Free DKIM Checker

Instantly check your DKIM record by entering your domain name and selector. Our free DKIM lookup tool verifies your public key, validates syntax, detects misconfigurations, and identifies authentication failures. Get instant results – no signup required. 

For automated DKIM management and key rotation, see our Hosted DKIM service.

Your DKIM selectors will be detected automatically during lookup using the common selector list, so you won't have to enter them manually. Auto-Detect Selector

0+

Organisations worldwide

0+

Fortune 100 and governments

0+

countries served

How to Use This DKIM Checker

Check your DKIM record in 3 simple steps:

1

Enter Your Domain Name

Type in your domain (e.g., yourdomain.com), no http://, www, or mail. prefix needed. If you have multiple selectors, you'll check each one separately.

2

Enter Your DKIM Selector (or Leave Blank for Auto-Detection)

The selector is a label that identifies which public key to use. Common defaults: google, selector1, selector2, k1, s1.

3

Click Check

DKIM Results appear instantly. A pass means the DKIM record exists, is syntactically correct, and contains a valid public key.

Note: A passing DKIM check confirms the record is published correctly, but does not verify that your sending server has the matching private key configured. To test actual signing, send a test email and check the results.

What is a DKIM Record?

DKIM stands for DomainKeys Identified Mail. It is an email authentication protocol that lets sending servers digitally sign messages. A DKIM record is a DNS TXT record published at selector._domainkey.yourdomain.com that contains the public key that receivers use to verify signatures on your emails. DKIM protects against content tampering and spoofing, and is a key requirement for DMARC alignment and email deliverability.

For a deeper understanding, see our:

How Does DKIM Work?

DKIM signing and verification happen in four steps:

1
Signing

Your sending mail server signs the email with a private key stored on the server, creating a DKIM-Signature header that covers the message headers and body.

2
Transmission

The signed email (with DKIM-Signature header) is sent to the receiving mail server.

3
Key Lookup

The receiving server looks up the public key by querying your DNS record at selector._domainkey.yourdomain.com.

4
Verification

The receiver uses the public key to verify the signature. If the signature is valid, DKIM passes. If the signature is invalid or missing, DKIM fails.

What Does the DKIM Checker Verify?

Our DKIM checker runs 8 core checks on your DNS record. Here’s what each one means:

Record Existence

Confirms if a DKIM record exists at selector._domainkey.yourdomain.com. If no record is found, DKIM is not set up for this domain and selector.

1
Syntax Validation

Verifies that the record is correctly formatted per RFC 6376 (the DKIM standard), and flags missing or malformed tags.

2
Public Key Presence

Confirms if the p= tag is present and contains a non-empty public key. If p= is empty, the key has been revoked.

3
Key Algorithm

Identifies the key type: RSA (most common) or Ed25519 (newer, more efficient), and flags unknown algorithms.

4
Hash Algorithm

Confirms if h=sha256 is set, and flags h=sha1 as deprecated and weak.

5
Key Length

For RSA keys, flags keys under 2048 bits as weak, since RSA-2048 or Ed25519 are recommended.

6
Service Type Flag

Notes whether s=email is present. If absent, the record may not be processed correctly by all receivers.

7
DNS Path Confirmation

Shows the full DNS query path (selector._domainkey.domain.com) to help you verify the record location in your DNS provider.

8

Understanding Your DKIM Selector

A DKIM selector is a label in your DNS that identifies which public key to use. Many organizations have multiple DKIM records – one per email service provider (ESP) or mail server. The selector tells receivers which record to look up.

How to Find Your DKIM Selector

Method 1

Check an Email Header

  • 1

    Open an email sent from your domain (in Gmail, Outlook, etc.)

  • 2

    Click "Show original" or "View message source"

  • 3

    Find the DKIM-Signature header line

  • 4

    Look for the s= tag—that is your selector

Example: s=google means your selector is "google"
Method 2

Check Your Email Provider's Admin Console

Different infrastructure providers utilize different default string structures. Use the table to reference common default selector setups.

ESP Platform Selectors Infrastructure Note
Google Workspace google Single selector for all Google-hosted email deployments
Microsoft 365 selector1, selector2 Microsoft uses two keys alternately for rotation and redundancy
Mailchimp k1 Standard baseline key used heavily for transactional marketing emails
SendGrid s1, s2 or s201801, s201802 Verify your specific customer SendGrid dashboard for exact values
Amazon SES Custom (varies) You define this specific string profile manually when generating DKIM
Zoho Mail zmail1 Single default system validation selector parameter
Office 365 selector1, selector2 Follows structural alignment rules identical to Microsoft 365 cloud routing

What to Do If You Don’t Know Your Selector

  • Make our tool auto-detect it: Skip manual lookups entirely. Let our automated scanner analyze your domain infrastructure to identify active selectors instantly.

  • Try common defaults like google, selector1, selector2, k1, s1, or mail

  • Check your email service provider's help docs (most providers show their default selector)

  • If you still can't find it, contact your email provider's support team

Note: A single domain can have multiple selectors.

