DKIM Record Validator

Look up the DKIM TXT record for a given selector. Verify whether email signing is active and correctly configured.

What Does This Tool Check?

What is DKIM (DomainKeys Identified Mail)?

DKIM is an email security protocol that lets a receiving server cryptographically verify that a message was signed by the domain it was sent from. The signature is carried as a header field in the message, and the receiving server verifies it using the public key published in DNS.

This tool queries <selector>._domainkey.<domain> for a DNS TXT record to check for the presence and content of a DKIM key.

What is a selector?

A domain can use multiple DKIM keys. The selector specifies which key is being used. Your email provider gives you a selector value — for Google it's typically google, for Microsoft 365 it's selector1 and selector2.

How to Interpret Results

Understanding DKIM results

Record found and active

If the p= parameter is populated, the DKIM key is active. Emails are being signed with this selector. The key type is usually rsa or ed25519.

Record found but p= is empty

The key has been intentionally revoked. This selector should no longer be used. Generate a new selector and key pair.

Record not found

Either the selector name was entered incorrectly, DKIM has not yet been configured, or DNS propagation hasn't completed. Make sure you're using the selector name documented by your provider.

Common Mistakes

Frequent DKIM configuration errors

  • Entering the wrong selector name. Use the exact selector name documented by your email provider.
  • Forgetting to enable DKIM in the email provider dashboard before publishing the DNS record.
  • Entering long DKIM TXT records as two separate strings instead of one — some DNS editors split automatically, others don't.
  • Using an RSA 1024-bit key. A minimum of 2048-bit is recommended today.
  • Deploying a new key without revoking the old one — having two simultaneous keys can cause unexpected behavior.
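The three outcomes from "How to Interpret Results" and the key-size check from the list above, as an added Python example that is not this tool's own code. The function names are hypothetical and the sample records are constructed with placeholder moduli; `classify()` takes the strings a resolver returned for <selector>._domainkey.<domain>, with the DNS lookup itself left out so the block runs offline.

```python
import base64

def parse_tags(txt_strings):
    """Join the TXT record's character-strings, then split into tag=value pairs."""
    pairs = (p.split("=", 1) for p in "".join(txt_strings).split(";") if "=" in p)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _tlv(buf, pos):  # read one DER element at pos, return (value_start, value_end)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return pos, pos + length

def rsa_bits(spki):  # modulus size of an RSA SubjectPublicKeyInfo in DER
    start, _ = _tlv(spki, 0)                    # outer SEQUENCE
    _, alg_end = _tlv(spki, start)              # AlgorithmIdentifier, skipped
    bit_start, _ = _tlv(spki, alg_end)          # BIT STRING wrapping the key
    key_start, _ = _tlv(spki, bit_start + 1)    # +1 skips the unused-bits byte
    mod_start, mod_end = _tlv(spki, key_start)  # INTEGER modulus
    return int.from_bytes(spki[mod_start:mod_end], "big").bit_length()

def classify(txt_strings):
    """txt_strings: strings of the TXT answer, or None if the lookup found no record."""
    if not txt_strings:
        return "not found"
    tags = parse_tags(txt_strings)
    if not tags.get("p"):
        return "revoked" if "p" in tags else "invalid: no p= tag"
    if tags.get("k", "rsa") != "rsa":  # k= defaults to rsa when omitted
        return "active " + tags["k"]
    try:
        bits = rsa_bits(base64.b64decode(tags["p"]))
    except (ValueError, IndexError):
        return "invalid: p= is not a parsable RSA key"
    return f"active rsa-{bits}" + (" (below 2048)" if bits < 2048 else "")

def _der(tag, body):  # minimal DER encoder, used only to build the constructed samples
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):  # constructed: placeholder modulus of that size, not a usable key
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

A 2048-bit sample record is longer than the 255-character limit of a single TXT string, so `classify([rec[:255], rec[255:]])` exercises the split form and returns the same result as the unsplit record.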

FAQ

Frequently asked questions

Can email be sent without DKIM?

Yes, but emails without a DKIM signature receive a lower trust score in modern mail filters and are more likely to land in spam.

How do I check DKIM for Google Workspace?

The selector is usually google. It's enabled via Google Admin Console → Apps → Google Workspace → Gmail → Authenticate email.

My DKIM record is very long — is that normal?

Yes. RSA 2048-bit keys are roughly 300–400 characters. Make sure your DNS editor supports this length.

How often should I rotate my DKIM key?

Annual rotation is recommended. Rotate immediately if key compromise is suspected.
