Speak to an Email Deliverability Consultant FOR FREE

DKIM Lookup and DKIM Record Checker

Q: What is DKIM, and what does a DKIM record do?

DKIM (DomainKeys Identified Mail) is an email authentication protocol that adds digital signatures to messages. Your mail server signs outgoing emails with a private key, receivers verify signatures using the public key published in DNS at selector._domainkey.domain. DKIM confirms messages came from your domain and weren't tampered with in transit.

Q: Why should I check DKIM records regularly?

Selector mismatches break authentication, key rotations require DNS updates, and ESP migrations change signing configuration. Check DKIM monthly and after infrastructure changes to confirm public keys remain accessible and selectors align with mail server configuration.

Q: What is DKIM lookup used for?

A DKIM lookup retrieves and validates your domain's DKIM record from DNS. It verifies the public key exists at the correct selector, checks tag syntax, confirms cryptographic configuration, and tests whether signatures will verify successfully.

Q: How does a DKIM checker help?

A DKIM checker simulates what receiving mail servers do during signature verification. It shows whether your public key is published correctly, warns when selectors mismatch, and flags weak cryptography that causes reputation penalties.

Q: What is a DKIM selector, and why does it matter?

A DKIM selector is a label that identifies which public key to use for verification. Mail servers include the selector in email signatures, receivers query selector._domainkey.domain for the key. Wrong selector means lookup fails — authentication breaks despite valid signatures.

Q: Can I use multiple DKIM selectors for one domain?

Yes. Multiple selectors enable key rotation, third-party sending, and department-specific keys. Each selector points to a different public key. Rotate selectors when changing keys to maintain verification for messages signed with old keys.

Q: What happens if my DKIM record is missing or invalid?

Without a valid DKIM, messages have no signature verification. Attackers can tamper with content, spoof sender identity, and impersonate your domain. Receivers treat unsigned messages suspiciously — deliverability drops, spam folder rates increase.

Q: How does DKIM work with SPF and DMARC?

DKIM provides signature verification and message integrity. SPF authorizes sending IPs. DMARC combines both alignment rules and policy enforcement. DKIM passes when the signature verifies, and the signing domain aligns with the Header From. DMARC requires either SPF or DKIM to pass alignment.

Q: Why is my DKIM failing even though I have a published record?

Most failures come from selector mismatches or key mismatches. Mail server signs with one selector, DNS publishes at a different selector. Or the public key in DNS doesn't correspond to the private key on the mail server. Check which selector your mail server uses, and verify that it matches the DNS label exactly.

Q: What's the difference between DKIM and SPF?

SPF authorizes sending servers by IP address — validated during SMTP connection. DKIM signs message content with cryptographic signature — validated after receipt. SPF breaks with forwarding (IP changes), DKIM survives forwarding (signature travels with message). Use both for complete protection.

Check DKIM Records to Verify Signatures & Stop Email Tampering

Run a free DKIM check on any domain and selector — our DKIM lookup tool validates digital signatures, verifies public key configuration, and shows exactly what's breaking authentication and enabling message tampering.

Enter the domain and selector to check DKIM records

Trusted by 1000+ companies

Check DKIM Records for Any Domain in Seconds

Enter a domain name and selector to run a DKIM lookup and check DKIM configuration. The DKIM record checker returns:

Whether a DKIM record exists

Signature algorithm and hash settings

Complete DKIM record string with all tags

Selector verification and DNS label accuracy

Public key value and key type (RSA, Ed25519)

Validation status with detailed error explanations

Receiving servers perform this exact DKIM check when your emails arrive. Run it before launching campaigns — catch broken signatures and missing selectors before they tank authentication (and enable attackers to tamper with your messages).

What Our DKIM Checker Tests

The DKIM lookup tool runs four critical diagnostics on your domain's DKIM record:

Free email warmup➔

DKIM Record Presence and Selector Validation

Verifies a valid DKIM TXT record exists at selector._domainkey.yourdomain.com. Confirms selector matches what your mail server uses to sign messages. One selector mismatch means receiving servers can't find your public key — every email fails DKIM authentication despite having valid signatures.

Public Key and Cryptographic Configuration

Extracts and validates the public key from your DKIM record. Verifies key type (RSA or Ed25519), key length (1024, 2048, or 4096-bit), and cryptographic algorithm (rsa-sha256 vs rsa-sha1). Weak keys or deprecated algorithms get flagged by modern receivers — messages pass DKIM technically, but get penalized in reputation scoring.

