (google, selector1, k1, pm, etc.) automatically, follows CNAME delegations, validates the RSA key length, and flags weak keys, revoked keys, or testing-mode flags. Once your DKIM passes, run the DMARC Checker to confirm your full authentication stack is enforced.

A Typical DKIM Record

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBi...

Key Strength Guide

512 / 768 Insecure — cracked routinely

1024 Weak — deprecated by Google in 2026

2048 Recommended minimum

4096 Highest strength (some DNS providers split the record)

How DKIM Authentication Works

The four-step signing and verification flow behind every authenticated email

Generate a Key Pair

You generate an RSA key pair (or use one your email provider generates for you). The private key stays with the sending service; the public key is published as a DNS TXT record at selector._domainkey.yourdomain.com. Use our DKIM Generator if you need to create one manually.

Sign Outgoing Mail

Your mail server hashes selected headers (typically From, Subject, Date) plus the body, signs the hash with the private key, and adds a DKIM-Signature: header naming the selector and signed fields.

Receiver Looks Up Public Key

The receiving server reads the selector and signing domain from the DKIM-Signature: header, performs a DNS lookup for the matching public key, and re-computes the hash using the same algorithm.

Verify the Signature

If the recomputed hash matches the signed value, the receiver knows the message has not been altered and the sender has access to the private key. The result becomes dkim=pass in the Authentication-Results: header — which DMARC then uses for alignment.

Common DKIM Issues to Watch For

Configuration mistakes this checker will flag — and how to fix them

Weak Key Length (1024-bit or below)

Google announced in 2026 that 1024-bit DKIM signatures are deprecated and may stop being honoured. Anything below 2048 bits is considered cryptographically weak. Fix: Generate a new 2048-bit key with our DKIM Generator, publish it under a new selector (e.g. 2026-04), let it propagate for 48 hours alongside the old key, then switch your sending service to use the new selector and retire the old one.

Revoked Key (empty p= tag)

A DKIM record with an empty public key (p=) is the official "revoked" signal — receivers will treat any signature using this selector as invalid. Fix: If this is intentional (you have rotated to a new selector), leave it in place to invalidate replayed messages. If it is unintentional, republish the public key.

Testing Mode Flag (t=y)

The t=y flag tells receivers "this is a test — do not enforce DMARC alignment based on the result." It is fine during initial setup but should be removed once you are confident the signature is working. Fix: Remove the t=y tag from the DKIM record once verification has passed for at least a week.

Wrong or Missing Selector

Each sending service uses a different selector (Google = google, Microsoft 365 = selector1/selector2, Mailchimp = k1). If the checker reports "Not Found" for your provider, the public key was never published or was published at the wrong selector. Fix: Re-check your provider's DKIM setup documentation and confirm the selector matches what they expect.

Automate this: DMARC Busta Autopilot monitors your DKIM records continuously, alerts you when keys go missing, and tracks key rotation across every domain you manage — no more rediscovering broken DKIM weeks after it broke.

Frequently Asked Questions

How do I check my DKIM record?

Enter your domain in the form above. By default the DKIM checker scans 20+ common selectors used by Google, Microsoft 365, Mailchimp, SendGrid, Postmark, Campaign Monitor, and more. If your selector is non-standard, type it into the optional Selector field. You can also check manually with dig TXT selector._domainkey.yourdomain.com from a terminal.

What is a DKIM selector?

A selector is a label that lets one domain publish multiple DKIM keys at once — one per sending service. Google uses google, Microsoft 365 uses selector1 and selector2, Mailchimp uses k1, Postmark uses pm, and so on. The selector appears in the DKIM-Signature: header of every email so receivers know which key to fetch.

How long should my DKIM key be?

2048-bit RSA is the recommended minimum in 2026. Google has begun deprecating 1024-bit signatures, and anything below 1024 (the old 512 and 768-bit keys) is trivially crackable. 4096-bit offers the strongest protection but exceeds the 255-character TXT record limit, so the record must be split into multiple strings — some DNS providers do not support this cleanly. For most use cases, 2048-bit is the right balance.

Why does my DKIM checker say "Not Found"?

Three common reasons: (1) the public key has not been published to DNS yet, (2) it was published under a non-standard selector that is not in our default scan list — try entering the selector manually, or (3) DNS has not propagated yet (allow up to 48 hours after publishing). If your provider uses a CNAME-based DKIM setup (Mailgun, SendGrid), the checker follows the CNAME automatically.

Is this DKIM checker free?

Yes. The DKIM checker is completely free and requires no signup. It performs live DNS lookups, scans 20+ common selectors, validates key strength, and flags issues in seconds. For ongoing DKIM monitoring across multiple domains with automatic alerts when keys break, that is what DMARC Busta does as a managed service.

Related Tools

More free tools to manage your email authentication

Stop Rediscovering Broken DKIM Months Later

DMARC Busta monitors DKIM continuously across every domain you manage, alerts you when keys go missing or get rotated, and tracks key strength — so failed signatures show up in minutes, not months.

Get Started Free