Back to all tools
EMAIL · DKIM · EXTERNAL RESOLVER

DKIM Checker

Check DKIM records to confirm email authenticity and guard against spoofing.

~/pingie - dkim-checker
ready
AUTOAuto-detect
defaultdefault
googlegoogle
mailmail
sel1selector1
sel2selector2
dkimdkim
emailemail
Gmail20221208 (Gmail)
202320230601
...Custom...

Provide a domain and choose a DKIM selector to check.

The toolkit

Every network tool you'll ever need.

Purpose-built utilities for ports, IPs, DNS and email. Completely free, all powered by external probes.

Free DKIM checker: Look up and validate any domain's DKIM record

DKIM (DomainKeys Identified Mail) is a DNS TXT record published at <selector>._domainkey.<domain> . It contains a public key that receiving mail servers use to verify the cryptographic signature attached to outgoing emails. When the signature matches the public key in DNS, the receiver knows the message was not altered in transit and genuinely came from an authorized sender.

This tool retrieves that DNS record, parses its tags, and reports whether the configuration is valid. You get the raw record, the parsed key-value pairs, the key type, the public key length, and any warnings or errors, all from a single lookup.

How to check a DKIM record

The lookup queries <selector>._domainkey.<domain> over DNS and returns the TXT record stored there. Here is how to run it:

  1. Open the DKIM Checker from the tool menu.
  2. Enter the domain you want to inspect (for example, example.com ).
  3. Optionally enter a selector. If you leave it blank, the tool tries common selectors automatically.
  4. Click Check . The tool queries DNS and validates the record.
  5. Review the results: selector used, raw DKIM record, validity status, parsed tags, key type, public key length, and any errors or warnings.

No account is needed. The lookup happens server-side against live DNS, so results reflect the current published state of the record.

Auto-detection: What happens when you skip the selector

DKIM selectors are not listed anywhere in standard DNS. There is no DNS record type that advertises which selectors a domain uses. Because of this, the only way to find an active selector without prior knowledge is to try known values one by one.

When you leave the selector field empty, the tool attempts these in order:

  • default
  • google
  • mail
  • selector1
  • selector2
  • dkim
  • email
  • Date-based Gmail selectors: 20221208 , 20230601

If none of these return a record, the tool reports no DKIM found. In that case, check your email provider's documentation for the correct selector and enter it manually.

What the results tell you

Each DKIM record is a string of tag-value pairs. The checker parses these and flags anything worth attention. Here is what each output field means:

  • Selector: The label used for the successful lookup, useful when auto-detection found the record.
  • Raw DKIM record: The exact TXT string returned from DNS.
  • Validity status: Whether the record passes all required checks.
  • Key type (k): Either rsa (most common) or ed25519 (newer, not yet universally supported by receivers).
  • Public key length: The bit length of the RSA key. Short keys trigger a warning because they are considered weak.
  • Version tag: v=DKIM1 is recommended but not required by the specification.
  • Errors and warnings: Specific issues such as a missing public key, a revoked key ( p= with an empty value), testing mode active ( t=y ), or a weak hash algorithm ( h=sha1 only).

An empty p tag is not a configuration error. It is the standard mechanism for revoking a DKIM key. The checker reports it as a revoked key so you can distinguish it from a misconfiguration.

When to run a DKIM record check

DKIM verification is relevant in several situations beyond initial setup. Use this tool when:

  • You have just configured DKIM at your email provider and want to confirm the record is live in DNS.
  • Emails are failing DMARC checks and you need to isolate whether the DKIM signature is the cause.
  • You are migrating to a new email provider and need to verify both old and new selectors.
  • A security audit requires you to document key types and lengths across your sending domains.
  • You suspect a key has been revoked and want to confirm the p tag status.
  • You are checking a third-party sender (newsletter platform, CRM) that signs mail on your domain's behalf.

DKIM testing is also worth running periodically after DNS migrations, since TTL-related propagation issues can temporarily break signing even when the record looks correct in your DNS provider's dashboard.

DKIM and the broader email authentication picture

DKIM handles message integrity and sender authentication at the signature level. It works alongside SPF, which controls which IP addresses may send for a domain, and DMARC, which defines policy for what receivers should do when SPF or DKIM checks fail.

