Skip to main content

DKIM Record Checker

DKIM keys live at <selector>._domainkey.<domain>. Enter a domain plus the selector your mail platform uses.

Common selectors to try: googleselector1selector2defaultk1k2s1s2mailemail

What this DKIM record checker does

This DKIM record checker looks up the public key a sender publishes at <selector>._domainkey.<domain>. It confirms the record is there, parses the key type and algorithm, checks the key length, and flags common problems like a test-mode flag or a revoked (empty) key.

Why it matters

DKIM signs your outbound mail with a private key; receivers verify the signature against this published public key. If the key is missing, too small, or revoked, the signature fails and the message loses one of the two ways it can pass DMARC. Because DKIM lives under a selector you choose, the record is easy to publish on the wrong name or forget entirely when you add a new sending platform.

How to read the result

A valid result means a key is published on that selector and parses cleanly. "No DKIM key published" usually means the selector name is wrong rather than that DKIM is broken, so try the common selectors listed on the form (each mail platform uses its own). The tags table shows the raw k=, p=, and flags, and the findings explain anything worth tightening.

Related

Frequently asked questions

How do I find my DKIM selector?

The selector is the label before ._domainkey in the record name, and each mail platform uses its own (google for Google Workspace, selector1 and selector2 for Microsoft 365, k1 for Mailchimp, and so on). Find it in the s= tag of the DKIM-Signature header of an email you sent, or check your provider's DKIM settings.

How do I check a DKIM record?

Enter your domain and the selector your mail platform uses, and this checker looks up the public key at selector._domainkey.yourdomain.com, parses the key type and length, and flags problems like test mode or a revoked key. Or query it directly: dig TXT selector._domainkey.yourdomain.com +short.

Why is my DKIM record not found?

Almost always the selector is wrong rather than DKIM being broken. Try the common selectors for your provider, confirm DKIM signing is actually enabled in the admin console, and remember the key lives under the selector you chose, not at the domain apex.

What DKIM key length should I use?

At least 2048-bit RSA, or Ed25519. RSA-1024 still works at every major receiver but RSA-2048 is the modern recommendation, so this checker flags an undersized key when it sees one and you can rotate it.


Want ongoing monitoring?

This tool is a one-shot check. PhishFence watches your domain with automated hourly monitoring (daily on Free) for DMARC changes, new lookalike registrations, and spoofing attempts.

Start free monitoring