Prevent authentication failures by checking your DKIM selectors, public keys, and delegations in seconds.
The DKIM Checker validates published DKIM public keys at selector._domainkey.yourdomain.com, checking key presence, algorithm, strength, and CNAME delegations.
DKIM cryptographically signs outbound mail so receivers can verify messages were not altered and originated from an authorized sender.
Auto-detect selectors from SPF, MX, and ESP signals, or specify selectors manually.
Verify public key exists, algorithm type, and minimum key length (2048-bit RSA recommended).
Detect when DKIM is delegated to an ESP via CNAME records.
Parsed v, k, p, and other DKIM tags with descriptions for each selector.
Provide your domain and optional comma-separated selectors, or enable auto-detect.
The tool queries selector._domainkey.yourdomain.com for TXT or CNAME records.
Checks public key presence, RSA/Ed25519 algorithm, bit length, and syntax.
Read status cards, tag tables, and issues for each probed selector.
Each selector represents a distinct signing key. Mail signed with a selector must have a matching valid public key published in DNS.
Public key is present, syntactically correct, and meets minimum strength requirements.
Record exists but has issues, missing p= tag, key under 2048 bits, or syntax errors.
No DKIM TXT record at this selector, mail signed with it will fail DKIM verification.
Selector points to an ESP-hosted record via CNAME, common for managed email services.
Valid, Invalid, or Not found for each probed selector.
Whether the p= tag contains a non-empty public key value.
RSA or Ed25519, from the k= tag or inferred from the key.
Bit length for RSA keys, 2048-bit minimum recommended; 1024-bit flagged as weak.
Parsed DKIM tags: v=DKIM1, k= (key type), p= (public key), t= (flags), etc.
1024-bit keys are deprecated. Generate new keys at 2048-bit or use Ed25519 where supported.
Let the tool probe common selectors before manually guessing, ESPs use varied naming.
Publish a new selector before retiring the old one to avoid verification gaps during key rotation.
DKIM must align with the From domain for DMARC to pass, verify signing domain matches.
A name that identifies a specific signing key. Published at selector._domainkey.yourdomain.com, e.g. google._domainkey.example.com.
It probes selectors inferred from your SPF includes, MX records, and known ESP delegation patterns.
RSA keys under 2048 bits no longer meet modern security standards. Regenerate with 2048-bit or Ed25519.
Your selector CNAME points to the ESP's DNS (e.g. selector.domainkey.esp.com) where the actual key is hosted.
Yes. Each active signing key needs its own selector. During rotation, both old and new selectors may be published.
No. DKIM proves the message was signed by a key you control, not that the content is safe or expected.
Publish an empty p= value (p=;) on the old selector to revoke it without deleting the DNS record immediately.
SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.