Limited time: 50% OFF on your first payment.

Check Your DKIM Record

Verify your DKIM (DomainKeys Identified Mail) DNS record for free. Authenticate your emails cryptographically.

Enter Your Domain & Selector

You have 5 more free checks today.

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method defined in RFC 6376. It uses asymmetric cryptography — a private key signs outgoing messages on your mail server, and a public key published in DNS allows any receiving server to verify that signature. If the message was tampered with after signing, the signature breaks.

Unlike SPF, DKIM authenticates the message content itself (headers and/or body), not just the sending IP. This makes it resilient to email forwarding scenarios where the sender's IP changes.

Why do you need DKIM?

1Message integrity

Proves the email body and headers have not been modified since it left your server

2Survives forwarding

Signature is embedded in the email, not tied to the sending IP — stays valid through relays

3Required for DMARC

DMARC can use DKIM alignment as the basis for pass/fail decisions

4Deliverability boost

Gmail, Outlook, and others heavily reward DKIM-signed mail in filtering decisions

How DKIM works — step by step

1

You generate a public/private key pair and configure your mail server to use the private key.

2

You publish the public key as a DNS TXT record at `selector._domainkey.yourdomain.com`.

3

When you send an email, the mail server hashes selected headers and the body, then signs that hash with the private key.

4

The signature is added as a `DKIM-Signature` header on the email.

5

The receiving server reads the `DKIM-Signature`, fetches the public key from DNS, decrypts the signature, and re-hashes the message to compare.

6

A match means the message is authentic and unaltered. A mismatch indicates tampering or a misconfiguration.

DKIM DNS record (public key)

DNS TXT record at selector._domainkey.yourdomain.com
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADC...AQAB

Key fields

v=DKIM1— version identifier
k=rsa— key type (rsa or ed25519)
p=— base64-encoded public key
h=— acceptable hash algorithms (sha256)
s=— service type (email or *)
t=s— strict mode flag

DKIM-Signature header (in the email)

Email header added by your sending server
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=yourdomain.com; s=mail2024;
            h=from:to:subject:date:message-id;
            bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
            b=mY93xZ...

Signature field meanings

d= (signing domain)
The domain that holds the public key. Must align with the From domain for DMARC
s= (selector)
Pointer to which DNS record to use — lets you rotate keys (e.g. s=jan2025, s=feb2025)
h= (headers signed)
Which headers were included in the hash — at minimum: From, To, Subject, Date
bh= (body hash)
Hash of the canonicalized message body, ensures body integrity
b= (signature)
The actual cryptographic signature of the headers listed in h=
c= (canonicalization)
How headers/body are normalized before hashing: simple or relaxed

Common DKIM problems

Body modification

Some mailing lists or virus scanners alter the body, breaking the bh= body hash

Missing DNS record

Verify your TXT record is published and propagated before sending

Wrong selector

The s= in the signature must match the selector in the DNS record name

Key length too short

Use at least 2048-bit RSA keys. 1024-bit keys are considered insecure and rejected by some providers

FAQs

Frequently Asked Questions

DKIM (DomainKeys Identified Mail) is a cryptographic authentication method that adds a digital signature to your emails. This signature allows receiving servers to verify that the email was indeed authorized by the domain owner and, more importantly, that the message content hasn't been tampered with or altered during transit between servers.

A DKIM selector is a unique string used to locate the specific public key in your DNS records. It allows a single domain to have multiple DKIM keys for different services (e.g., marketing, support). You can usually find the selector in your email service provider's (ESP) authentication settings or by inspecting the headers of a sent email for the 's=' tag.

A missing DKIM record usually points to one of three issues: the selector name is incorrect, the record hasn't finished propagating through global DNS, or the TXT record was added to the wrong domain level. Always double-check the selector provided by your ESP and ensure there are no extra spaces or hidden characters in your DNS entry.

Yes, you can and should have multiple DKIM records if you use multiple email services. Each service will use a unique selector (e.g., google._domainkey, mandrill._domainkey), allowing them to exist simultaneously in your DNS without conflict. This is a best practice for maintaining security across different platforms.

The selector is the prefix in your DKIM DNS record (selector._domainkey.yourdomain.com). Google Workspace typically uses google, Microsoft 365 uses selector1 and selector2, and SendGrid uses s1 and s2. You can also read the DKIM-Signature header of a sent email and look at the s= tag to find it.

It means the checker couldn't find a valid key at the selector you queried, usually because the record wasn't published, the selector is wrong, or DNS hasn't propagated yet. Confirm the exact selector from your email provider, re-publish the TXT or CNAME record in DNS, and recheck after propagation.