DKIM Record Checker.
A DKIM record checker verifies that your domain's DomainKeys Identified Mail configuration is correctly set up so receiving servers can confirm your emails are authentic and unaltered. Enter any domain and this free tool automatically scans 13 common selectors used by Google Workspace, Microsoft 365, Mailchimp, SendGrid, and other providers, or look up a specific selector you provide. It validates the public key, reports key type and bit strength, detects test mode that weakens authentication, and gives actionable recommendations. Proper DKIM alongside SPF and DMARC is essential for inbox placement.
Enter your email to receive a copy of your results and share them with your team.
How to Use This Tool
Auto-Scan Mode
Enter your domain name and leave the selector field blank. The tool will automatically scan 13 common DKIM selectors used by major email providers including Google, Microsoft 365, Mailchimp, SendGrid, and others.
Targeted Lookup
If you know your DKIM selector, enter it in the selector field for a focused lookup. Click the selector field to see suggestions for common email provider selectors. The tool queries the specific selector._domainkey.domain DNS record directly.
How DKIM Authentication Works
Signing
Your mail server generates a cryptographic hash of the email body and selected headers, then signs it with the private key associated with the DKIM selector.
Header Added
A DKIM-Signature header is added to the outgoing email containing the selector name, signing domain, algorithm used, and the digital signature itself.
DNS Lookup
The receiving server extracts the selector and domain from the DKIM-Signature header, then queries DNS for the public key at selector._domainkey.domain.
Verification
The receiving server uses the public key to verify the digital signature. If it matches, the email passes DKIM authentication, confirming its authenticity and integrity.
Frequently Asked Questions
What is a DKIM record and why do I need one?
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to outgoing messages. A DKIM DNS record publishes the public key that receiving servers use to verify these signatures. Without DKIM, your emails are more likely to be flagged as spam or rejected, because recipients cannot verify that messages actually came from your domain and were not modified in transit.
How do I find my DKIM selector?
Your DKIM selector is set by your email provider during setup. Common selectors include "google" for Google Workspace, "selector1" and "selector2" for Microsoft 365, "k1" for Mailchimp/Mandrill, and "s1"/"s2" for SendGrid. You can also find it by examining the DKIM-Signature header in any email sent from your domain - the "s=" tag contains the selector name. Our tool auto-scans 13 common selectors if you do not know yours.
What key size should I use for DKIM?
Use a minimum of 2048-bit RSA keys for DKIM signing. 1024-bit keys are considered weak and could potentially be compromised. Many providers now default to 2048-bit keys, and some support 4096-bit for extra security. Ed25519 keys are also supported by some providers and offer equivalent security with shorter key lengths. Our checker reports the detected key type and size for each selector.
What does DKIM test mode (t=y) mean?
The t=y flag in a DKIM record indicates test mode. When set, receiving servers are advised to treat DKIM verification failures as if the domain had no DKIM record at all, rather than penalizing the message. This is useful during initial DKIM setup to verify that signing works correctly before enforcing it. Once you confirm DKIM is working properly, remove the t=y flag to get full authentication benefits.
Can I have multiple DKIM selectors on one domain?
Yes, and it is recommended. Multiple DKIM selectors allow you to use different keys for different email services (e.g., one for Google Workspace and another for your marketing platform). They also enable key rotation without downtime - you publish a new key under a new selector, switch your signing to use the new selector, and then remove the old one. Each selector is a separate DNS record at selector._domainkey.yourdomain.com.
Related DNS Tools
SPF Record Generator & Validator
Generate and validate SPF records for your domain to improve email deliverability and prevent spoofing.
Use Tool → Email InfrastructureDMARC Record Generator & Checker
Build and validate DMARC policies to protect your domain from email spoofing and phishing attacks.
Use Tool → Email InfrastructureDomain Health Checker
Run a comprehensive health scan combining SPF, DKIM, DMARC, MX, and blacklist checks in one report.
Use Tool → Email InfrastructureMX Record Lookup
Look up MX records for any domain to see which mail servers handle its email delivery.
Use Tool →We Build Enterprise Email Infrastructure
Our Email Infrastructure Setup service handles SPF, DKIM, DMARC, and full email authentication setup. Starting at $5K for complete DNS authentication and deliverability optimization.
Learn About Email Infrastructure SetupLearn More
How to Build Cold Email Infrastructure That Scales
Domain procurement, DNS configuration including DKIM setup, and sending architecture for high-volume outbound.
Cold Email Deliverability: Why Emails Land in Spam
Diagnose the five root causes of deliverability failures including DKIM misconfiguration, with concrete fixes.
Domain Warming Strategy: The Complete 2026 Guide
Day-by-day volume ramp schedules and DNS authentication requirements before warming begins.