Free tool
Validate DKIM signatures and verify email authentication configuration. Check public key records, key sizes, and cryptographic signing setup.
Automate everything
InboxKit automatically generates and manages DKIM keys, SPF, DMARC, and BIMI for all your domains.
Overview
DomainKeys Identified Mail (DKIM) is an email authentication protocol that uses cryptographic signatures to verify that an email message was sent by the domain it claims to be from and that the content has not been tampered with during transit. It is one of the three pillars of email authentication alongside SPF and DMARC.
DKIM works by adding a digital signature header to outgoing emails using a private key held by the sending server. The corresponding public key is published as a DNS TXT record at selector._domainkey.yourdomain.com. Receiving mail servers retrieve this public key and use it to verify the signature, confirming the email's authenticity and integrity.
Record format
A DKIM record is a DNS TXT record that contains the public key used to verify email signatures. It consists of several key-value pairs that define the key type, algorithm, and the public key data:
Version
v=DKIM1
Identifies the record as DKIM version 1
Key Type
k=rsa
RSA is the standard algorithm (Ed25519 emerging)
Public Key
p=MIGf...
Base64-encoded public key data (2048-bit recommended)
Example DKIM Record
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg...
Validation
Our free DKIM checker performs a comprehensive analysis of your domain's DKIM configuration:
DNS Record Presence
Verifies that a DKIM TXT record exists at selector._domainkey.yourdomain.com
Record Syntax
Validates the DKIM record format including version tag and key parameters
Public Key Validity
Confirms the public key is properly Base64-encoded and parseable
Key Size Analysis
Checks key length and flags 1024-bit keys as potentially weak
Algorithm Detection
Identifies the signing algorithm (RSA, Ed25519) in use
Selector Auto-Detection
Scans 12+ common selectors to find all active DKIM records
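The record syntax, public key validity, key size and algorithm checks listed above can be reproduced offline. The Python below is an added example, not InboxKit's code: check_dkim_record, rsa_bits and constructed_record are hypothetical names, and the sample records it builds are constructed (well-formed DER wrapped around a modulus that is not a real key).

```python
import base64

def _tlv(buf, pos):
    # Read one DER element at pos -> (tag, value_start, value_end).
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits count the length octets that follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, pos, pos + n

def rsa_bits(spki):
    # Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus INTEGER.
    _, body, _ = _tlv(spki, 0)
    _, _, alg_end = _tlv(spki, body)        # skip AlgorithmIdentifier
    _, bit_str, _ = _tlv(spki, alg_end)
    _, key, _ = _tlv(spki, bit_str + 1)     # +1 skips the unused-bits octet
    tag, m, m_end = _tlv(spki, key)
    if spki[0] != 0x30 or tag != 0x02 or m_end > len(spki):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(spki[m:m_end], "big").bit_length()

def check_dkim_record(txt):
    # Returns (key_type, key_bits, findings) for one DKIM key record string.
    tags = {k.strip(): "".join(v.split())   # drop whitespace folded into values
            for k, _, v in (part.partition("=") for part in txt.split(";")) if k.strip()}
    ktype, p, findings = tags.get("k", "rsa"), tags.get("p"), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected version tag")
    if not p:
        return ktype, 0, findings + ["p= missing" if p is None else "p= empty: key revoked"]
    try:
        key = base64.b64decode(p, validate=True)
        bits = rsa_bits(key) if ktype == "rsa" else 8 * len(key)  # Ed25519: raw 32 bytes
    except (ValueError, IndexError):        # bad Base64 or truncated/garbled DER
        return ktype, 0, findings + ["public key not parseable"]
    if ktype == "rsa" and bits < 2048:
        findings.append(f"{bits}-bit RSA key is below the 2048-bit recommendation")
    return ktype, bits, findings

def _der(tag, body):
    size = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (size if len(body) < 128 else bytes([0x80 | len(size)]) + size) + body

def constructed_record(bits):
    # Constructed sample: well-formed DER, but the modulus is NOT a real RSA key.
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

The DNS lookup itself is left out: pass in the TXT value your resolver returns for selector._domainkey.yourdomain.com, with multiple strings already concatenated.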
Implementation
How DKIM Works
1. Email signing
Sending mail server signs outgoing messages with a private cryptographic key.
2. DNS publication
Public key is published as a TXT record at selector._domainkey.domain.com.
3. Signature verification
Receiving servers retrieve the public key and verify the email signature.
4. Authentication result
Result is recorded in the Authentication-Results header for DMARC evaluation.
Common Selectors by Provider
Google Workspace
Uses 'google' selector with 2048-bit RSA keys by default.
Microsoft 365
Uses 'selector1' and 'selector2' with CNAME records.
SendGrid
Uses 's1' and 's2' or 'sendgrid' selectors.
Amazon SES
Uses unique selectors with CNAME records pointing to AWS.
Min recommended bits: 2048
Provider support: 99%
Selectors scanned: 12+
Troubleshooting
FAQ
A DKIM checker is a tool that validates the DomainKeys Identified Mail (DKIM) record for a specific domain and selector. It queries DNS for the public key published at selector._domainkey.yourdomain.com, verifies the record syntax, and confirms the key can be used to authenticate email signatures.
The DKIM selector is usually provided by your email service provider (e.g., 'google' for Google Workspace, 'selector1' for Microsoft 365). You can also find it in the email headers of a message sent from your domain -- look for the 's=' tag in the DKIM-Signature header. Our auto-detect feature scans the most common selectors automatically.
DKIM adds a cryptographic digital signature to your emails, allowing receiving servers to verify that the message genuinely came from your domain and was not altered in transit. This directly improves inbox placement rates, protects your brand reputation from spoofing, and is required for DMARC alignment -- a prerequisite for BIMI logo display.
If the check fails, common causes include: the DKIM record is missing from DNS, the selector is incorrect, the record has syntax errors, the key has been revoked, or DNS propagation hasn't completed yet. Double-check the selector with your email provider, verify the DNS record is published correctly, and allow 24-48 hours for propagation.
A 2048-bit RSA key is the recommended minimum for DKIM. While 1024-bit keys still technically work, they are considered cryptographically weak and some providers may flag them. Many modern email services now default to 2048-bit keys. If your DNS provider has TXT record length limits, you can split the key across multiple strings within the same record.
Yes, you can have multiple DKIM records using different selectors. This is common when you use multiple email services (e.g., Google Workspace for business email and SendGrid for transactional mail). Each service gets its own unique selector, and all can coexist without conflict since each record lives at a different DNS hostname.
SPF verifies that an email was sent from an authorized IP address by checking the envelope sender, while DKIM verifies that the email content has not been tampered with using cryptographic signatures on the message headers and body. Both are complementary -- SPF authorizes the sending server, DKIM authenticates the message itself. Together they form the foundation for DMARC.
DKIM alignment in DMARC checks that the domain in the DKIM signature (d= tag) matches the From header domain. If alignment fails for both DKIM and SPF, DMARC will apply its configured policy (none, quarantine, or reject). Relaxed alignment allows subdomain matching (e.g., mail.example.com passes for example.com), while strict requires an exact domain match.
DKIM key rotation is the practice of periodically generating new DKIM key pairs and updating your DNS records. This limits the window of exposure if a private key is compromised. Best practice is to rotate keys every 6-12 months. During rotation, publish the new key with a new selector before removing the old one, ensuring uninterrupted email authentication.
After adding or updating a DKIM record in DNS, propagation typically takes 15 minutes to 48 hours depending on your DNS provider and the TTL (Time To Live) settings. During this window, some receiving servers may not yet see your new record. We recommend waiting at least 1 hour before testing, and up to 24 hours for full global propagation.
Get started
InboxKit automatically generates and manages 2048-bit DKIM keys, handles DNS configuration, and monitors signing health across all your domains.