DKIM Record Checker
Enter a domain and DKIM selector to retrieve and validate the DKIM public key record. Confirm your DKIM setup is publishing correctly in DNS.
What Is a DKIM Record?
A DKIM (DomainKeys Identified Mail) record is a DNS TXT record that publishes the public half of a cryptographic key pair. Your mail server uses the private half to sign every outgoing message. Receiving mail servers use the public key published in DNS to verify that the signature is valid — confirming the message came from your domain and was not modified in transit.
DKIM records are published at a specific subdomain that combines the selector and your domain: selector._domainkey.yourdomain.com. The selector is a label that identifies which key pair is being used. Using selectors allows you to have multiple DKIM keys simultaneously — one per mail provider — and rotate keys without downtime by publishing a new selector before retiring the old one.
A typical DKIM record looks like: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC... The v=DKIM1 identifies the record version. The k=rsa specifies RSA key encryption. The p= value contains the base64-encoded public key. Some records also include t=s (strict alignment) or t=y (testing mode, which relaxes enforcement).
Finding Your DKIM Selector
The selector is set by your mail provider. Here is where to find it for common providers:
Google Workspace
The default selector is 'google'. Check Admin console → Apps → Google Workspace → Gmail → Authenticate email for your current selector.
Microsoft 365
Microsoft 365 uses 'selector1' and 'selector2' by default. Find them in Microsoft 365 Defender → Email and collaboration → Policies and rules → DKIM.
SendGrid
SendGrid uses 's1' and 's2' as default selectors. Check Settings → Sender Authentication → your domain for the current selectors.
Amazon SES
Amazon SES uses selectors that start with a unique identifier per region and account. Check your SES identity settings for the full selector value.
Frequently Asked Questions
1. What does it mean if no DKIM record is found?
If no record exists at selector._domainkey.domain, DKIM signing is either not configured for that selector, or the DNS record has not yet propagated. Check your mail provider's DKIM setup page to confirm the selector name and whether DKIM is enabled. DNS changes can take up to 48 hours to propagate globally.
2. How do I find the right DKIM selector?
Your mail provider assigns the selector. Look in your provider's admin console under DKIM settings. Common selectors include 'google' for Google Workspace, 'selector1' for Microsoft 365, 'mail' for self-hosted servers, and 's1' for SendGrid. You can also find the selector in the DKIM-Signature header of an email you sent — look for s=selectorname.
3. Can I have multiple DKIM selectors for one domain?
Yes. Each selector is a separate DNS record at a different subdomain. You can have one selector per mail provider, plus additional selectors for testing or key rotation. All are valid simultaneously. DMARC only requires at least one DKIM pass that aligns with the From domain.
4. What key length should my DKIM record use?
RSA-2048 is the current standard. Keys shorter than 1024 bits are rejected by most modern mail servers. Keys of 1024 bits are technically valid but considered weak. RSA-2048 provides strong security and is supported by all major mail providers. Ed25519 keys are smaller and equally secure but not yet universally supported.
5. My DKIM record exists but messages are still failing DKIM. Why?
Common causes include: the email body or headers were modified in transit (some mailing lists alter messages); the wrong selector is listed in the DKIM-Signature header; the private key at the mail server does not match the public key in DNS; or the record was recently changed and the old key is cached. Use the Email Header Analyzer to see the exact DKIM signature and which domain and selector it references.
6. What is DKIM testing mode (t=y)?
The t=y flag in a DKIM record means the domain is in testing mode. Receiving servers should not penalize DKIM failures from this domain — they treat it the same as no DKIM record. Remove this flag once DKIM is working correctly in production to allow full enforcement.
探索更多功能
探索 BillionVerify 的所有強大功能
Verify email addresses to protect your sender score
DKIM is one pillar of email authentication. A clean email list is another. BillionVerify removes invalid and risky addresses before they damage your reputation.
100 free verifications daily · 99.9% SMTP accuracy · Instant API access · No credit card required