Free DKIM Lookup

Look up any domain's DKIM public key record by selector and validate your signature setup

DKIM Record Checker
Look up your domain's DKIM record for a particular selector to identify possible issues and fix them.
Built by Henry Timmes · Named contributor to RFC 7489 (DMARC)

Understanding DKIM Records

DKIM adds a cryptographic signature to every outgoing email, giving receiving servers a way to verify the message came from you and was not modified in transit.

How DKIM Signatures Work

Your mail server signs a hash of each outgoing message with a private key and stores the resulting signature in the DKIM-Signature header. Receiving servers retrieve your public key from DNS and verify that signature. A match confirms the message is authentic and unaltered.

DKIM Selectors Explained

A selector is a label that points to a specific public key in your DNS, published at selector._domainkey.yourdomain.com. Selectors let you run multiple DKIM keys simultaneously - useful when rotating keys or using multiple sending services. Find yours in the s= tag of any outbound email header.

Key Length and Rotation

Use a minimum of 2048-bit RSA keys - 1024-bit is considered weak and rejected by some receivers. Rotate keys every 6-12 months by publishing a new selector, switching your mail server to sign with the new private key, confirming it passes, then removing the old DNS record.

How to Look Up and Verify Your DKIM Record

  1. Find your DKIM selector by sending a test email and viewing raw headers - look for the s= value in the DKIM-Signature header
  2. Enter your domain and selector in the DKIM Lookup tool above and click Check DKIM
  3. Confirm the record is present and that the p= field contains a valid base64 public key
  4. Check that the key length is at least 2048 bits - many tools will display this alongside the record
  5. Send a test message through your Email Tester to confirm the DKIM signature passes end-to-end

Tip: DKIM alone does not prevent spoofing of the visible From address. Pair it with SPF and DMARC to get full alignment-based protection. Use the DMARC Lookup tool to check whether your domain has a policy in place.

DKIM: Digitally Signing Your Emails for Security

DKIM (DomainKeys Identified Mail) works alongside SPF as a critical email authentication protocol. While SPF verifies the sending IP address, DKIM uses cryptography to confirm the email truly originated from the claimed domain and was not modified by anyone along the way.


When a DKIM-enabled mail server sends a message, it attaches a digital signature to the email header. This signature is created using a private key held by the sender, while the corresponding public key is published as a TXT record in the domain's DNS. Receiving servers retrieve that public key to verify the signature on every incoming message.


If the signature verification succeeds, it confirms the email came from an authorized source and arrived intact. This significantly reduces the risk of spoofing and phishing, where attackers impersonate legitimate senders to deceive recipients.


Once you have it set up, it's time to test it with our very own Email Tester.


DKIM Tag Specification Explained

TAG MEANING
v This tag specifies the DKIM version being used. Currently the most common value is v=DKIM1.
a This tag identifies the cryptographic algorithm used to generate the digital signature. A common value is rsa-sha256.
d This tag indicates the domain name used with the selector to locate the sender's public key in DNS.
k This tag specifies the key type of the public key published in the DNS record, which determines how signatures are verified against it. If missing, the value defaults to rsa.
s This tag specifies the selector record name used to find the public key. It is essentially a subdomain label created by the sender for DKIM purposes.
c This tag specifies the canonicalization method applied to the headers and body before signing. Common values are relaxed/relaxed and simple/simple.
h This tag lists the email header fields included in the signature calculation. Headers not listed here are not protected by DKIM.
t This tag specifies flags that modify DKIM behavior. Valid values include y for testing mode and s for strict subdomain handling, or ys / sy for both.

Frequently Asked Questions

DKIM (DomainKeys Identified Mail) is an email authentication protocol that adds a cryptographic signature to outgoing messages. Receiving servers verify this signature against a public key published in your DNS, confirming the email came from an authorized sender and was not altered in transit. DKIM is one of the three pillars of email authentication alongside SPF and DMARC, and is required for DMARC alignment.

When your mail server sends a message, it hashes selected headers and the message body, signs the result with a private key, then adds this as a DKIM-Signature header. The receiving server looks up your public key in DNS at the location defined by the selector and domain (selector._domainkey.yourdomain.com), and uses it to verify the signature. If the signature verifies, the message is confirmed authentic and unmodified.

A DKIM selector is a label that points to a specific public key in your DNS. It appears in the DKIM-Signature header of any outgoing email as the s= tag. To find yours, send a test email to yourself and view the raw message headers - look for the DKIM-Signature header and note the s= value. Common selectors include google, selector1, k1, smtp, and mail, but your ESP or mail server may use any custom value.
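
The step from a raw DKIM-Signature header to the DNS name of the key record, plus a check of which headers the h= list leaves unsigned, as an added example that is not this tool's own code. The sample header, its domain and selector, and the list of headers treated as important are assumptions made for illustration.

```python
import re

def parse_signature(header_value):
    """Parse a DKIM-Signature header value (folded lines allowed) into a tag dict."""
    flat = re.sub(r"\r?\n[ \t]+", " ", header_value)   # unfold continuation lines
    pairs = (part.split("=", 1) for part in flat.split(";") if "=" in part)
    return {name.strip(): value.strip() for name, value in pairs}

def key_record_name(tags):
    """DNS name where a verifier fetches the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def unsigned_headers(tags, wanted=("From", "To", "Subject", "Date")):
    """Headers from `wanted` (an assumed list) that h= leaves outside the signature."""
    signed = {name.strip().lower() for name in tags.get("h", "").split(":")}
    return [name for name in wanted if name.lower() not in signed]

# Constructed sample header: domain, selector and the bh=/b= values are placeholders.
SAMPLE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;\r\n"
          "\th=from:to:date:message-id;\r\n"
          "\tbh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    tags = parse_signature(SAMPLE)
    print("query TXT at:", key_record_name(tags))
    print("not covered by the signature:", unsigned_headers(tags))
```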

A DKIM TXT record is published at selector._domainkey.yourdomain.com and typically contains:
  • v=DKIM1: Version - always required and always first.
  • k=rsa: Key type. RSA is standard; Ed25519 is a newer alternative.
  • p=: The base64-encoded public key. If this value is empty, the key has been revoked.
  • h=: Optional. Restricts which hash algorithms are acceptable.
  • t=: Optional flags. y indicates testing mode; s means the signature does not apply to subdomains.
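
The record checks from the lookup steps and the tag list above (v= present, p= non-empty and decodable, RSA modulus of at least 2048 bits, testing flag), as an added example that is not this tool's own code. It reads the key size straight from the DER bytes in p= using only the standard library; the function names and sample records are assumptions made for illustration.

```python
import base64

def parse_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, dropping whitespace inside values."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def der_tlv(buf, pos):
    """Read one DER element at pos; return (content_start, content_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return pos, pos + length

def rsa_bits(p_value):
    """Modulus size of a base64 SubjectPublicKeyInfo RSA key, as published in p=."""
    der = base64.b64decode(p_value, validate=True)
    spki, _ = der_tlv(der, 0)              # outer SEQUENCE
    _, alg_end = der_tlv(der, spki)        # AlgorithmIdentifier, skipped
    bitstr, _ = der_tlv(der, alg_end)      # BIT STRING holding RSAPublicKey
    rsa, _ = der_tlv(der, bitstr + 1)      # +1 skips the unused-bits byte
    start, end = der_tlv(der, rsa)         # first INTEGER is the modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def check_record(txt):
    """Return a list of problems found in a DKIM TXT record (empty list = OK)."""
    tags, issues = parse_tags(txt), []
    if tags.get("v") != "DKIM1":           # the page treats v=DKIM1 as required
        issues.append("v=DKIM1 missing")
    if "p" not in tags:
        issues.append("no p= tag")
    elif tags["p"] == "":
        issues.append("p= is empty: key revoked")
    elif tags.get("k", "rsa") == "rsa":    # k defaults to rsa when absent
        try:
            size = rsa_bits(tags["p"])
            if size < 2048:
                issues.append(f"RSA key is {size} bits, below 2048")
        except (ValueError, IndexError):
            issues.append("p= is not a valid base64 RSA key")
    if "y" in tags.get("t", "").split(":"):  # RFC 6376 separates flags with ':'
        issues.append("t=y: record is in testing mode")
    return issues

# Constructed samples (no real keys): a revoked selector and a malformed key.
SAMPLES = ["v=DKIM1; k=rsa; p=", "v=DKIM1; k=rsa; t=y; p=not*base64"]
```

Pass check_record the TXT string returned for selector._domainkey.yourdomain.com; an empty list means none of these problems were found.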

  • Signature verification failure: The public key in DNS does not match the private key used to sign. Re-check that the correct key pair is in use, and confirm the DNS record has fully propagated.
  • Body hash mismatch: Something modified the message after it was signed - a common cause is an ESP or gateway appending a footer. Signing should happen as the last step before delivery.
  • Selector not found: The s= value in the email header does not match any TXT record in DNS. Verify the record name is exactly selector._domainkey.yourdomain.com.
  • Key too short: 1024-bit RSA keys are considered weak. Upgrade to a 2048-bit key and publish it under a new selector.
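
Why an appended footer causes a body hash mismatch while whitespace rewrapping may not, shown by computing the bh= value under the simple and relaxed body canonicalizations of RFC 6376. This is an added example, not code from this page or its tools; the message bodies are constructed and sha256 is assumed as the hash.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Canonicalize a CRLF-delimited body per RFC 6376 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # collapse runs of space/tab to one space, then drop whitespace at line end
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # empty lines at the end are ignored
        lines.pop()
    if not lines:                          # empty body: CRLF for simple, nothing for relaxed
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value a signer using sha256 places in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

# Constructed sample: the body as signed, then as delivered by two kinds of relay.
SIGNED = b"Hello team,\r\nInvoice attached.\r\n"
REWRAPPED = b"Hello  team, \r\nInvoice attached.\r\n\r\n"   # whitespace changes only
FOOTER = SIGNED + b"-- \r\nScanned by gateway\r\n"          # footer appended after signing

def survives(delivered: bytes, mode: str) -> bool:
    """True when the delivered body still matches the bh= computed at signing."""
    return body_hash(delivered, mode) == body_hash(SIGNED, mode)

if __name__ == "__main__":
    for name, body in (("rewrapped", REWRAPPED), ("footer", FOOTER)):
        for mode in ("simple", "relaxed"):
            print(f"{name:9} {mode:7} bh matches: {survives(body, mode)}")
```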

Most security best practices recommend rotating DKIM keys every 6 to 12 months, or immediately after a suspected key compromise. Safe rotation steps:
  1. Generate a new RSA key pair (2048-bit minimum).
  2. Publish the new public key in DNS under a different selector name.
  3. Wait for DNS propagation (up to 48 hours).
  4. Update your mail server to sign outgoing messages with the new private key.
  5. Confirm new signatures are passing using this lookup tool or your Email Tester.
  6. Remove the old DNS selector record only after confirming the new key is working.