Common DKIM Errors and How to Fix Them

Here are the five most common DKIM issues and how to resolve them:

Error Code 01

No DKIM Record Found

Cause: The DNS TXT record is not published at the expected location, or the wrong selector is being checked.

Recommended Fixes:

  • Verify the selector name is correct
  • Confirm the TXT record is published
  • Check the full DNS path
  • Wait up to 72 hours
Error Code 02

Selector Mismatch

Cause: The selector in the email's DKIM-Signature header doesn't match the selector you're checking in DNS.

Recommended Fixes:

  • Verify the selector in the email matches the one you're using in the checker
  • If using multiple mail servers, ensure they all use the same selector
  • Check your mail server's DKIM config to confirm the selector setting
Status: Revoked

Key Revoked (p= tag is empty)

Cause: The public key has been intentionally revoked by leaving the p= tag empty or undefined.

Recommended Fixes:

  • Generate a new DKIM key pair
  • Publish the new public key
  • Update the private key
  • Re-run the checker
Optimization

Weak Key Algorithm or Key Length

Cause: The key is RSA-1024 (too short), uses SHA-1 (deprecated), or has another weak configuration.

Recommended Fixes:

  • Rotate to RSA-2048 or Ed25519
  • Use SHA-256 (h=sha256)
  • Check your provider's settings
Alignment Error

DKIM Passes But DMARC Fails

Cause: DKIM signature is valid, but the signing domain (d= in the DKIM-Signature header) doesn't align with the From address domain. DMARC requires alignment.

Recommended Fixes:

  • Match the DKIM d= domain to the From domain
  • Relaxed alignment allows subdomains
  • Verify DKIM and SPF alignment
  • Re-test DKIM and DMARC alignment

DKIM and DMARC: How They Work Together

DKIM and DMARC are both email authentication standards, but they serve different purposes:

DKIM Signs Messages

DKIM uses a private key on your mail server to digitally sign emails. Receivers verify these signatures using the public key from your DNS record. DKIM proves that a message came from an authorized mail server and wasn't altered in transit.

&
DMARC Enforces Policy

DMARC is a policy standard that tells receivers what to do if DKIM (or SPF) passes or fails. DMARC requires that DKIM signatures align with the From domain before trusting them.

For DMARC to pass via DKIM, two things must be true:
1

The DKIM signature must be cryptographically valid

2

The signing domain (d= in the DKIM-Signature) must align with the From address domain

Example: An email signed with DKIM from mail.example.com will only pass DMARC alignment if the From address is either @example.com (exact match) or @mail.example.com with aspf=r (relaxed mode).

If your DKIM checks pass but you're still having deliverability issues, the problem might be DMARC policy or SPF misalignment. Check your DMARC record and SPF record with our free tools.

Don't have a DMARC record yet? Generate one free!

Check your DMARC record?

Instantly verify if your DMARC record is live, valid, and free of syntax errors using our free lookup tool.

DMARC Checker

At p=none? Move to enforcement.

PowerDMARC's hosted DMARC guides you safely from monitoring to full p=reject enforcement with real-time visibility.

Hosted DMARC

Want ongoing monitoring?

PowerDMARC automatically parses aggregate reports and alerts you when new senders appear or authentication issues arise.

Start Free

What Our Clients & Partners Say About Us

Steve Smith
Steve Smith

Auckland Regional Manager, Advantage

“Our business is based on trust, not only between us and clients but partners as well. The great partnership we have with PowerDMARC allows us to deliver exceptional services to our clients.”

Frequently Asked Questions

What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication protocol that lets mail servers digitally sign emails. Receivers verify the signature using a public key from your DNS to confirm the email came from an authorized server and wasn't modified in transit. Read our full DKIM guide for more.
How do I check my DKIM record?
Enter your domain and selector in the checker above and click "Check DKIM." Results appear instantly. If you have email access, you can also check manually: view the email source of a message sent from your domain, find the DKIM-Signature header, and note the s= (selector) value. Then look up the DNS TXT record at selector._domainkey.yourdomain.com using dig or nslookup on the command line.
What is a DKIM selector?
A DKIM selector is a label in your DNS that identifies which public key to use. Organizations often have multiple DKIM records, one per mail provider. Common selectors include google (Google Workspace), selector1 (Microsoft 365), k1 (Mailchimp), and s1 (Sendgrid). See the 'Understanding Your DKIM Selector' section above for common defaults.
Why is DKIM failing?
The most common causes are: (1) wrong selector used, (2) DKIM record not published in DNS, (3) signing domain (d=) doesn't align with From address, or (4) key has been revoked. Use the checker above to diagnose which check is failing, then see the 'Common DKIM Errors' section for fixes specific to your error.
Does DKIM guarantee email delivery?
No. DKIM passing confirms that a message was signed by an authorized server and wasn't altered, it does not guarantee delivery. Delivery depends on your mail server's reputation, spam filters, and your DMARC policy. DKIM is one part of a broader email authentication strategy that includes SPF and DMARC.

Lookup, check, and validate your record using our Free DKIM record checker!