DKIM Checker
Look up a domain's DKIM public key for a given selector and validate it - key type, key length, revocation status and record syntax - straight from DNS.
About DKIM Checker
DKIM (DomainKeys Identified Mail) lets a sending server attach a cryptographic signature to outgoing email. The matching public key is published in DNS as a TXT record at a special name: selector._domainkey.domain. When a receiving server verifies a message, it reads the selector from the message's DKIM-Signature header, fetches that TXT record, and uses the public key to confirm the signature. A valid DKIM signature proves the message was authorised by the domain and was not altered after signing.
This checker asks you for the domain and the selector, then queries the corresponding record from our EU servers. It parses the DKIM tags - notably k= (key type, defaulting to RSA) and p= (the base64 public key) - and does more than a raw lookup: it decodes the key material and reports the actual RSA modulus length. An empty p= value is flagged as a revoked key, keys under 1024 bits are called out as trivially breakable, and keys under 2048 bits raise a warning since 2048-bit RSA is the current baseline. Ed25519 keys, the modern short-key alternative, are recognised by their k=ed25519 tag.
The selector is the part most people get stuck on: it is chosen freely by the sending system, so there is no single record to check. You find it in the s= field of a DKIM-Signature header on a real message from the domain, or in your mail provider's setup documentation. Common selectors include google for Google Workspace, selector1 and selector2 for Microsoft 365, s1 and s2 for many providers, k1 for Mailchimp, and default. A domain can run several selectors at once, one per sending service.
Because the record is fetched by our own resolvers rather than a third-party validator, the domains and selectors you test stay on our EU infrastructure and are not logged or passed to any external service.
How to use it
- 1Enter the domain that sends the mail you want to verify, for example example.eu.
- 2Enter the DKIM selector - take it from the s= tag of a DKIM-Signature header, or your mail provider's DNS instructions.
- 3Run the check to fetch the TXT record at selector._domainkey.domain.
- 4Review the reported key type and key length, and read any warnings about weak (under 2048-bit) or revoked keys.
- 5Repeat with each selector your senders use - Microsoft 365 and Google, for instance, publish different selectors.
Common use cases
- -Confirm a newly published DKIM record resolves and parses correctly before switching a mail flow live.
- -Diagnose why messages fail DKIM verification at the recipient by inspecting the published key.
- -Audit key strength and replace legacy 1024-bit RSA keys with 2048-bit or Ed25519 keys.
- -Detect a revoked key (empty p= tag) that is silently breaking authentication.
- -Check every selector across multiple sending platforms when consolidating or migrating email services.
Frequently asked questions
- What is a DKIM record?
- A DKIM record is a DNS TXT record holding the public key that receivers use to verify a domain's email signatures. It is published at selector._domainkey.domain and pairs with the private key held by the sending mail server.
- How do I find my DKIM selector?
- Open the raw headers of a real message from the domain and read the s= value in the DKIM-Signature line - that is the selector. Alternatively, check your email provider's DNS setup guide, since selectors are provider-specific.
- Why does the checker say no DKIM record was found?
- Almost always the selector is wrong or the record was never published. DKIM lookups only work for the exact selector a sender uses, so a valid domain with the wrong selector returns nothing.
- What key length should a DKIM record use?
- At least 2048-bit RSA, which is today's baseline. Keys under 1024 bits are considered breakable, and Ed25519 is a strong modern alternative that produces a much shorter published key.
- What does an empty p= tag mean?
- An empty p= value signals that the key has been revoked. Any signature made with the matching private key will fail verification, so a live selector should never have an empty p= tag.