DKIM Record Checker
DKIM keys live at <selector>._domainkey.<domain>. Enter a domain plus the selector your mail platform uses.
What this DKIM record checker does
This DKIM record checker looks up the public key a sender publishes at <selector>._domainkey.<domain>. It confirms the record is there, parses the key type and algorithm, checks the key length, and flags common problems like a test-mode flag or a revoked (empty) key.
Why it matters
DKIM signs your outbound mail with a private key; receivers verify the signature against this published public key. If the key is missing, too small, or revoked, the signature fails and the message loses one of the two ways it can pass DMARC. Because DKIM lives under a selector you choose, the record is easy to publish on the wrong name or forget entirely when you add a new sending platform.
How to read the result
A valid result means a key is published on that selector and parses cleanly. "No DKIM key published" usually means the selector name is wrong rather than that DKIM is broken, so try the common selectors listed on the form (each mail platform uses its own). The tags table shows the raw k=, p=, and flags, and the findings explain anything worth tightening.
Related
- How DKIM works, the protocol primer behind this check.
- SPF vs DKIM vs DMARC, how DKIM fits alongside SPF and DMARC.
- DKIM Record Generator for the exact selector and record to publish per email provider.
- DMARC Record Checker to confirm DKIM and SPF feed the policy that protects your domain.
- Scan your domain to get your exact records plus guided setup, with DKIM checked alongside SPF, DMARC, and lookalike domains in one pass.
Frequently asked questions
How do I find my DKIM selector?▾
The selector is the label before ._domainkey in the record name, and each mail platform uses its own (google for Google Workspace, selector1 and selector2 for Microsoft 365, k1 for Mailchimp, and so on). Find it in the s= tag of the DKIM-Signature header of an email you sent, or check your provider's DKIM settings.
How do I check a DKIM record?▾
Enter your domain and the selector your mail platform uses, and this checker looks up the public key at selector._domainkey.yourdomain.com, parses the key type and length, and flags problems like test mode or a revoked key. Or query it directly: dig TXT selector._domainkey.yourdomain.com +short.
Why is my DKIM record not found?▾
Almost always the selector is wrong rather than DKIM being broken. Try the common selectors for your provider, confirm DKIM signing is actually enabled in the admin console, and remember the key lives under the selector you chose, not at the domain apex.
What DKIM key length should I use?▾
At least 2048-bit RSA, or Ed25519. RSA-1024 still works at every major receiver but RSA-2048 is the modern recommendation, so this checker flags an undersized key when it sees one and you can rotate it.
Want ongoing monitoring?
This tool is a one-shot check. PhishFence watches your domain with automated hourly monitoring (daily on Free) for DMARC changes, new lookalike registrations, and spoofing attempts.