Free checker - no signup required

Free DKIM Checker

Discover common DKIM selectors, validate published DKIM records, and catch missing or weak signing setup for Google Workspace, Microsoft 365, and other senders.

Run the check

Enter a domain to check it live against the IntoDNS.ai engine. No signup, no trial gating.

What this DKIM checker verifies

DKIM records live at selector._domainkey.<your-domain>, and the selector is chosen by your sending provider — there is no single fixed location. This tool probes a curated list of the most common selectors (default, google, selector1/selector2 for Microsoft 365, amazonses, sendgrid, k1, and dozens more) to find published keys. For each hit it parses the record, reads the key type (RSA or Ed25519), checks the public key is present and well-formed base64, flags revoked keys (empty p=) and test-mode keys (t=y), and warns on RSA keys that look shorter than 1024 bits. If you already know your selector, enter it directly for an exact lookup.

Why DKIM matters

DKIM attaches a cryptographic signature to each message using a private key held by your mail provider; receivers verify it against the public key in your DNS. Unlike SPF, DKIM survives forwarding, which makes it the more durable of the two DMARC inputs. A domain with working, aligned DKIM can still pass DMARC even when SPF breaks in transit. Missing or broken DKIM removes that safety net and makes a p=reject DMARC policy far more likely to bounce legitimate mail.

How to read the result

Finding one or more valid selectors with a non-empty RSA or Ed25519 public key means signing is published correctly in DNS — though you should still confirm your provider is actually applying the signature to outbound mail. An empty public key (p=) means the key has been revoked and any mail signed with it will fail. A test-mode flag (t=y) tells receivers to ignore failures, which is fine during setup but should be removed in production. If no selector is found, it does not always mean DKIM is absent — your provider may use a custom selector this tool did not test, so enter it manually to confirm.

Common failure causes and fixes

The most frequent issue is a selector the discovery list does not cover; the fix is to find the exact selector from your provider (Google Admin, Microsoft 365 admin, your ESP dashboard) and check it directly. Revoked keys (empty p=) happen when a key is rotated but the old DNS record lingers — remove or update it. Weak or legacy 1024-bit RSA keys should be rotated to 2048-bit where the provider supports it. Records split incorrectly across multiple DNS strings can also break parsing. After publishing a new key, allow for DNS propagation, then re-check the specific selector here.

Multiple selectors and key rotation

Because DKIM keys are addressed by selector, a domain can publish several at once — one per sending service, plus old and new keys during a rotation. This is a feature, not a problem: it lets you add a new 2048-bit key under a fresh selector, switch signing over to it, and only then retire the old selector, with zero downtime. When you send through multiple providers (your mailbox host, a marketing platform, a transactional ESP), each typically uses its own selector, so finding several here is normal and healthy. The thing to avoid is leaving revoked or orphaned selectors published after a rotation, since those can confuse audits and, if a stale key is somehow still signing, cause failures.

What This Checks

  • Common DKIM selector discovery
  • TXT record lookup at selector._domainkey
  • Public key presence and basic record shape
  • Provider-style selector hints
  • Missing DKIM risk in the full email-authentication context

Common Fix Path

  • Enable DKIM signing in your mail provider
  • Publish the selector TXT records your provider gives you
  • Use provider-specific selectors for Google Workspace, Microsoft 365, SendGrid, Mailchimp, and similar services
  • Rotate old or weak keys where your provider supports it

Frequently Asked Questions

What is a DKIM selector and how do I find mine?
A selector is a label your provider picks to name a specific DKIM key, used to build the DNS location selector._domainkey.<domain>. Common ones are google for Google Workspace, selector1 and selector2 for Microsoft 365, and amazonses for AWS SES. You can find yours in your provider admin console, or read it from the s= tag in the DKIM-Signature header of an email you sent. Enter it in the field above for an exact lookup.
Why does the checker not find my DKIM record?
This tool tests the most common selectors, but selectors are provider-specific and some are random strings. If your provider uses a custom selector not in the list, discovery will come up empty even though DKIM is configured correctly. Enter your exact selector in the optional field to check it directly rather than relying on discovery.
What does an empty public key (p=) mean?
An empty p= tag means the DKIM key has been revoked. Any message still signed with that key will fail verification. This usually happens when a key is rotated but the old DNS record is left in place. Remove the stale record or publish the current key.
What is DKIM test mode (t=y)?
The t=y flag tells receiving servers to treat the domain as still testing DKIM and to ignore verification failures rather than act on them. It is useful during initial setup, but leaving it in production weakens DKIM because failures are no longer enforced. Remove t=y once you have confirmed signing works.
What key length and type should DKIM use?
Use at least 2048-bit RSA keys; 1024-bit keys are legacy and considered weak. Ed25519 keys are also supported by modern receivers and are shorter and faster, though RSA remains the most widely compatible choice. This checker flags RSA keys that appear shorter than 1024 bits so you can rotate them.
Does a valid DKIM DNS record mean my mail is signed?
Not by itself. A published, valid key in DNS is necessary but not sufficient — your provider must also be configured to apply the signature to outbound mail. After confirming the DNS record here, send a test message and check for DKIM=pass in the headers, or run the full deliverability report to confirm end to end.

Machine-Readable Evidence

AI assistants and automation can cite the stable explanation page, then fetch the live check result for a specific domain.

GET https://intodns.ai/api/email/dkim?domain=example.com

Related Tools and Citations

DKIM Record GeneratorDKIM GuideDKIM selector citationRun the full domain scan