DKIM Record Checker
Look up and inspect a domain's DKIM record. Enter a domain and the selector, and this tool queries selector._domainkey live, parses the public key, and reports the key type, version and whether the key is valid or revoked. Don't know the selector? Leave it blank and the tool probes a list of common selectors and reports any it finds. DKIM is the cryptographic signature that proves your email was not tampered with in transit.
Leave the selector blank to probe common selectors (google, selector1, k1, …). Runs in your browser over DNS-over-HTTPS. Nothing is stored.
How to use the DKIM Record Checker
Enter the domain. If you know your DKIM selector, put it in the second box and press Check DKIM. The tool reports:
- Whether a DKIM key is published at selector._domainkey.domain, or whether it is revoked (an empty p=).
- The key type (RSA or Ed25519), version, and a rough RSA key size.
- The public key itself, with a copy button.
If you do not know your selector, leave the box blank and the tool probes a dozen common selectors (google, selector1, selector2, k1, default and more) and reports any that exist. The surest way to find your real selector is the s= tag in the DKIM-Signature header of an email you actually sent.
What DKIM is and how selectors work
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email so receivers can verify two things: that the message really came from your domain, and that it was not altered in transit. Your mail server signs each message with a private key; the matching public key is published in DNS so any receiver can check the signature. If the signature verifies, the message passes DKIM.
The public key lives in a TXT record at a special name built from a selector:
selector._domainkey.example.com
The selector is just a label that lets a domain publish more than one key at once — for different sending services, or for rotating keys over time. Each email's DKIM-Signature header carries the selector it used (the s= tag) and the domain (d=), so the receiver knows exactly which DNS record to fetch. Selectors are provider-specific and not discoverable from DNS alone: Google Workspace uses google, Microsoft 365 uses selector1 and selector2, and email platforms like Mailchimp, SendGrid or Postmark each have their own. That is why this tool either takes the selector you provide or probes the common ones.
The record itself is a set of tag=value pairs. The important ones are v (version, DKIM1), k (key type, usually rsa, increasingly ed25519), and p (the base64 public key). A few details to watch: an empty p= means the key has been revoked; a t=y flag means the domain is in DKIM test mode so failures are not enforced; and RSA keys should be at least 1024-bit, ideally 2048-bit — shorter keys are deprecated. DKIM is one of the three pillars of email authentication, working alongside SPF (which authorises sending servers) and DMARC (which ties them together and sets policy).
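An added example (not this tool's own code) of the checks described above: it parses the tag=value pairs, flags a revoked key (empty p=) and test mode (t=y), and reads the RSA modulus size from the decoded p= value. The function names, the finding labels and the sample record are assumptions made for this illustration; the sample key is constructed around a dummy modulus.

```python
import base64

def parse_tags(txt):
    """Split a DKIM TXT record into {tag: value}; whitespace inside values is dropped."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _tlv(buf, pos):
    """Read the DER element header at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    seq, _ = _tlv(der, 0)            # outer SEQUENCE
    _, alg_end = _tlv(der, seq)      # AlgorithmIdentifier, skipped
    bitstr, _ = _tlv(der, alg_end)   # BIT STRING wrapping the key
    key, _ = _tlv(der, bitstr + 1)   # +1 skips the unused-bits byte
    start, end = _tlv(der, key)      # INTEGER modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def assess(txt):
    """Return (key_type, rsa_bits_or_None, findings) for one DKIM record."""
    tags, findings, size = parse_tags(txt), [], None
    ktype = tags.get("k", "rsa")     # RFC 6376: k defaults to rsa when absent
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("bad-version")
    if "y" in tags.get("t", "").split(":"):  # t= is a colon-separated flag list
        findings.append("test-mode")
    p = tags.get("p")
    if not p:                        # empty p= means revoked; no p= at all is invalid
        findings.append("revoked" if p == "" else "no-key")
    elif ktype == "rsa":
        try:
            size = rsa_bits(base64.b64decode(p))
        except (ValueError, IndexError):
            return ktype, None, findings + ["unparseable-key"]
        if size < 2048:
            findings.append("rsa-too-short" if size < 1024 else "rsa-below-2048")
    return ktype, size, findings

# Constructed sample: 1024-bit DER framing around a dummy modulus, not a usable key.
_DER = (bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100")
        + b"\xc3" * 128 + bytes.fromhex("0203010001"))
SAMPLE = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(_DER).decode()
print(assess(SAMPLE))
```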
Common use cases
- Verifying DKIM setup — confirm a newly published key resolves at the right selector and parses correctly.
- Finding your selector — probe common selectors when you are not sure which one your provider uses.
- Checking key strength — see whether an RSA key is a healthy 2048-bit or a weak, deprecated length.
- Spotting a revoked key — catch an empty p= on a selector that is still meant to sign mail.
- Migrating email providers — confirm the new provider's DKIM key is live before cutting over.
How to find your DKIM selector
Because selectors are not listed anywhere in DNS, you have to learn yours from a message or your provider. The reliable ways:
- Read a sent email's headers. Open the raw source / "show original" of a message you sent, find the DKIM-Signature line, and read the s= tag — that is the selector and d= is the signing domain.
- Check your provider's docs. Common defaults: Google Workspace google; Microsoft 365 selector1/selector2; Amazon SES uses long token selectors; Mailchimp k1; Postmark pm variants.
- Probe here. Leave the selector blank and let this tool test the common ones for you.
Once DKIM checks out, make sure the other two pillars are healthy: the TXT lookup shows your SPF record, and the DMARC Record Checker shows the policy that ties SPF and DKIM together. To build a DKIM DNS record from a key, use the DKIM Record Generator.