Free DKIM Checker
Verify your domain's DKIM signatures and key configuration in seconds. Check key presence, strength, selector discovery, and DMARC alignment — all in one scan.
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication standard defined in RFC 6376. It uses public-key cryptography to attach a digital signature to every outgoing email, allowing receiving mail servers to verify that the message was genuinely sent by the domain owner and that its contents have not been tampered with in transit.
Without DKIM, there is no reliable way for a recipient to confirm that an email claiming to come from your domain was actually authorized by you. Attackers can forge the From header and send phishing or spam that appears to originate from your organization. DKIM closes this gap by providing a cryptographic proof of authenticity and integrity.
DKIM is one of the three pillars of modern email authentication, alongside SPF and DMARC. While SPF validates the sending server's IP address, DKIM validates the message itself. Together with DMARC, which ties SPF and DKIM results to the visible From domain, they form a comprehensive defense against email spoofing and impersonation.
What this checker verifies
Our DKIM checker performs a comprehensive scan of your domain's DKIM configuration and reports issues with clear explanations.
DKIM Key Presence
Checks that a DKIM public key record exists in your DNS for known selectors. Without a published key, receiving servers cannot verify your email signatures.
Key Strength (2048-bit Minimum)
Validates that your DKIM key uses at least 2048-bit RSA. Keys shorter than 2048 bits are considered weak and can be factored by a determined attacker, undermining the entire signature.
Selector Discovery
Probes common selectors (default, google, selector1, s1, k1, and more) to find all active DKIM keys published for your domain, including third-party senders.
Alignment with DMARC
Verifies that the signing domain in your DKIM signature aligns with the From header domain as required by DMARC, ensuring your authenticated emails pass policy evaluation.
How DKIM Works
DKIM relies on a public/private key pair and DNS to let receiving servers verify your emails.
When your mail server sends an email, it computes a cryptographic hash of selected headers and the message body and signs it with a private key. The resulting signature is added to the email as a DKIM-Signature header, along with metadata like the signing domain (d=) and the selector (s=).
The receiving server extracts the selector and domain from the signature, then queries DNS for the corresponding public key at selector._domainkey.yourdomain.com. It recalculates the hash from the received message and uses the public key to check it against the signature. If the check succeeds, the email passes DKIM verification, proving it was authorized by the domain owner and was not modified after signing.
Selectors allow a single domain to publish multiple DKIM keys, which is essential when using third-party email services. Each service can have its own selector and key pair, and you can rotate keys without disrupting other senders. For example, your primary mail server might use the selector default, while your marketing platform uses s1 or a service-specific selector like google.
Common DKIM Issues
These are the most frequent DKIM problems we see across thousands of domain scans. Fixing them significantly improves your email deliverability and security posture.
Weak or 1024-bit keys
Many domains still use 1024-bit DKIM keys generated years ago. These are increasingly vulnerable to factoring attacks. Rotate to 2048-bit keys and remove the old records from DNS.
Missing third-party senders
Services like Mailchimp, SendGrid, or HubSpot send email on your behalf. If they sign with their own domain or you haven't configured DKIM for them, those messages will fail DKIM alignment checks.
Stale or orphaned keys
When you switch ESPs or decommission a service, old DKIM selectors often remain in DNS. Stale keys are a security risk because anyone with the corresponding private key can still sign email as your domain.
Broken DNS records
DKIM TXT records can be long and are sometimes split incorrectly across multiple strings. A missing quote, extra whitespace, or truncated record will cause signature verification to fail with a "no key" error.
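The key-strength and broken-record checks described above can be reproduced offline. The following Python code is an added example, not this checker's own implementation: it joins the TXT strings of a key record, parses the tags, and reads the RSA modulus size from the decoded p= value. The function names and the sample records, which wrap a dummy modulus rather than a real key, are constructed for illustration.

```python
import base64

def _tlv(buf, pos):
    """Read one DER element header at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):                # a cut-off record declares more than it holds
        raise ValueError("truncated DER")
    return pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    seq, _ = _tlv(spki, 0)                     # outer SEQUENCE
    _, alg_end = _tlv(spki, seq)               # AlgorithmIdentifier
    bit_string, _ = _tlv(spki, alg_end)        # BIT STRING wrapping the key
    key, _ = _tlv(spki, bit_string + 1)        # skip the unused-bits byte
    n_start, n_end = _tlv(spki, key)           # INTEGER modulus
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()

def check_dkim_record(txt_strings):
    """Audit one DKIM key record, given as the list of TXT character-strings."""
    tags = {}
    for part in "".join(txt_strings).split(";"):   # strings are joined with no separator
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())   # whitespace in values is ignored
    if not tags.get("p"):
        return "revoked: empty p=" if "p" in tags else "invalid: no p= tag"
    if tags.get("k", "rsa") != "rsa":
        return "skipped: non-RSA key type"
    try:
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return "invalid: p= does not decode to an RSA key"
    return ("ok" if bits >= 2048 else "weak") + ": %d-bit RSA" % bits

# Constructed samples (dummy modulus, not real keys): only the DER framing is valid.
_ALG = "300d06092a864886f70d0101010500"        # AlgorithmIdentifier: rsaEncryption
_HDR = {128: "30819f" + _ALG + "03818d00" + "308189" + "02818100",
        256: "30820122" + _ALG + "0382010f00" + "3082010a" + "0282010100"}
def sample_record(mod_len):
    der = bytes.fromhex(_HDR[mod_len]) + b"\xc3" * mod_len + bytes.fromhex("0203010001")
    b64 = base64.b64encode(der).decode()
    return ["v=DKIM1; k=rsa; p=" + b64[:200], b64[200:]]   # split over two TXT strings

if __name__ == "__main__":
    print([check_dkim_record(s) for s in (sample_record(256), sample_record(128))])
```

To audit a live domain, pass the character-strings returned by a TXT lookup of selector._domainkey.yourdomain.com to check_dkim_record.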