DKIM Record Checker

What Is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication protocol that allows the sender to digitally sign outgoing emails using cryptographic keys. The receiving mail server verifies the signature by looking up the sender's public key in DNS, confirming that the email genuinely came from the claimed domain and hasn't been altered during transit.

Unlike SPF, which only verifies the sending server's IP address, DKIM verifies the content of the email itself. This means DKIM protection survives email forwarding — a significant advantage since forwarded emails often fail SPF checks because the forwarding server's IP isn't in the original sender's SPF record.

How DKIM Works

DKIM uses public-key cryptography to sign and verify emails. Here's the process:

1. Signing: When your mail server sends an email, it creates a hash of specific email headers and the body, then encrypts that hash with your private DKIM key. This encrypted hash (the signature) is added to the email as a DKIM-Signature header.
2. DNS Lookup: The signature header includes a d= (domain) and s= (selector) tag. The receiving server combines these to look up [selector]._domainkey.[domain] in DNS to retrieve the public key.
3. Verification: The receiver decrypts the signature using the public key, computes its own hash of the email, and compares the two. If they match, the email passes DKIM verification.

Understanding DKIM Selectors

A DKIM selector is a string that identifies which public key to use for verification. It's part of the DNS lookup name: [selector]._domainkey.[domain]. Selectors serve several purposes:

• Multiple services: Different email services use different selectors. Google Workspace uses “google”, Microsoft 365 uses “selector1” and “selector2”, Mailchimp uses “k1”.
• Key rotation: When rotating DKIM keys, you publish the new key under a new selector while keeping the old one active during the transition period.
• Delegation: You can give different selectors to different departments or third-party senders, each with their own key pair.

DKIM Key Length and Security

The security of DKIM depends heavily on the key length:

• 512-bit: Trivially crackable. Never use.
• 768-bit: Weak and vulnerable. Should be upgraded immediately.
• 1024-bit: Currently acceptable but increasingly risky as computing power grows. Plan to upgrade.
• 2048-bit: Recommended standard. Provides strong security against brute-force attacks.
• 4096-bit: Maximum security, but may require splitting the DNS TXT record into multiple strings due to the 255-character per-string limit.

Our DKIM checker estimates key length from the base64-encoded public key data and provides a security assessment for each selector found.

Setting Up DKIM for Common Email Providers

Google Workspace

In the Google Admin console, go to Apps → Google Workspace → Gmail → Authenticate Email. Select your domain, generate a new DKIM key (choose 2048-bit), and add the provided TXT record to your DNS at google._domainkey.yourdomain.com. After DNS propagation, click “Start Authentication.”

Microsoft 365

Microsoft 365 automatically generates two DKIM selectors: selector1 and selector2. In the Microsoft Defender portal, go to Email & Collaboration → Policies → DKIM. Add the required CNAME records pointing to Microsoft's DKIM infrastructure, then enable DKIM signing for your domain.

Third-Party Email Services

Services like SendGrid, Mailchimp, Postmark, and Amazon SES each provide their own DKIM setup instructions with specific selectors and DNS records. Check your provider's documentation for exact setup steps, then verify with our DKIM checker tool.

DKIM, SPF, and DMARC — Complete Email Security

DKIM is one part of a three-layer email authentication system:

• SPF — Verifies the sending server's IP address is authorized
• DKIM — Verifies the email content hasn't been tampered with (you're checking this now)
• DMARC — Ties SPF and DKIM together and defines the policy for failed checks

For best email deliverability and protection against spoofing, configure all three. Use our SPF checker and DMARC checker to validate your complete setup.

Frequently Asked Questions About DKIM

What is a DKIM record?

A DKIM record is a DNS TXT record that contains the public key used to verify DKIM email signatures. It's published at [selector]._domainkey.[domain] and allows receiving servers to confirm that emails genuinely came from your domain.

How do I find my DKIM selector?

Check the DKIM-Signature header in any email sent from your domain — the s= tag contains your selector. Common selectors: “google” (Google Workspace), “selector1”/“selector2” (Microsoft 365), “k1” (Mailchimp). Our tool auto-tries 16 common selectors.

What key length should I use?

Use 2048-bit RSA keys at minimum. 1024-bit keys are still acceptable but should be upgraded. Keys shorter than 1024 bits are vulnerable to cracking. Some providers support ed25519 keys for better performance.

What does testing mode (t=y) mean?

The t=y flag signals that DKIM is in testing mode and failed signatures shouldn't be treated as definitive. Remove this flag once you've verified DKIM signing works correctly.

Can I have multiple DKIM records?

Yes — each DKIM record uses a unique selector, so multiple records don't conflict. This is common when using multiple email services or during key rotation.

How do I rotate DKIM keys?

Generate a new key with a new selector, publish it in DNS, wait for propagation, switch your mail server to use the new selector, keep the old record for 1-2 weeks, then remove it.

How does DKIM relate to SPF and DMARC?

SPF verifies the sending server's IP. DKIM verifies email content integrity. DMARC ties them together with a policy for handling failures. Configure all three for comprehensive email security.

Why is my DKIM check failing?

Common causes: missing or incorrect DNS record, wrong selector, email modified in transit (by mailing lists or forwarding), key mismatch between signing server and DNS record, or DNS propagation delay after setup.