Skip to content

Free DKIM Record Checker

Enter a domain and DKIM selector to look up and validate the DKIM record. Check key configuration, verify the public key, and identify common issues.

Common selectors:

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that allows the sending domain to cryptographically sign outgoing messages. The recipient's mail server can then verify the signature using a public key published in the sender's DNS records, confirming that the email was authorized by the domain owner and was not altered in transit.

Together with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance), DKIM forms the foundation of modern email authentication. While SPF verifies which servers can send email for a domain, DKIM verifies that the message content is authentic and unmodified.

How DKIM Works

When an email is sent from a DKIM-enabled domain, the sending mail server generates a cryptographic hash of certain email headers and the message body. This hash is encrypted using the domain's private key and added to the email as a DKIM-Signature header.

The receiving mail server extracts the selector (the s= tag) and domain (d= tag) from the DKIM-Signature header, looks up the public key at {selector}._domainkey.{domain} in DNS, and uses it to verify the signature. If the signature is valid, the recipient knows the email was genuinely sent by the claimed domain and has not been tampered with.

A DKIM DNS record is a TXT record containing tag-value pairs such as v=DKIM1 (version), k=rsa (key type), and p=... (the Base64-encoded public key).

Finding Your DKIM Selector

Every DKIM signature includes a selector that identifies which key pair was used to sign the message. To find your selector, open an email sent from your domain and view the full email headers. Look for the DKIM-Signature header and find the s= tag -- that's your selector.

Common selectors by email provider:

  • Google Workspace: google
  • Microsoft 365: selector1, selector2
  • Mailchimp: k1
  • Amazon SES: Varies per region (often CNAME-based)
  • SendGrid: s1, s2

DKIM and Custom Domains

For SaaS platforms that allow users to send email from their own custom domains -- such as transactional emails, notifications, or marketing campaigns -- DKIM is essential. Without proper DKIM signing, emails sent on behalf of a custom domain are likely to land in spam or be rejected entirely by receiving mail servers.

Setting up DKIM for custom domains involves generating a key pair, publishing the public key in the customer's DNS, and configuring the sending infrastructure to sign with the private key. This process needs to be repeated for each customer domain, which can become complex at scale.

SaaSKevin automates web custom domain onboarding with DNS routing verification, SSL provisioning, and request routing. Pair this with SPF and DMARC managed in your email platform to achieve full authentication compliance for your customers' domains.

Frequently Asked Questions

What is a DKIM selector?
A DKIM selector is a string used to locate the DKIM public key in DNS. The full DNS lookup is performed at {selector}._domainkey.{domain}. Different email services use different selectors -- for example, Google Workspace uses "google", Microsoft 365 uses "selector1" and "selector2", and Mailchimp uses "k1". A single domain can have multiple DKIM selectors for different email services.
How do I find my DKIM selector?
The easiest way is to look at the DKIM-Signature header in an email sent from your domain. The "s=" tag in that header contains the selector. You can also check your email provider's documentation -- Google Workspace uses "google", Microsoft 365 uses "selector1" or "selector2", and most ESPs document their selectors in their setup guides.
What does an empty DKIM public key mean?
An empty public key (p= with no value) means the DKIM key has been intentionally revoked. This is the standard way to deactivate a DKIM key per RFC 6376. Emails signed with a revoked key will fail DKIM verification. This is commonly done when rotating DKIM keys or decommissioning an email service.
What key length should my DKIM key be?
A 2048-bit RSA key is the current recommendation. While 1024-bit keys are still accepted by most providers, they are considered weak and could potentially be cracked. Some organizations are moving to Ed25519 keys, which offer strong security with shorter key sizes, but RSA 2048-bit has the broadest compatibility across email providers.
Can a domain have multiple DKIM records?
Yes, a domain can have multiple DKIM records, each under a different selector. This is common and expected -- for example, you might have one selector for Google Workspace, another for your marketing email service, and another for a transactional email provider. Each service signs emails with its own private key and publishes its public key under its own selector.

Need setup examples for real SaaS products? Browse our industry guides and explore all free domain tools.

Related Tools

SPF Checker

Look up and validate SPF records for any domain. Check for syntax errors, DNS lookup limits, and common configuration issues.

DMARC Checker

Look up and validate DMARC records for any domain. Check policy settings, alignment, and reporting configuration.

TXT Records

Look up and categorize TXT records for any domain. Identify SPF, DKIM, DMARC, domain verification, and other TXT records.