Tag Syntax and Record Formatting

Parses required tags (v, p) and optional tags (k, t, s, h, n) to confirm proper formatting. Checks version tag correctness, validates service types, and verifies flags. One syntax error makes the entire record unparsable. Receiving servers ignore broken records and treat messages as unsigned — zero DKIM protection.

Signature Integrity and Key Matching

Tests whether the public key in DNS corresponds to signatures your mail server generates. Detects key mismatches that occur when you regenerate keys without updating DNS, or when mail servers use the wrong selectors. Mismatch means every outbound message fails DKIM verification regardless of proper signing.

Figuring Out What DKIM Check Results Mean

The DKIM record checker classifies issues, so you know what broke and how to fix it.

Valid DKIM Record

Record exists at the correct selector, syntax follows spec, public key present and properly formatted, tags configured correctly. Clean DKIM — signatures verify successfully, message integrity confirmed, and authentication passes.

Syntax and Formatting Errors

Version tag missing, public key malformed, incorrect delimiters, invalid tag values. Servers can't parse your record. They treat messages as unsigned despite valid signatures from the mail server — zero DKIM protection while thinking you're protected.

Selector Not Found

The record might exist, but the selector in the email headers doesn't match the DNS record. Mail server signs with one selector, DNS publishes at a different selector. Common cause — ESP migration where the old selector remains in the mail config. Result — all DKIM checks fail at the verification stage.

Missing or Empty Public Key

Record exists, but p= tag empty or missing entirely. Empty key explicitly revokes DKIM for that selector — use when retiring keys. A missing key means an incomplete configuration. Either way, authentication fails for every message.

Key Type or Algorithm Issues

Key type unsupported by receiver, algorithm deprecated (rsa-sha1), key length below minimum (512-bit). Modern receivers reject weak cryptography. Messages technically authenticate, but get reputation penalties or outright rejection.

DKIM Tags and Record Structure

DKIM records published as DNS TXT records at selector._domainkey.domain — tags define key properties and signature rules.

Tag	Description	Valid Values	Impact
v	Protocol version	DKIM1	Only valid value — missing invalidates record
p	Public key (required)	Base64 encoded key	Empty revokes DKIM, missing breaks authentication
k	Key type	rsa, ed25519	Defaults to rsa — must match mail server configuration
t	Flags	y, s	Testing allows failures, strict requires exact domain match
s	Service types	email, *	Restricts which services can use this key
h	Acceptable hash algorithms	sha1, sha256	Limits which algorithms receivers accept
n	Administrator note	Free text	Optional metadata — not processed by receivers

DKIM Signature Algorithms and Security

Algorithm choice affects both security and deliverability — receivers penalize weak cryptography.

Algorithm	Security Level	Adoption	Recommendation
rsa-sha1	Weak — deprecated	Legacy only	Avoid — major receivers penalize or reject
rsa-sha256	Strong — current standard	Universal support	Use by default for all mail
ed25519	Strongest — emerging	Limited receiver support	Use when receivers support it

Use rsa-sha256 with 2048-bit keys for maximum compatibility. Upgrade to Ed25519 only after confirming receiver support.

Complete Email Authentication with DKIM, SPF, and DMARC

DKIM doesn't work alone — proper authentication requires SPF, DKIM, and DMARC together. Run a DKIM lookup to validate signatures, then check SPF records and check DMARC policy.

If you've configured DKIM but emails still land in spam, authentication isn't your only problem. Book a free email deliverability consultation, and we'll:

Analyze domain reputation and blacklist status

Provide specific fixes to restore inbox placement

Audit your complete authentication setup (SPF, DKIM, DMARC)

Identify content triggers causing spam filtering

Stop losing revenue to spam folders today.

Frequently asked questions
about our FREE SPF Generator

Here’s everything you need to know about our SPF Generator:

What is DKIM, and what does a DKIM record do?

Why should I check DKIM records regularly?

What is DKIM lookup used for?

How does a DKIM checker help?

What is a DKIM selector, and why does it matter?

Can I use multiple DKIM selectors for one domain?

What happens if my DKIM record is missing or invalid?

How does DKIM work with SPF and DMARC?

Why is my DKIM failing even though I have a published record?

What's the difference between DKIM and SPF?