DKIM Record Checker — Validate Your DKIM Key
Check if your domain has valid DKIM records. Scans common selectors, validates public key strength, flags weak keys.
Enter your domain to scan for DKIM records. Leave the selector blank and we'll scan 13 common ones (default, google, selector1, selector2, s1, s2, k1, mail, dkim, mandrill, mailgun, sm, sendgrid), or enter your specific selector: it's the prefix before ._domainkey. in your DNS.
What Is DKIM (DomainKeys Identified Mail)?
DKIM is an email authentication method that adds a cryptographic signature to every message you send. The signature is created using a private key that only your mail server has. Recipients verify the signature using a public key published in your DNS.
If the signature verifies successfully, the receiving server knows two things: the message genuinely came from an authorised sender for your domain, and the message content was not altered during transit. This is something SPF cannot provide — SPF checks the sending IP, not the message itself.
How DKIM Signing Works
- Your sending server generates a hash of select email headers and the message body
- The hash is signed with your domain's private key to create a DKIM signature
- The signature is added as a DKIM-Signature header on the outgoing message
- The receiving server extracts the selector (s=) and domain (d=) from the header
- It looks up the public key at selector._domainkey.domain.com via DNS
- It verifies the signature with the public key and compares hashes: a match means pass
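The signing and verification steps above as a simplified model, added here as an example and not code from this page's service: it shows that a footer appended in transit or an edited header makes verification fail. Assumptions: a constructed toy key, textbook RSA without PKCS#1 padding, no header or body canonicalization, and the signature kept as a dict instead of a real DKIM-Signature header.

```python
import base64, hashlib

# Constructed toy key built from two Mersenne primes: illustration only, not secure.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q                               # public modulus (would sit in the DNS p= tag)
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (stays on the sending server)
SIGNED_HEADERS = ["from", "subject"]    # the h= list: headers covered by the signature

def body_hash(body):
    """bh= value: base64 SHA-256 of the message body."""
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()

def header_digest(headers, domain, selector, bh):
    """SHA-256 over the signed headers plus the DKIM-Signature fields with b= empty."""
    lines = [f"{name}:{headers[name]}" for name in SIGNED_HEADERS]
    lines.append(f"dkim-signature:d={domain}; s={selector}; bh={bh}; b=")
    return int.from_bytes(hashlib.sha256("\r\n".join(lines).encode()).digest(), "big")

def sign(headers, body, domain, selector):
    """Sender side: hash body and headers, sign the header digest with the private key."""
    bh = body_hash(body)
    b = pow(header_digest(headers, domain, selector, bh), D, N)
    return {"d": domain, "s": selector, "bh": bh, "b": b}

def verify(headers, body, sig, n=N, e=E):
    """Receiver side: n and e stand in for the key fetched from s._domainkey.d."""
    if body_hash(body) != sig["bh"]:
        return "fail: body hash mismatch"
    digest = header_digest(headers, sig["d"], sig["s"], sig["bh"])
    return "pass" if pow(sig["b"], e, n) == digest else "fail: signature mismatch"

# Constructed sample message.
HEADERS = {"from": "news@example.com", "subject": "Invoice 42"}
BODY = "Your invoice is attached.\r\n"
SIG = sign(HEADERS, BODY, "example.com", "selector1")
```

Calling `verify(HEADERS, BODY + "footer", SIG)` fails on the body hash, while changing a signed header fails on the signature itself.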
DKIM Record Format
A DKIM record is a TXT record at selector._domainkey.yourdomain.com. A typical record looks like:
| Tag | Purpose |
|---|---|
| v=DKIM1 | Version — must be DKIM1 |
| k=rsa | Key type — rsa is standard, ed25519 is emerging |
| p=... | Public key — base64-encoded |
| t=y | Test mode — signing is being tested (remove once confirmed) |
Why DKIM Is Critical for Email Deliverability
Message Integrity
DKIM is the only standard email authentication method that proves a message was not tampered with in transit. SPF checks the sending server's IP address, but says nothing about the message content. DKIM's cryptographic signature covers both headers and body — if anything changes after signing, the signature breaks.
Domain Reputation
ISPs like Gmail and Outlook build sender reputation at the domain level, not just the IP level. DKIM signing ties every message to your domain identity. Over time, consistent DKIM-signed sending with low complaint rates builds a domain reputation that follows you even if you change email providers or IP addresses.
DKIM and DMARC Alignment
DKIM is one of two mechanisms DMARC checks for alignment. For DKIM alignment, the d= domain in the DKIM signature must match the From header domain. This is especially important for forwarded messages — SPF breaks on forwarding, but DKIM survives because the signature travels with the message.
Common DKIM Issues and How to Fix Them
Weak Key Size (1024-bit or Shorter)
Keys shorter than 2048 bits are considered cryptographically weak. RFC 8301 recommends 2048-bit minimum. Some older email provider setups still use 1024-bit keys. Fix: generate a new 2048-bit keypair with your provider and update the DNS record. Our checker flags keys estimated at 1024 bits or less.
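The record checks described above (tag table, test mode, weak key size) in minimal form, added here as an example and not the checker's own code: it parses the TXT record and reads the RSA modulus length from the DER structure in p= instead of estimating it. The function names are illustrative, and the sample records are constructed with a placeholder modulus, not a real key.

```python
import base64

def parse_tags(txt):
    """Split a DKIM TXT record into tag=value pairs (RFC 6376 tag-list)."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def tlv(buf, pos):
    """Read the DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_value):
    """Modulus size of the base64 SubjectPublicKeyInfo carried in p=."""
    raw = base64.b64decode(p_value)
    start, _ = tlv(raw, 0)                    # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = tlv(raw, start)              # AlgorithmIdentifier, skipped
    bits_start, _ = tlv(raw, alg_end)         # BIT STRING wrapping RSAPublicKey
    seq_start, _ = tlv(raw, bits_start + 1)   # +1 skips the unused-bits octet
    mod_start, mod_end = tlv(raw, seq_start)  # first INTEGER is the modulus
    return int.from_bytes(raw[mod_start:mod_end], "big").bit_length()

def audit(txt):
    """Return findings for one DKIM record; an empty list means nothing flagged."""
    tags, findings = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= is not DKIM1")
    if "y" in tags.get("t", "").split(":"):
        findings.append("test mode (t=y) still set")
    if not tags.get("p"):
        findings.append("empty p= (key missing or revoked)")
    elif tags.get("k", "rsa") == "rsa" and rsa_bits(tags["p"]) < 2048:
        findings.append(f"weak RSA key: {rsa_bits(tags['p'])} bits")
    return findings

def der_enc(tag, body):  # DER encoder, only used to build the constructed samples
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_record(bits, extra=""):
    """Constructed record: DER-valid SPKI with a placeholder modulus, not a real key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = der_enc(0x30, der_enc(0x02, modulus) + der_enc(0x02, b"\x01\x00\x01"))
    alg = der_enc(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = der_enc(0x30, alg + der_enc(0x03, b"\x00" + key))
    return f"v=DKIM1; k=rsa; {extra}p=" + base64.b64encode(spki).decode()
```

For example, `audit(sample_record(1024, "t=y; "))` reports both the test flag and the 1024-bit key, while a 2048-bit record returns an empty list.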
Selector Not Found in DNS
The DKIM record must be published at exactly the right DNS location: selector._domainkey.yourdomain.com. A typo in the selector name, a missing DNS record, or DNS propagation delay all cause lookup failures. Fix: verify the selector name with your email provider, double-check the DNS hostname, and wait 1-4 hours after adding the record.
DKIM Signature Broken by Email Forwarding
Some forwarding services modify message headers or body content (adding footers, rewriting links), which invalidates the DKIM signature. This is a known limitation of DKIM. Fix: this is generally a recipient-side issue. If you control the forwarding, configure it to preserve original message content. ARC (Authenticated Received Chain) is an emerging standard that helps with this.
Missing DKIM for Third-Party Senders
Each service that sends email from your domain needs its own DKIM signing. Your marketing platform, transactional email provider, CRM and helpdesk should each have DKIM configured with their own selector. Fix: audit every sending service and enable DKIM signing for each one. Each will have its own selector and DNS record.
How NexusProMail Handles DKIM
- Automatic DKIM signing on all outbound email — marketing and transactional
- 2048-bit RSA keys by default
- Per-brand DKIM keys for multi-tenant and dealer setups
- Custom DKIM via CNAME delegation — publish one CNAME, we handle key rotation
DKIM Record FAQ
What is a DKIM record?
A DKIM record is a DNS TXT record that publishes the public key used to verify DKIM signatures on your outgoing email. It lives at selector._domainkey.yourdomain.com, where "selector" is a label chosen by your email provider (e.g. "google" for Google Workspace, "selector1" for Microsoft 365).
How do I find my DKIM selector?
Check with your email provider — they assign the selector when you set up DKIM. You can also find it by sending yourself an email and looking at the DKIM-Signature header: the "s=" value is your selector. Our checker scans 13 common selectors automatically if you leave the field blank.
What key size should I use for DKIM?
Use 2048-bit RSA keys. RFC 8301 recommends at least 2048 bits, and most modern email providers default to this. 1024-bit keys still technically work but are considered cryptographically weak and may be flagged by security-conscious receivers.
Does DKIM prevent email spoofing?
DKIM alone does not prevent spoofing — it proves that a specific message was signed by the domain's key and was not altered in transit. An attacker cannot forge a valid DKIM signature without access to your private key. Combined with DMARC alignment, DKIM provides strong anti-spoofing protection.
What happens if DKIM fails?
If a DKIM signature fails verification, the message loses that authentication signal. Without DMARC, the receiving server decides what to do (usually treats it as suspicious). With DMARC, the server applies your published policy — none (monitor), quarantine (spam folder) or reject (bounce).
Can I have multiple DKIM selectors?
Yes. Multiple selectors are common and recommended. Different email services (marketing platform, transactional provider, CRM) each use their own selector. You can also rotate keys by publishing a new selector before retiring the old one, ensuring continuous signing during the transition.