DKIM Check

Check DKIM public keys for any domain + selector. We query ._domainkey. automatically across 14 DNS resolvers.

What is DKIM?

DKIM (DomainKeys Identified Mail) is the middle leg of email authentication. The sending mail server signs outgoing messages with a private key; the matching public key is published in DNS. Receivers verify the signature against the published key.

DKIM keys live at <selector>._domainkey.<your domain> as TXT records. You need both the domain and the selector to look one up. Use the two fields above: we'll assemble the query for you.

Finding the selector

Each mail provider uses its own selector. Common ones:

• Google Workspace: google (the default, configurable)
• Microsoft 365: selector1 and selector2
• Mailchimp: k1
• SendGrid: typically s1, s2, or a custom one set in the dashboard
• Mailgun: mg or a domain-specific selector
• Amazon SES: random-looking strings like abc123def456._domainkey

If you don't know the selector, inspect a real message from the provider: the DKIM-Signature header includes s=<selector>.

Anatomy of a DKIM record

A typical DKIM TXT looks like: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB.... The tags:

• v=DKIM1: version marker.
• k=: key type (rsa by default; ed25519 for newer keys).
• p=: the public key itself, base64-encoded.
• s=: service type (optional; email is standard).

Common errors and pitfalls

• Wrong selector: most common cause of "no record found." Each provider uses different selectors; a Google-only selector won't exist on a Mailchimp-only domain.
• Key too long for a single TXT chunk: RSA keys often exceed 255 characters, so they're split across multiple quoted strings. WhereIsDNS reassembles them on display.
• Key revoked (p= empty): a DKIM record with no key value is a deliberate "this selector is retired" signal. Mail signed with it will fail.
• Wrong record type: DKIM is published as TXT. Some old documentation references type 16 specifically: same thing.

FAQ

Can a domain have multiple DKIM keys?

Yes: one per selector. A domain that sends through Google Workspace + Mailchimp + a custom server can have three DKIM records at three different selector names.

How often should DKIM keys be rotated?

Annual rotation is the conservative recommendation, especially for long-lived RSA keys. Many providers automate this; check whether yours does.

Why does my DKIM-Signature say "fail" but the record exists?

Usually a key mismatch (you re-generated the key but didn't update DNS) or message-body modification (a mailing list footer was appended, breaking the body hash). Compare the p= in DNS to what the sending server actually has.

Background reading

See the DKIM glossary entry, plus SPF and DMARC. The DNS Records Explained guide ties them together.