DKIM Record Checker

Look up and validate DKIM (DomainKeys Identified Mail) records for any domain. Enter a domain name and DKIM selector to retrieve the public key and verify your email signing configuration.

Common selectors: google (Google Workspace), selector1/selector2 (Microsoft 365), s1/s2 (various), default

Figure 1 — DKIM Record Checker

What Is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that uses public-key cryptography to verify that an email message was sent by an authorized server and hasn't been modified in transit. The sending server adds a digital signature to each outgoing message header, and receiving servers verify this signature by looking up the public key in the sender's DNS records.

Unlike SPF, which validates the sending server's IP address, DKIM validates the message content itself. This makes DKIM resilient to email forwarding — a major advantage in modern email infrastructure. Together with SPF and DMARC, DKIM forms the foundation of email authentication.

How DKIM Signing Works

The DKIM signing and verification process involves several steps between the sending and receiving mail servers:

  1. Key generation — The domain owner generates a public/private key pair. The private key stays on the mail server; the public key is published in DNS.
  2. Message signing — When an email is sent, the mail server creates a hash of specified headers and the message body, then signs that hash with the private key.
  3. Header addition — The resulting signature is added to the email as a DKIM-Signature header.
  4. DNS lookup — The receiving server extracts the selector and domain from the DKIM-Signature header and queries DNS for the public key.
  5. Verification — The receiving server checks the signature with the public key against a locally computed hash of the message.

| DKIM Header Tag | Description | Example |
|---|---|---|
| v | Version (always 1) | v=1 |
| a | Signing algorithm | a=rsa-sha256 |
| d | Signing domain | d=example.com |
| s | Selector | s=google |
| h | Signed headers list | h=from:to:subject:date |
| b | Signature data (Base64) | b=dGVzdC4uLg== |
| bh | Body hash (Base64) | bh=MTIzNDU2... |
| c | Canonicalization method | c=relaxed/relaxed |

Pro Tip: Use 2048-bit RSA keys for DKIM signing. Older 1024-bit keys are still common but are increasingly vulnerable to brute-force attacks. Some DNS providers have a 255-character TXT record limit, which requires splitting the 2048-bit key across multiple strings within a single TXT record. Check your DNS configuration to verify the record is published correctly.

Common DKIM Selectors by Provider

Each email provider uses specific selector names. Knowing the right selector is essential for looking up DKIM records:

| Email Provider | Selector(s) | DNS Lookup Name |
|---|---|---|
| Google Workspace | google | google._domainkey.example.com |
| Microsoft 365 | selector1, selector2 | selector1._domainkey.example.com |
| Mailchimp | k1 | k1._domainkey.example.com |
| SendGrid | s1, s2 | s1._domainkey.example.com |
| Amazon SES | varies (CNAME-based) | Check SES console for exact value |
| Zoho | zoho, default | zoho._domainkey.example.com |
| ProtonMail | protonmail, protonmail2 | protonmail._domainkey.example.com |

Finding Your DKIM Selector

If you don't know your DKIM selector, you can find it in the headers of any email sent from your domain:

Gmail

1. Open the email in Gmail
2. Click the three dots (...) → "Show original"
3. Search for "DKIM-Signature:"
4. Find the "s=" tag — that's your selector

Command Line (Outlook/Thunderbird headers)

# Look for the s= value in the DKIM-Signature header:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google;
                h=from:to:subject:date;
                b=abc123...

In this example, the selector is google. You would look up google._domainkey.example.com to find the public key. If you need help with DNS queries, our DNS Lookup tool can retrieve any record type, and you can learn more about how resolvers work in our What Is DNS guide.

Note: DKIM selectors are case-insensitive in DNS but are typically lowercase. If a DKIM check fails, verify you're using the exact selector from the email header. Some providers rotate selectors periodically, so the selector in older emails may no longer have an active DNS record. You can check your overall DNS health using our lookup tool.
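
The header-to-lookup step described above, as an added example that is not code from this page or from any mail provider: it reads every DKIM-Signature header in a raw message, builds the selector._domainkey.domain name to query, and reports whether the signing domain relates to the visible From domain. The sample message, the function names and the simplified parent/child domain comparison are assumptions; a full DMARC alignment check needs the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real mail): two signatures, one from a third-party sender.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google;
        h=from:to:subject:date;
        bh=MTIzNDU2; b=abc123
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=k1;
        h=from:subject; bh=MTIzNDU2; b=def456
From: Alice <alice@news.example.com>
Subject: hello

body
"""

def parse_signature(value):
    """Turn a DKIM-Signature value into a tag dict, unfolding continuation lines."""
    pairs = (item.partition("=") for item in value.split(";"))
    return {k.strip(): "".join(v.split()) for k, sep, v in pairs if sep}

def dkim_lookups(raw_message):
    """For each signature: DNS name of the public key and how d= relates to From."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_signature(header)
        if not {"d", "s"} <= tags.keys():
            continue                      # cannot build a lookup name without d= and s=
        d = tags["d"].lower()
        # Simplified comparison (assumption): same domain, or one is a parent of the other.
        aligned = (d == from_domain or from_domain.endswith("." + d)
                   or d.endswith("." + from_domain))
        results.append({
            "lookup": f"{tags['s']}._domainkey.{d}",
            "aligned": aligned,
            "signs_from": "from" in tags.get("h", "").lower().split(":"),
        })
    return results

if __name__ == "__main__":
    for row in dkim_lookups(SAMPLE):
        print(row)
```

A signature whose d= is unrelated to the From domain can verify correctly and still say nothing about the visible sender, which is the gap DMARC closes.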

DKIM Key Management Best Practices

Proper key management is critical for maintaining DKIM security:

  • Use 2048-bit keys — 1024-bit keys are crackable with significant computational resources. 2048-bit is the current minimum recommendation.
  • Rotate keys regularly — Change DKIM keys every 6-12 months. Use two selectors to allow seamless rotation without downtime.
  • Protect private keys — The private key should be stored securely on the mail server with restricted file permissions. Never expose it through open ports or unsecured services.
  • Monitor verification rates — Track DKIM pass rates through DMARC reports to detect key issues early.
  • Revoke old keys — When rotating, publish an empty p= tag for old selectors to explicitly revoke them.

If you're securing your network infrastructure beyond email, check our guide on how to secure your home WiFi network and learn about DNS over HTTPS on routers for encrypted DNS queries.

Troubleshooting DKIM Failures

When DKIM verification fails, the issue usually falls into one of these categories:

  • Wrong selector — The most common issue. Verify the exact selector from email headers.
  • DNS propagation delay — New DKIM records take time to propagate. If you just added the record, wait and check again. If your DNS server isn't responding, the lookup will fail.
  • Message modification — Mailing lists, forwarding services, or security appliances may alter message headers or body, breaking the DKIM signature.
  • Key mismatch — The public key in DNS doesn't match the private key used for signing. Regenerate and republish both keys.
  • TXT record formatting — Long DKIM keys may be incorrectly split across TXT record strings. Each string must be enclosed in quotes and concatenated without spaces.
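
A check covering both the key management points (2048-bit keys, revocation with an empty p=) and the TXT formatting failure above, as an added example that is not this site's checker code: it joins the quoted strings of a TXT value, parses the tags, and reads the RSA modulus size out of the p= value using only the standard library. The function names and status labels are assumptions, and the sample records are constructed with a placeholder modulus rather than a real key.

```python
import base64
import re

def _tlv(buf, pos):
    """Read the DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of data (truncated key?)")
    return pos, pos + length

def rsa_key_bits(der):
    """Modulus size of an RSA SubjectPublicKeyInfo, the encoding carried in p=."""
    start, _ = _tlv(der, 0)                  # outer SEQUENCE
    _, alg_end = _tlv(der, start)            # AlgorithmIdentifier
    bit_start, _ = _tlv(der, alg_end)        # BIT STRING wrapping RSAPublicKey
    seq_start, _ = _tlv(der, bit_start + 1)  # skip the unused-bits byte
    mod_start, mod_end = _tlv(der, seq_start)
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def check_dkim_record(zone_value):
    """Return (status, key_bits) for a TXT value as written in a zone file."""
    parts = re.findall(r'"([^"]*)"', zone_value)
    record = "".join(parts) if parts else zone_value   # strings join with no separator
    pairs = (item.partition("=") for item in record.split(";"))
    tags = {k.strip(): "".join(v.split()) for k, sep, v in pairs if sep}
    if tags.get("p") == "":
        return "revoked", 0                  # empty p= means the key was withdrawn
    if tags.get("k", "rsa") != "rsa":
        return "non-rsa", 0                  # e.g. k=ed25519 is not DER-wrapped RSA
    try:
        bits = rsa_key_bits(base64.b64decode(tags["p"], validate=True))
    except (KeyError, ValueError, IndexError):
        return "malformed", 0                # missing, truncated or badly split key
    return ("ok" if bits >= 2048 else "weak"), bits

def _der(tag, body):                         # minimal encoder, only for the sample below
    n, k = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + body

def sample_record(bits, chunk=255):
    """Constructed sample: placeholder modulus (not a usable key), split into strings."""
    rsa = _der(0x30, _der(0x02, b"\x00" + b"\xc3" * (bits // 8)) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, bytes.fromhex("06092a864886f70d0101010500")) + _der(0x03, b"\x00" + rsa))
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return " ".join('"%s"' % value[i:i + chunk] for i in range(0, len(value), chunk))
```

Publishing only the first string of a split 2048-bit record yields "malformed", which is how a key cut off at the 255-character boundary shows up.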

Key Takeaways
  • DKIM uses public-key cryptography to sign email messages and verify they haven't been altered in transit.
  • The DKIM selector + domain combination determines where the public key is stored in DNS.
  • Use 2048-bit RSA keys and rotate them every 6-12 months for security.
  • DKIM survives email forwarding, unlike SPF, which checks the sending server's IP address.
  • Combine DKIM with SPF and DMARC for complete email authentication.
  • Check email headers to find the correct DKIM selector for any domain.

Frequently Asked Questions

What is a DKIM selector?

A DKIM selector is a string that identifies which DKIM key pair to use. It's published as part of the DNS record name: selector._domainkey.domain.com. A domain can have multiple selectors for different services or key rotation.

How do I find my DKIM selector?

Open any email sent from your domain, view the full message headers, and look for the DKIM-Signature header. The s= tag contains the selector name. For example, s=google means the selector is "google".

Can a domain have multiple DKIM records?

Yes. Each DKIM record uses a unique selector, so a domain can have multiple DKIM keys for different email services. For example, one selector for Google Workspace and another for a transactional email service like SendGrid.

What happens if DKIM verification fails?

A DKIM failure alone usually doesn't cause rejection. However, combined with SPF failure and a strict DMARC policy, it can result in email being rejected or sent to spam. DMARC requires either SPF or DKIM to pass.

Is DKIM enough to prevent email spoofing?

No. DKIM alone only verifies that a message was signed by the claimed domain. Without DMARC, an attacker can still spoof the visible "From" address while using a different signing domain. You need all three — SPF, DKIM, and DMARC — for comprehensive protection.

How often should I rotate DKIM keys?

Rotate DKIM keys every 6-12 months. Use two selectors to enable zero-downtime rotation: publish the new key under a new selector, update the mail server to use it, verify it works, then revoke the old key by setting an empty p= value.

Why is my DKIM record showing an empty public key?

An empty p= tag means the key has been revoked. This is the correct way to decommission an old DKIM key. If the key should be active, regenerate the key pair and republish the public key in DNS.

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.