How It Works
Verify your DKIM configuration in four simple steps
Enter Domain
Type in your parent root website domain name (e.g. microsoft.com).
Specify Selector
Provide the active DKIM selector name (e.g. s1, google, default) found in headers.
Query DNS TXT
We query TXT records at the subdomain path: selector._domainkey.domain.
Security Diagnostics
We check the public key Base64 structure, verify key format, and evaluate RSA key length.
Verify Your Domain's DKIM Public Key
Enter your domain and the specific selector to locate the cryptographic public key records.
Why Use Our DKIM Record Checker?
The professional and secure way to verify that your DomainKeys Identified Mail signatures parse correctly.
Base64 Key Integrity Audits
We analyze the structure of your Base64 encoded public key signature string, checking for layout corruption, formatting issues, or syntax errors.
Public Key Size Evaluation
We automatically detect your RSA key bit size, ensuring your signature matches modern security requirements (recommending 2048-bit keys).
Interactive Tag Breakdown
We parse the raw string into understandable tag segments, explaining the version (v), key type (k), hash protocols (h), and public key (p).
Trusted by Security Admins & SEOs
See how email professionals audit signature records
"Finding DKIM errors used to involve copy-pasting DNS strings into openssl commands. This tool queries the selector and verifies key formats instantly. Absolutely stellar."
Marcus Aurel
Sysadmin & Cybersecurity Consultant
"I use this checker during all of my client onboarding audits. It highlights if their mail provider keys are still using old 1024-bit security which triggers spam filters in Gmail."
Laura Green
SEO Consultant
"The interface is beautiful and the parsed tags table layout is very clear. It correctly flag revoked keys with empty p= values."
Steve Rogers
Email Architect
Latest Articles & Guides
Expert tips to master DKIM authentication and security keys
What is DKIM? A Complete Guide to Email Signatures
Learn how DomainKeys Identified Mail (DKIM) attaches cryptographic signatures to email headers to verify origin and prevent email tampering.
Understanding DKIM Selectors: How to Choose & Find Them
What is a DKIM selector? Learn how domains use multiple selectors to segment sending tools, and discover how to locate your active selectors.
RSA Key Length for DKIM: 1024 vs 2048 Bit Security
A security breakdown of why 2048-bit keys are the industry standard for DKIM, and why 1024-bit keys are slowly being phased out.
How to Rotate DKIM Keys Without Dropping Outbound Emails
Step-by-step guide to executing a zero-downtime DKIM key rotation using dual-signing or DNS staging, ensuring your email deliverability remains flawless.
Frequently Asked Questions
DomainKeys Identified Mail (DKIM) is an email authentication method that adds a cryptographic digital signature to emails. The DKIM record is a public key published in your domain's DNS zones, which receiving servers query to verify that the message indeed came from your domain and wasn't altered.
A DKIM selector is a specific string key identifier defined in your email signature headers (e.g. s=google or s=s1). It dictates the subdomain lookup path where the corresponding public key is stored in your DNS (selector._domainkey.domain).
Send an email from your domain to an inbox you control. Open the email, select 'View raw headers' or 'Show original', and search for 'DKIM-Signature'. Within that header block, look for the 's=' attribute. The value after the equals sign is your selector.
Modern standards recommend 2048-bit RSA keys. Although 1024-bit keys remain supported, they are increasingly vulnerable to mathematical factoring attacks. Avoid using keys shorter than 1024 bits.
Yes. In fact, using different selectors is best practice if you send emails from different mail applications (e.g. Google Workspace, Mailchimp, and SendGrid). Each sender service will use its own selector key to avoid authentication conflicts.