DKIM tools

DKIM record checker

Prevent authentication failures by checking your DKIM selectors, public keys, and delegations in seconds.

Validate published DKIM public keys, key strength, and CNAME delegations before you send. Auto Detect probes selectors inferred from your SPF, MX, and ESP delegation signals.

About

The DKIM Checker validates published DKIM public keys at selector._domainkey.yourdomain.com, checking key presence, algorithm, strength, and CNAME delegations.

DKIM cryptographically signs outbound mail so receivers can verify messages were not altered and originated from an authorized sender.

Selector probing

Auto-detect selectors from SPF, MX, and ESP signals, or specify selectors manually.

Key validation

Verify public key exists, algorithm type, and minimum key length (2048-bit RSA recommended).

CNAME delegation

Detect when DKIM is delegated to an ESP via CNAME records.

Tag breakdown

Parsed v, k, p, and other DKIM tags with descriptions for each selector.

How to use this tool

Enter domain & selectors

Provide your domain and optional comma-separated selectors, or enable auto-detect.

Probe DNS records

The tool queries selector._domainkey.yourdomain.com for TXT or CNAME records.

Validate keys

Checks public key presence, RSA/Ed25519 algorithm, bit length, and syntax.

Review per-selector results

Read status cards, tag tables, and issues for each probed selector.

Understanding the results

Each selector represents a distinct signing key. Mail signed with a selector must have a matching valid public key published in DNS.

Valid

Public key is present, syntactically correct, and meets minimum strength requirements.

Invalid / weak key

Record exists but has issues, missing p= tag, key under 2048 bits, or syntax errors.

Not found

No DKIM TXT record at this selector, mail signed with it will fail DKIM verification.

CNAME delegation

Selector points to an ESP-hosted record via CNAME, common for managed email services.

Important result fields

Status

Valid, Invalid, or Not found for each probed selector.

Public key

Whether the p= tag contains a non-empty public key value.

Key algorithm

RSA or Ed25519, from the k= tag or inferred from the key.

Key length

Bit length for RSA keys, 2048-bit minimum recommended; 1024-bit flagged as weak.

Tags found

Parsed DKIM tags: v=DKIM1, k= (key type), p= (public key), t= (flags), etc.

Best practices & recommendations

Use 2048-bit RSA minimum

1024-bit keys are deprecated. Generate new keys at 2048-bit or use Ed25519 where supported.

Enable auto-detect first

Let the tool probe common selectors before manually guessing, ESPs use varied naming.

Rotate with dual selectors

Publish a new selector before retiring the old one to avoid verification gaps during key rotation.

Align with DMARC

DKIM must align with the From domain for DMARC to pass, verify signing domain matches.

Frequently asked questions

A name that identifies a specific signing key. Published at selector._domainkey.yourdomain.com, e.g. google._domainkey.example.com.

It probes selectors inferred from your SPF includes, MX records, and known ESP delegation patterns.

RSA keys under 2048 bits no longer meet modern security standards. Regenerate with 2048-bit or Ed25519.

Your selector CNAME points to the ESP's DNS (e.g. selector.domainkey.esp.com) where the actual key is hosted.

Yes. Each active signing key needs its own selector. During rotation, both old and new selectors may be published.

No. DKIM proves the message was signed by a key you control, not that the content is safe or expected.

Publish an empty p= value (p=;) on the old selector to revoke it without deleting the DNS record immediately.

Run this check once, or have it watched 24/7.

SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.

Start monitoring free All free tools