DomainKeys Identified Mail (DKIM), specified in RFC 6376, adds a cryptographic signature to outgoing messages that receiving servers use to verify the email has not been tampered with in transit. A broken or missing DKIM record means those signatures cannot be validated, which directly impacts your sender reputation and inbox placement. Use the InboxTooling DKIM Check tool to test your configuration instantly.
What the DKIM Checker Validates
When you enter your domain and DKIM selector, the tool queries DNS for the corresponding TXT record at selector._domainkey.yourdomain.com and performs a thorough analysis.
Key Checks Performed
- Record existence: Confirms that a DKIM TXT record is published at the correct selector subdomain.
- Public key validity: Parses the p= tag to verify the public key is well-formed and Base64-encoded. An empty p= tag indicates a revoked key.
- Key type and length: Identifies the algorithm (rsa or ed25519) and key size. RSA keys shorter than 1024 bits are considered insecure; 2048-bit keys are the current recommendation.
- Tag analysis: Evaluates optional tags such as t=s (strict domain matching), t=y (testing mode), and h= (acceptable hash algorithms).
- Syntax validation: Catches malformed records, including missing required tags, invalid characters, or line-break issues introduced during DNS entry.
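The same checks can be run offline against a record value you already have. This is an added example, not InboxTooling's code: check_dkim_record, rsa_bits and the sample record are hypothetical names and constructed data, and the result is mapped to pass, warning or fail. It assumes an RSA p= value is a DER SubjectPublicKeyInfo and does not evaluate the v= or h= tags.

```python
import base64

def _tlv(buf, pos, want):
    """Read the DER element at pos; return (value_start, value_end)."""
    length, start = buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    if buf[pos] != want or start + length > len(buf):
        raise ValueError("bad or truncated DER element")
    return start, start + length

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the p= payload)."""
    start, _ = _tlv(der, 0, 0x30)           # SubjectPublicKeyInfo
    _, alg_end = _tlv(der, start, 0x30)     # AlgorithmIdentifier (skipped)
    bits, _ = _tlv(der, alg_end, 0x03)      # BIT STRING wrapping the key
    seq, _ = _tlv(der, bits + 1, 0x30)      # RSAPublicKey, after the pad byte
    m0, m1 = _tlv(der, seq, 0x02)           # INTEGER modulus
    return int.from_bytes(der[m0:m1], "big").bit_length()

def check_dkim_record(txt):
    """Return (status, findings); status is 'pass', 'warning' or 'fail'."""
    tags, fail, warn = {}, [], []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = part.partition("=")
        if not sep or name.strip() in tags:
            fail.append("malformed or duplicate tag: " + part)
        tags[name.strip()] = "".join(value.split())   # drop folding whitespace
    key_type, p = tags.get("k", "rsa"), tags.get("p")
    try:
        raw = base64.b64decode(p or "", validate=True)
        if not p:
            fail.append("p= missing" if p is None else "empty p=: key revoked")
        elif key_type == "rsa":
            size = rsa_bits(raw)
            if size < 2048:
                (fail if size < 1024 else warn).append(f"{size}-bit RSA key")
        elif key_type != "ed25519" or len(raw) != 32:
            fail.append("unsupported k= or wrong ed25519 key length")
    except (ValueError, IndexError):
        fail.append("p= is not a well-formed Base64 public key")
    if "y" in tags.get("t", "").split(":"):
        warn.append("t=y: testing mode")
    return ("fail" if fail else "warning" if warn else "pass"), fail + warn

# Constructed sample: real DER framing around a filler 1024-bit modulus.
_HDR = "30819f300d06092a864886f70d010101050003818d0030818902818100"
SAMPLE = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(
    bytes.fromhex(_HDR) + b"\xc3" * 128 + bytes.fromhex("0203010001")).decode()
```

Calling check_dkim_record(SAMPLE) reports a warning for both the 1024-bit key and the t=y flag; join multi-string TXT records into one value before passing them in.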
How to Use the DKIM Tester
Navigate to the DKIM Check tool and enter two values:
- Domain: Your sending domain (e.g., example.com).
- Selector: The DKIM selector string used by your mail server or ESP. Common selectors include google (Google Workspace), selector1/selector2 (Microsoft 365), s1/s2 (various ESPs), or custom values.
If you do not know your selector, use our Header Analyzer to inspect a recent message. The DKIM-Signature header contains an s= tag that reveals the selector.
Understanding DKIM Results
Pass
The DKIM record exists, the public key is valid, and the configuration follows best practices. Receiving servers can successfully verify signatures made with the corresponding private key.
Warnings
The record is functional but has room for improvement. Common warnings include using a 1024-bit RSA key (upgrade to 2048-bit), running in test mode (t=y), or missing recommended tags.
Fail
The record is missing, contains an invalid key, or has syntax errors that prevent signature verification. This requires immediate attention, as Gmail, Outlook, and Yahoo will not be able to validate your messages.
Why DKIM Matters for Deliverability
Authentication Requirements
Since early 2024, Gmail and Yahoo require either SPF or DKIM authentication to pass for all inbound mail, and bulk senders must pass both. Microsoft Outlook applies similar scrutiny. A valid DKIM signature builds long-term sender reputation tied to your signing domain, independent of sending IP.
DMARC Alignment
DKIM is one of two mechanisms (alongside SPF) that DMARC relies on for alignment. For DMARC to pass via DKIM, the d= domain in the DKIM signature must align with the From: header domain. Our DKIM checker flags alignment issues so you can resolve them before they affect your DMARC compliance.
Message Integrity
Unlike SPF, which only validates the sending server, DKIM verifies that the message content has not been altered after signing. This includes headers such as From, Subject, and Date, as well as the message body. It is a stronger signal of legitimacy to receiving mail servers.
FAQ
What is a DKIM record?
A DKIM record is a DNS TXT record published at selector._domainkey.yourdomain.com that contains a public cryptographic key. Receiving mail servers use this key to verify the DKIM signature attached to incoming messages, confirming the email was authorized by the domain owner and was not modified in transit. The standard is defined in RFC 6376.
How do I check if my DKIM record is valid?
Enter your domain and DKIM selector into the DKIM Verify tool to instantly query DNS and validate your record. The tool checks for record existence, public key validity, key length, and correct tag syntax. If you do not know your selector, inspect the s= tag in the DKIM-Signature header of a sent message using the Header Analyzer.
What is a DKIM selector and how do I find it?
A DKIM selector is a string that identifies which DKIM key pair to use for a given domain, allowing a single domain to publish multiple keys for different mail streams or providers. Common selectors include google for Google Workspace, selector1 and selector2 for Microsoft 365, and custom values set by your ESP. You can find your selector by examining the s= tag in the DKIM-Signature header of any email sent from your domain.
What key size should I use for DKIM?
Use a 2048-bit RSA key at minimum. Keys of 1024 bits are still functional but are considered weak by modern standards, and some security-focused receivers may treat them with reduced trust. If your DNS provider supports records longer than 255 characters without issues, a 2048-bit key is the current industry recommendation per updated guidance alongside RFC 8301.
What happens when DKIM verification fails?
When DKIM fails, the receiving server cannot confirm the message's authenticity or integrity, which may result in the email being sent to spam or rejected outright. A DKIM failure also means the message cannot pass DMARC alignment via DKIM, leaving SPF as the only fallback. Use the DKIM Verify tool to diagnose common failure causes such as missing records, revoked keys, or DNS propagation delays.
How does DKIM relate to DMARC?
DMARC, defined in RFC 7489, requires at least one of SPF or DKIM to both pass and align with the From: header domain. For DKIM alignment, the d= domain in the DKIM signature must match (or be a subdomain of) the From: domain. Passing DKIM with proper alignment is especially important for forwarded mail, since SPF often breaks when messages are relayed through intermediary servers.
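The selector lookup and the alignment rule described in the answers above can be scripted against a saved message. This is an added example, not part of the original page: dkim_lookups and the sample message are hypothetical and constructed, and alignment uses the simplified rule stated here (d= equals the From: domain or is a subdomain of it).

```python
import email
from email.utils import parseaddr

# Constructed message with two signatures; bh= and b= values are filler.
SAMPLE_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com;
 s=selector1; h=from:subject:date; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=
DKIM-Signature: v=1; a=rsa-sha256; d=esp-mailer.test; s=s1;
 h=from:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=
From: Alice <alice@example.com>
Subject: Quarterly report

Body text.
"""

def dkim_lookups(raw_message):
    """For each DKIM-Signature return (DNS name to query, d= domain, aligned)."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in header.split(";"):
            name, sep, value = part.partition("=")
            if sep:
                tags[name.strip()] = "".join(value.split())  # unfold the value
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        if not d or not s:
            continue                       # signature lacks a required tag
        aligned = bool(from_domain) and (
            d == from_domain or d.endswith("." + from_domain))
        results.append((f"{s}._domainkey.{d}", d, aligned))
    return results

if __name__ == "__main__":
    for name, domain, aligned in dkim_lookups(SAMPLE_MESSAGE):
        print(f"{name}  d={domain}  aligned={aligned}")
```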
Next Steps
After confirming your DKIM setup, validate your SPF record and review your DMARC policy. For a consolidated view of your entire authentication stack, use the Header Analyzer on a live message to see SPF, DKIM, and DMARC results as evaluated by the receiving server.