Get a FREE .NL, .BE, .EU, or .COM domain with any hosting package! Claim your free domain!
TheHostMasters
Navigation
Hosting Plans
Domain Registration
Blog
Free Tools
About Us
Services
Services
Free Domain Offer
Get a free .NL, .BE, .EU, or .COM with any hosting plan.
Claim now
Contact & Support
Get Started Today
NLEN
Free DKIM Checker

DKIM Record Checker

Check your DKIM configuration instantly. Verify DKIM records, selectors, public keys, key types, versions and flags to ensure proper email authentication.

DKIM RecordSelectorPublic KeyKey TypeVersionFlagsHash Algorithms

Essential for preventing email spoofing, improving inbox placement and ensuring your domain's email authentication is correctly configured.

Validate DKIM Record

Check the raw DKIM TXT record and verify its structure.

Verify Selector

Confirm the selector matches your email provider configuration.

Inspect Public Key

View the full RSA public key and verify it is properly published.

Check Key Type & Version

Verify DKIM version and cryptographic key type (e.g., RSA).

What can you check with this DKIM tool?

This DKIM checker helps you validate how your domain signs outgoing emails. It looks up the DKIM record at [selector]._domainkey.[domain] and displays the complete DNS configuration.

DKIM (DomainKeys Identified Mail) is a core email authentication standard used alongside SPF and DMARC. A missing, broken or misconfigured DKIM setup can result in spam filtering, rejection, or domain spoofing vulnerabilities. This tool helps you quickly diagnose and fix your DKIM configuration.

DKIM details you can inspect

Raw Record

Displays the full DKIM TXT record exactly as published in DNS, including the complete tag-value syntax.

Version (v)

Shows the DKIM version tag. Should always be DKIM1 for current DKIM implementations.

Key Type (k)

Specifies the cryptographic algorithm used for the public key, typically rsa for RSA encryption.

Public Key (p)

The actual RSA public key in base64 format that receiving servers use to verify DKIM signatures.

When should you use a DKIM checker?

  • After configuring email sending services
  • When emails are marked as spam
  • After DNS or email provider changes
  • During SPF/DKIM/DMARC setup
  • When troubleshooting email delivery issues
  • To verify your DKIM public key is correct
  • When rotating or updating DKIM keys

Frequently Asked Questions

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was sent by an authorized server and was not modified in transit. The sending server adds a digital signature to the email header, and receiving servers validate this signature by looking up the public key in your DNS.

DKIM improves email deliverability by allowing receiving servers to verify message authenticity and reduce spoofing and phishing attempts. It also helps build sender reputation and protects your domain from being used in email-based attacks. Many email providers (Gmail, Outlook, Yahoo) use DKIM as a key signal for inbox placement.

A selector is a name that identifies which DKIM key is used in DNS. It allows domains to have multiple DKIM keys active simultaneously, which is useful for key rotation and managing different email providers. The selector is included in the DKIM signature header of outgoing emails. Common selectors include default, google, selector1 (Microsoft 365), or date-based selectors like 20230601.

DKIM records use tag-value pairs. v=DKIM1 is the version tag. k=rsa specifies the key type (RSA encryption). p= contains the actual public key in base64 format. t= (flags) can include y for testing mode. h= lists acceptable hash algorithms. s= specifies the service type. Each tag provides important configuration details for email receivers.

If DKIM fails, emails may still be delivered but are more likely to be marked as spam or rejected depending on your DMARC policy. With a strict DMARC policy (p=reject), failing DKIM can cause legitimate emails to be rejected entirely. A DKIM failure can occur due to missing DNS records, incorrect selectors, expired keys, or email content being modified after signing.

These are three complementary email authentication standards. SPF verifies that the sending server is authorised to send mail for the domain. DKIM adds a cryptographic signature to verify content integrity and authenticity. DMARC builds on both SPF and DKIM and lets you define a policy for how receiving servers should handle messages that fail authentication. All three should be configured together for strong email security.

DKIM alone is not enough to guarantee inbox delivery. Common reasons emails still land in spam despite having DKIM configured include: missing or misconfigured SPF, strict DMARC policies failing, poor sender reputation, low domain age, or the email content itself being flagged as suspicious. Use this checker to rule out DKIM issues first, then verify your SPF and DMARC configuration.

Enter your domain name and DKIM selector into the checker above. The tool will perform a DNS TXT lookup at [selector]._domainkey.[domain]. If the record exists, you'll see the raw DKIM record along with parsed tags including version, key type, and public key. You can also inspect email headers of a sent message for Authentication-Results: dkim=pass.

Your DKIM selector is provided by your email service provider. Common defaults include default, google (Google Workspace), selector1 or selector2 (Microsoft 365), or date-based selectors like 20230601. You can also find the selector by inspecting the DKIM signature header in a sent email - look for s= in the DKIM-Signature header.

Yes. Some email forwarding services modify the email content or headers, which can invalidate the DKIM signature. When this happens, the forwarded email may fail DKIM verification at the final destination. This is one reason why SPF and DMARC alignment can be challenging with forwarding scenarios. ASPF (Authenticated Received Chain) is being developed to help address this issue.

The standard key type for DKIM is rsa (RSA encryption). 2048-bit RSA keys are strongly recommended for strong security and are the current industry standard. 1024-bit keys are the minimum supported but are considered weaker. Some providers support ed25519 keys, which offer better security with smaller key sizes, but adoption is still limited.

Security experts recommend rotating DKIM keys every 6-12 months. Regular rotation reduces security risks and limits exposure if a key is compromised. When rotating keys, use a new selector so both old and new keys can coexist during the transition period, ensuring no authentication interruptions occur. After confirming the new key works, you can remove the old record.

A DKIM record is a TXT record added to your domain's DNS at [selector]._domainkey.yourdomain.com. Your email provider generates both the selector name and the public key value. The record format is v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY. Many providers (Google Workspace, Microsoft 365, SendGrid, Mailchimp) handle key generation automatically and provide the values to publish in your DNS.

DNS changes typically propagate within a few minutes to a few hours, depending on the TTL (Time To Live) set on your DNS records and your DNS provider. In most cases, expect visibility within 24 to 48 hours maximum, though it is often much faster in practice. After propagation, newly sent emails will include DKIM signatures.

When you enter a domain and selector, the tool performs a DNS TXT lookup at [selector]._domainkey.[domain]. It then displays the raw DKIM record and parses all tag-value pairs including version (v), key type (k), public key (p), flags (t), hash algorithms (h), and service type (s). This gives you a complete view of your DKIM configuration exactly as email receivers will see it.

You should check your DKIM configuration whenever you set up a new email provider, notice deliverability issues, after DNS changes, or as part of regular security audits. Periodic checks every 3-6 months help ensure your keys haven't expired and your configuration remains valid, especially since some providers rotate keys automatically.

Yes, this DKIM checker is completely free. Enter any domain and selector to validate your DKIM configuration instantly, with no account or sign-up required.
News & Articles

The Latest News and Articles

View All