Free DKIM Checker
Enter any domain to scan for DKIM public keys. We check common selectors used by Google Workspace, Microsoft 365, SendGrid, Mailchimp, and others. You can also enter your own selectors to verify specific signing configurations.
Need to create a DKIM record? Use our DKIM Generator. Setting up DKIM for the first time? Read the setup guide.
What Is DKIM?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outbound email. The sending server signs the message with a private key, and the receiving server looks up the corresponding public key in DNS to verify the signature. If the signature is valid, the receiver knows the message was not tampered with in transit and that it genuinely came from the claimed domain.
A DKIM DNS record is a TXT record published at selector._domainkey.yourdomain.com, where "selector" is a label chosen by your email provider (e.g. google for Google Workspace, selector1 for Microsoft 365).
Why DKIM Matters
- Prevents tampering: DKIM proves that the email body and key headers have not been modified after the sender signed them.
- Supports DMARC alignment: DMARC can use DKIM alignment (the d= domain in the signature matching the From header) to authenticate messages, even when SPF fails due to forwarding.
- Improves deliverability: Major receivers (Google, Microsoft, Yahoo) use DKIM as a positive signal when deciding whether to deliver a message, send it to spam, or reject it.
- Required for a strong Security Grade: detected DKIM signing is one of the checks in the Security Grade Checker. Domains without visible DKIM signatures get marked down.
Common DKIM Selectors by Provider
| Provider | Selector(s) | Record Type |
|---|---|---|
| Google Workspace | google | TXT |
| Microsoft 365 | selector1, selector2 | CNAME |
| SendGrid | s1, s2 | CNAME |
| Mailchimp / Mandrill | k1, mandrill | TXT |
| Amazon SES | (auto-generated) | CNAME |
| Proton Mail | protonmail, protonmail2, protonmail3 | CNAME |
This tool automatically scans all common selectors listed above and more. If your provider uses a custom selector not in the list, enter it in the custom selectors field.
What This Tool Checks
- Selector scanning: Probes common DKIM selectors used by major email providers
- Public key presence: Whether a valid DKIM TXT or CNAME record exists for each selector
- Key type: RSA or Ed25519 key algorithm
- Key size: Key length in bits (2048-bit recommended for RSA)
- SPF and DMARC context: Whether the domain also has SPF and DMARC configured
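One way to carry out the key type and key size checks listed above on a selector's TXT value, as an added example that is not this tool's own code. The function names and verdict labels are assumptions, and the sample record is built from a constructed number rather than a real key.

```python
import base64

def parse_tags(record):
    """Split a DKIM key record ('tag=value; ...') into a dict, dropping whitespace."""
    parts = (part.partition("=") for part in record.split(";"))
    return {name.strip(): "".join(value.split()) for name, _, value in parts}

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def rsa_bits(key):
    """Modulus bits of an RSA key in SubjectPublicKeyInfo or bare RSAPublicKey form."""
    tag, start, end = tlv(key, tlv(key, 0)[1])  # first element inside the outer SEQUENCE
    if tag == 0x30:                             # AlgorithmIdentifier: key sits in the BIT STRING
        bit_string = tlv(key, end)[1]
        inner = tlv(key, bit_string + 1)[1]     # skip unused-bits byte, enter RSAPublicKey
        tag, start, end = tlv(key, inner)
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(key[start:end], "big").bit_length()

def assess(record):
    """Return (key type, size in bits, verdict) for one selector's TXT value."""
    tags = parse_tags(record)
    ktype, p = tags.get("k", "rsa"), tags.get("p", "")  # k= defaults to rsa
    if not p:
        return ktype, 0, "revoked"              # empty p= marks a revoked key
    key = base64.b64decode(p)
    if ktype == "ed25519":                      # RFC 8463: p= is the raw 32-byte key
        return ktype, len(key) * 8, "ok" if len(key) == 32 else "malformed"
    bits = rsa_bits(key)
    return ktype, bits, "ok" if bits >= 2048 else "weak"

def der(tag, body):  # encode one DER element; used only to build the constructed sample
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_rsa_record(bits):
    """Constructed sample: an arbitrary odd number of the right size, not a real key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    key = der(0x03, b"\x00" + der(0x30, der(0x02, b"\x00" + n) + der(0x02, b"\x01\x00\x01")))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der(0x30, alg + key)).decode()
```

Calling `assess(sample_rsa_record(1024))` returns the "weak" verdict because the modulus is below the 2048-bit size recommended above.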
DKIM, SPF, and DMARC: The Complete Picture
DKIM is one of three email authentication protocols. SPF verifies the sending server, DKIM verifies the message integrity, and DMARC ties them together with a policy that tells receivers what to do when both fail. For full protection, you need all three.
Check all three protocols at once with our DMARC Checker, or learn how they work together in our SPF vs DKIM vs DMARC guide.
Frequently Asked Questions
What is a DKIM selector?
A DKIM selector is a label that identifies which signing key to look up in DNS. It is included in the DKIM-Signature header of every signed email (the s= tag). Each email provider uses its own selector(s), and a domain can have multiple selectors for different sending services.
Why are no DKIM selectors found for my domain?
This usually means DKIM signing has not been enabled in your email provider, the DNS records have not been published, or your provider uses a non-standard selector. Try entering your provider's specific selector in the custom field. Check our DKIM setup guide for provider-specific instructions.
Should I use RSA or Ed25519 for DKIM?
RSA with 2048-bit keys is the most widely supported option. Ed25519 offers smaller keys and faster verification, but support among receivers is not yet universal. If your provider supports Ed25519, you can publish both an RSA key and an Ed25519 key under different selectors for maximum compatibility.
Does DKIM affect my Security Grade?
Yes. Detected DKIM signing is a requirement for the Security Grade. Without DKIM, your domain cannot progress beyond Level 2 regardless of your DMARC policy. Check your Security Grade to see your current level.