DKIM Checker

Verify your DKIM email signing configuration

Share:

Check DKIM Record

Common selectors: google, default, selector1, selector2, k1, s1, dkim, mail

Verify Your DKIM Email Signing

Ensure your emails are properly signed with DKIM to improve deliverability and prevent spoofing

DKIM (DomainKeys Identified Mail) adds a digital signature to your outgoing emails, allowing receiving mail servers to verify that the email was truly sent by your domain and wasn't tampered with in transit. Our checker validates your DKIM record for any selector.

What This Tool Checks

DKIM Record Lookup

Queries the selector._domainkey.domain DNS TXT record.

Public Key Validation

Verifies the presence and validity of the public key (p= tag).

Key Type

Identifies the key type (RSA, Ed25519) used for signing.

Revocation Check

Detects if the DKIM key has been revoked (empty p= tag).

Best Practices

  • Use 2048-bit RSA keys for maximum security.
  • Rotate DKIM keys periodically (every 6-12 months).
  • Keep track of your DKIM selectors used by different email services.
  • Test DKIM after any DNS changes to verify signing still works.
  • Configure multiple selectors for different email sending services.
  • Pair DKIM with SPF and DMARC for complete email authentication.

Frequently Asked Questions

What is a DKIM selector?

A DKIM selector is a name that identifies a specific DKIM public key in DNS. Different email services use different selectors (e.g., Google uses 'google', Microsoft uses 'selector1').

How do I find my DKIM selector?

Check your email service provider's documentation, or look at the DKIM-Signature header in your sent emails for the 's=' tag value.

What does an empty p= tag mean?

An empty p= tag means the DKIM key has been revoked. This tells receiving servers that signatures from this selector should be considered invalid.