DKIM Record Checker
Verify DKIM key configuration for any domain and selector. Check key type, size, and validity.
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic digital signature to outgoing emails, allowing receiving mail servers to verify the message was sent by an authorized sender and wasn't altered in transit.
DKIM works using a public/private key pair. The sending mail server holds a private key and uses it to generate a signature for each outgoing email. This signature is added as a DKIM-Signature header in the message. The corresponding public key is published in DNS as a TXT record at a specific location determined by the DKIM selector, for example: selector._domainkey.example.com.
When a receiving server gets an email with a DKIM signature, it extracts the selector (the s= tag) and the signing domain (the d= tag) from the header, looks up the public key in DNS, and uses it to verify the signature. If the signature is valid, the email passes DKIM authentication — confirming it was authorized by the domain owner and was not modified after signing.
DKIM selectors allow a single domain to use multiple signing keys. This is useful when different services (e.g., Google Workspace, Mailchimp, a transactional email provider) each send email on behalf of the same domain. Each service uses its own selector and key pair, so keys can be managed and rotated independently.
What does this tool check?
The DKIM Record Checker queries DNS for the DKIM public key at the selector you specify and validates the result. Specifically, it checks:
- DKIM record presence — Whether a DKIM TXT record exists for the specified selector at
selector._domainkey.domain - Key record validity — Whether the record contains a valid public key, correct version tag (v=DKIM1), and properly formatted key data (p= tag)
- Key type and parameters — The key type (RSA or Ed25519) and any flags or service type restrictions specified in the record
- Selector configuration — Whether the selector is correctly configured and resolvable, identifying issues like empty key fields (revoked keys) or DNS resolution failures
Common DKIM Selectors
Different email providers use different default DKIM selectors. Here are the most common ones to help you get started:
| Selector | Provider |
|---|---|
google | Google Workspace (Gmail) |
selector1 / selector2 | Microsoft 365 (Outlook/Exchange Online) |
k1 | Mailchimp |
s1 / s2 | Various providers (Amazon SES, generic configurations) |
default | Common default selector for many mail servers and hosting providers |
If you're unsure which selector your domain uses, check the DKIM-Signature header in a recent email or consult your email provider's documentation.
Frequently Asked Questions
What is a DKIM selector?
A DKIM selector is a string used to locate a specific DKIM public key in DNS. When a mail server signs an outgoing email, it includes the selector in the DKIM-Signature header (the s= tag). The receiving server uses the selector to query DNS for the public key at selector._domainkey.domain. Different selectors allow a domain to publish multiple DKIM keys, one for each sending service or mail system.
How do I find my DKIM selector?
To find your DKIM selector, open a recent email from your domain and view the full message headers. Look for the DKIM-Signature header and find the s= tag — that value is your selector. For example, s=googlemeans the selector is "google". Alternatively, check your email provider's documentation: Google Workspace uses "google", Microsoft 365 uses "selector1" and "selector2", and Mailchimp uses "k1".
What is DKIM alignment?
DKIM alignment means the domain in the DKIM signature (the d=tag) matches the domain in the From header of the email. DMARC requires either SPF or DKIM alignment to pass. Alignment can be "strict" (exact domain match) or "relaxed" (organizational domain match, allowing subdomains). Relaxed alignment is the default and is sufficient for most configurations.
How often should DKIM keys be rotated?
Security best practices recommend rotating DKIM keys every 6 to 12 months. Regular rotation limits the window of exposure if a private key is compromised. To rotate without downtime, publish the new key with a new selector, update your mail server to sign with the new key, verify emails are passing DKIM checks with the new selector, and then remove the old key from DNS after a transition period.
Can I have multiple DKIM selectors?
Yes, a domain can have as many DKIM selectors as needed. Each selector points to a different public key in DNS. This is common when multiple services send email on behalf of your domain — for example, Google Workspace might use "google", Mailchimp might use "k1", and a transactional email service might use its own selector. Each service signs with its own private key and corresponding selector.