If you are diagnosing a deliverability problem, checking the DKIM record is one step. You may also want to review your DMARC policy using the DMARC Checker to see how the two records interact. Both tools are available from the Pingie tool index .

FAQ

A DKIM record is a DNS TXT record published at <selector>._domainkey.<domain> . It contains a public key that receiving mail servers retrieve to verify the cryptographic signature in the email's header. The sending server signs outgoing mail with the corresponding private key. If the signature matches the public key in DNS, the message is considered authentic and unmodified in transit.

A selector is a label that forms part of the DNS lookup path. Because a domain can publish multiple DKIM keys (for different sending services or key rotation), the selector tells receivers which specific key to fetch. It appears in the d= and s= fields of the DKIM-Signature header on every signed email. Selectors are not listed in any standard DNS record, so they must be known in advance or guessed from common values.

When no selector is provided, the tool issues DNS TXT queries for a predefined list of common selector names in sequence: default , google , mail , selector1 , selector2 , dkim , email , and a set of date-based Gmail selectors. It stops at the first one that returns a valid TXT record. If none match, the tool reports that no DKIM record was found and prompts you to enter the selector manually.

A revoked key means the DNS record exists but the public key tag is empty ( p= ). This is the standard DKIM mechanism for retiring a key without removing the record entirely. Receiving mail servers that encounter an empty p tag treat any signature using that selector as invalid. The checker distinguishes this from a missing record or a malformed record, reporting it specifically as a revocation rather than an error.

Three warnings are worth acting on. First, a short RSA key (below 1024 bits, sometimes below 2048 bits depending on policy) is considered cryptographically weak and can be broken. Second, t=y means the domain is in testing mode, so receivers may not enforce DKIM failures. Third, h=sha1 alone flags use of a deprecated hash algorithm. Each of these represents a real deliverability or security risk rather than a cosmetic issue.

DKIM operates at the message level. It attaches a cryptographic signature to an email and publishes the corresponding public key in DNS so receivers can verify the signature. DMARC operates at the policy level. It reads the results of DKIM and SPF checks and tells receivers what to do when those checks fail (nothing, quarantine, or reject). DKIM proves integrity; DMARC enforces a response. You can inspect your DMARC configuration with the DMARC Checker .

The most common reasons are DNS propagation delay (records can take minutes to hours to become visible globally), a selector mismatch (the auto-detection list does not include every possible selector), or a typo in the DNS entry. Try entering the exact selector your email provider gave you. If the record still does not appear, verify the TXT record is saved correctly in your DNS provider's control panel and check that the hostname format matches <selector>._domainkey.<domain> exactly.

Yes. The checker reads and reports the key type tag ( k= ) and handles both rsa and ed25519 records. Ed25519 produces shorter keys with strong security properties, but receiver support is not yet universal. Some older mail servers do not verify ed25519 signatures at all, which means a valid signature may still be treated as unsigned. The checker reports the key type so you can assess compatibility with your recipient base.

Yes. The tool exposes a GET endpoint at /api/check-dkim?domain=<domain>&selector=<selector> . The response is JSON and includes fields for dkim_found , selector , dkim_record , is_valid , errors , warnings , tags , key_type , public_key_length , and has_version . This makes it straightforward to integrate DKIM validation into monitoring scripts or deployment pipelines that verify DNS records after configuration changes.

No. The v=DKIM1 tag is recommended by the specification but not strictly required. Mail receivers are expected to accept records without it. The checker reports whether the version tag is present via the has_version field, but its absence does not cause a validation failure. Including it is considered good practice because it makes the record's purpose unambiguous to anyone reading the raw DNS data.

The lookup is a read-only DNS query. The tool queries the DNS record for the domain you provide and returns the result. No personal data is submitted as part of a DKIM check since domain names are public DNS information. For full details on how Pingie handles data, see the privacy policy .

Run a check after any DNS change, email provider migration, or key rotation. It is also worth verifying after your domain's DNS is transferred to a new registrar, since zone file imports occasionally drop or corrupt TXT records. If you use multiple sending services (transactional email, marketing platforms, CRMs), check each selector separately because they are independent records that can break independently.