Free DNS & email authentication diagnostics — and the fix.

DKIM Lookup

Look up a domain's DKIM public-key record, parse every tag, and see provider-specific setup steps.

A DKIM selector is a short label your mail provider chooses to identify which DKIM key to use — for example google, selector1 or k1. The full DNS record sits at <selector>._domainkey.<yourdomain>. Leave this field blank and we'll probe the common selectors automatically.

Leave the selector blank to probe ~20 common selectors (Google, Microsoft 365, Mailgun, SendGrid, Fastmail, Proton, etc.) in parallel.

DKIM setup — provider walkthrough

DKIM keys are generated by your mail provider, not built from a form. Pick yours below for step-by-step setup.

What is DKIM?

DKIM (DomainKeys Identified Mail) is a way of cryptographically signing outgoing email so that receivers can verify the message really came from your domain and wasn't modified in transit.

Your mail provider holds a private key and signs every outgoing message with it. They publish the corresponding public key in your DNS as a TXT record at <selector>._domainkey.<yourdomain>. Receivers fetch that public key, verify the signature in the message headers, and decide whether the message is authentic.

What this tool checks

  • Whether DKIM records exist at common selectors (or a selector you specify)
  • The full record contents and a breakdown of every tag
  • Approximate RSA key size (1024-bit keys are below current best practice)
  • Hash algorithms allowed (SHA-1 is deprecated; SHA-256 is the standard)
  • Test-mode flag and revoked-key indicators
  • Whether the public key parses as a valid base64-encoded key

What's a selector?

A selector is an arbitrary label your mail provider chooses to identify a specific DKIM key. It lets a provider have multiple keys active at once (for rotation) and lets you have different keys for different services. The full DNS record name is <selector>._domainkey.<yourdomain>.

Common selectors by provider:

  • Google Workspace: google
  • Microsoft 365: selector1 and selector2 (CNAME records, not TXT)
  • Fastmail: fm1, fm2, fm3
  • Proton Mail: protonmail, protonmail2, protonmail3
  • Zoho: typically zoho or a custom name
  • Mailchimp: k1, k2
  • Mailgun: a custom selector you set (often mailo)
  • SendGrid: s1, s2

Common DKIM problems

Revoked key (empty p=)

If the p= tag is empty, the selector is explicitly marked as revoked. Any signature using this selector will be treated as invalid. This usually happens when a provider rotates keys but the old selector record isn't removed.

1024-bit RSA keys

1024-bit keys were the original DKIM default but are now below current best practice. Major providers have moved to 2048-bit. Some receivers (including Gmail) actively log warnings for 1024-bit DKIM. Most providers let you regenerate with 2048-bit from their admin UI.

SHA-1 in h=

SHA-1 is cryptographically broken and deprecated for DKIM. If your record advertises h=sha1, change it to h=sha256 (or remove the h= tag entirely so the default kicks in).

Test mode (t=y)

The t=y flag tells receivers "this is in test mode — don't treat DKIM failures as real failures." Remove it once you're confident DKIM is working. Leaving it in production undermines DMARC enforcement.
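The four problems above can be checked mechanically once the TXT record has been fetched. The following is an added example, not this tool's own code: it parses the tag list, reads the RSA modulus length out of the DER-encoded key, and reports each problem. The function names and the sample record (built around a made-up modulus, not a real key) are assumptions for illustration.

```python
import base64

def parse_tags(txt):
    """Split an already-joined DKIM key record into {tag: value}."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _der(buf, pos):
    """Read one DER TLV header at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(p_b64):
    """RSA modulus size in bits from a base64 SubjectPublicKeyInfo, else None."""
    try:
        der = base64.b64decode(p_b64, validate=True)
        _, start, _ = _der(der, 0)            # outer SEQUENCE
        _, _, end = _der(der, start)          # AlgorithmIdentifier (skipped)
        _, start, _ = _der(der, end)          # BIT STRING
        _, start, _ = _der(der, start + 1)    # RSAPublicKey SEQUENCE, after unused-bits byte
        tag, start, end = _der(der, start)    # INTEGER modulus
        return int.from_bytes(der[start:end], "big").bit_length() if tag == 2 else None
    except (ValueError, IndexError):
        return None

def audit(txt):
    """Flag the record problems described on this page."""
    t = parse_tags(txt)
    if "p" in t and not t["p"]:
        return ["revoked: empty p="]
    findings = []
    if t.get("k", "rsa") == "rsa":
        bits = rsa_bits(t.get("p", ""))
        if bits is None or bits < 2048:
            findings.append(f"weak key: {bits}-bit RSA" if bits else "p= does not parse as a key")
    if "sha1" in t.get("h", "").split(":"):
        findings.append("h= allows sha1")
    if "y" in t.get("t", "").split(":"):
        findings.append("test mode: t=y")
    return findings

# Constructed sample: 1024-bit RSA SPKI header around a made-up modulus (not a real key).
_HDR = bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100")
SAMPLE = "v=DKIM1; k=rsa; h=sha1:sha256; t=y; p=" + base64.b64encode(
    _HDR + b"\xc3" * 128 + bytes.fromhex("0203010001")).decode()
```

Long keys are often published as several quoted TXT strings; join them into one string before calling `audit`.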

Frequently Asked Questions

How do I find my selector if I don't already know it?

Check your mail provider's admin UI under "Email authentication" or "DKIM" — they'll show the host name they want you to publish, which contains the selector. Alternatively, send yourself a test message and look at the DKIM-Signature header — the s= field is the selector.

Can I have multiple DKIM records?

Yes — that's the whole point of selectors. Each selector is its own TXT record at a unique name, so you can have a Google selector, a Mailgun selector, and a SendGrid selector all signing mail for the same domain at once.

Why are Microsoft 365 records CNAMEs and not TXT?

Microsoft hosts the actual DKIM key for you and uses CNAME records to point your domain's selector1._domainkey and selector2._domainkey at their infrastructure. This lets Microsoft rotate keys behind the scenes without you having to update DNS.

How long does it take for DKIM to start working?

After you publish the DNS record, messages usually start being signed and verified within an hour (subject to your DNS TTL). Some providers (Amazon SES, Microsoft 365) have an additional step in the admin UI to enable DKIM after detecting the records; make sure that's done.

Do I need DKIM if I already have SPF?

Yes. SPF authenticates the connecting server's IP; DKIM authenticates the message content via signature. They cover different attack surfaces — SPF doesn't survive forwarding, DKIM does. DMARC requires at least one of them to pass with domain alignment, but real-world deliverability is best with both.

Can I rotate my DKIM keys?

Yes, and you should periodically. Most providers let you generate a new key under a new selector, leave both active for a transition period, then revoke the old one (set its p= to empty). NIST recommends rotating at least once a year.
