DKIM Record Checker

Fetch a DKIM TXT record at <selector>._domainkey.<domain>, parse the public key tags, infer key length, and warn about short keys, revoked keys, or testing flags.

About DKIM Record Checker

The DKIM Record Checker fetches the TXT record at <selector>._domainkey.<domain> (RFC 6376), where DKIM publishes its public key. You provide the domain plus the selector your platform uses (Google Workspace uses google; SendGrid uses s1/s2; Mailchimp uses k1). The tool decodes the base64 public key in the p= tag, infers its RSA key length, and warns when the key is shorter than the 2048-bit minimum recommended by RFC 8301. It also flags revoked selectors (empty p=) and testing mode (t=y), where receivers may treat failures as benign rather than enforcing. Because DKIM is the only one of SPF, DKIM, and DMARC that survives mail forwarding intact, a correct DKIM key is essential for newsletters, group lists, and any high-volume sender. Use this to confirm a new selector is live, debug failed signatures after a DNS change, and verify vendors aren't publishing 1024-bit keys.

Why use DKIM Record Checker

  • Resolves the correct <selector>._domainkey.<domain> path automatically.
  • Parses every DKIM tag — v, k, p, t, s, h, n — and explains what each does.
  • Infers RSA key length from the base64 public key and warns when it falls below RFC 8301 minimums.
  • Flags revoked selectors (empty p=) and testing flags (t=y) that downgrade enforcement.
  • Runs as a single TXT lookup — fast, cheap, and zero-data-leakage.
  • Pairs with our SPF and DMARC checkers for the full email-auth audit.

How to use DKIM Record Checker

  1. Enter the apex domain — for example, example.com.
  2. Enter the selector your sending platform uses — common ones include google, k1, s1, selector1, mte.
  3. Click Check DKIM to fetch the TXT at <selector>._domainkey.<domain>.
  4. Review the parsed tag table (v, k, p, t, s, h) and the inferred key length.
  5. If the inferred RSA key length is below 2048 bits, ask your sending platform to rotate to a stronger key.
  6. Cross-check that DMARC is alignment-compatible with the d= tag your platform signs with.

When to use DKIM Record Checker

  • After provisioning a new email sending platform that publishes its own DKIM selector.
  • When DMARC reports show DKIM failures and you need to confirm the published key matches what's signing.
  • While rotating from a 1024-bit legacy key to a 2048-bit modern key.
  • When migrating between selectors to verify both old and new are reachable during the transition.
  • When a vendor's DKIM signature stops verifying suddenly — often a DNS sync issue at the publishing zone.
  • On any new domain to confirm DKIM is live before tightening DMARC to p=quarantine or p=reject.

Examples

Google Workspace default selector

Input: example.com / google

Output: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAA... → 2048-bit RSA, healthy

Revoked legacy selector

Input: example.com / mailchimp-old

Output: v=DKIM1; k=rsa; p= → empty public key, selector revoked

Testing mode flag still set

Input: staging.example.com / s1

Output: v=DKIM1; t=y; k=rsa; p=... → t=y testing flag is active, failures won't enforce
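
The same three checks can be reproduced offline. The Python sketch below is an added example, not the tool's own code: it parses the tags, then walks the DER SubjectPublicKeyInfo in p= to read the exact RSA modulus size instead of inferring it from byte ranges. The function names are hypothetical, and the sample records are constructed around a dummy modulus rather than a usable key.

```python
import base64

def _tlv(der, pos, want):
    """Read one DER element at pos; return (value_start, value_end)."""
    if pos + 2 > len(der) or der[pos] != want:
        raise ValueError(f"expected tag {want:#04x} at offset {pos}")
    length, pos = der[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    if pos + length > len(der):
        raise ValueError("truncated DER")
    return pos, pos + length

def rsa_modulus_bits(spki):
    """Exact modulus size of an RSA SubjectPublicKeyInfo (what p= holds for k=rsa)."""
    start, _ = _tlv(spki, 0, 0x30)                    # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _tlv(spki, start, 0x30)              # AlgorithmIdentifier, skipped
    bits_start, _ = _tlv(spki, alg_end, 0x03)         # BIT STRING wrapping RSAPublicKey
    key_start, _ = _tlv(spki, bits_start + 1, 0x30)   # +1 skips the unused-bits octet
    mod_start, mod_end = _tlv(spki, key_start, 0x02)  # INTEGER modulus
    return int.from_bytes(spki[mod_start:mod_end], "big").bit_length()

def check_dkim(record):
    """Return (modulus_bits or None, findings) for one DKIM TXT record value."""
    pairs = (part.partition("=") for part in record.split(";") if part.strip())
    tags = {k.strip(): "".join(v.split()) for k, _, v in pairs}
    findings, bits = [], None
    if "y" in tags.get("t", "").split(":"):   # t= is a colon-separated flag list
        findings.append("testing")
    if not tags.get("p"):                     # empty p= marks a revoked selector
        findings.append("revoked")
    elif tags.get("k", "rsa") == "rsa":       # k= defaults to rsa when absent
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        if bits < 2048:
            findings.append("short-key")
    return bits, findings

def _der(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits, flags=""):
    """Constructed input: well-formed SPKI around a dummy modulus, not a usable key."""
    rsa = _der(0x30, _der(0x02, b"\x00" + b"\xc3" * (bits // 8)) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return f"v=DKIM1; {flags}k=rsa; p=" + base64.b64encode(spki).decode()
```

Records with k=ed25519 carry a raw 32-byte key rather than an SPKI, so `check_dkim` reports no RSA length for them.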

Tips

  • Don't guess the selector — pull it from the DKIM-Signature header of a real outbound message (s= field).
  • Most ESPs use predictable selector names: google for Workspace, k1 for Mailchimp, s1 for SendGrid, selector1 for Microsoft 365.
  • If p= is empty, the selector is revoked — rotate to a new selector and update DNS at the same time.
  • The t=y flag means receivers may treat failures as testing rather than enforcing — remove it once you trust the key.
  • If your platform supports it, publish two selectors and rotate keys without an outage by switching d= signing in the platform first.

Frequently Asked Questions

Is the queried record forwarded to a third party?
No. The TXT lookup runs from our backend against public DNS. Nothing is logged, stored, or shared.

Where do I find my DKIM selector?
It's in the s= tag of the DKIM-Signature header on a real outbound message. You can also find it documented in your sending platform's setup guide — Google Workspace uses google, SendGrid uses s1/s2, Mailchimp uses k1.

How does this compare to mxtoolbox or dnschecker?
It returns the same DNS data for free, with no signup, and adds an inferred-key-length warning. We don't yet validate a real signature against the record — that's a future addition.

Why is the inferred key length not exact?
We decode the SubjectPublicKeyInfo base64 and infer length from byte ranges. It's accurate to the nearest standard size (1024/2048/3072/4096) but does not parse the ASN.1 — for a precise check, run openssl rsa on the decoded key.

What does a 1024-bit warning mean for me?
RFC 8301 deprecated 1024-bit DKIM keys in 2018. Modern receivers may treat short keys as a soft signal of weak deliverability, and crypto guidance recommends 2048 or higher. Rotate at your sending platform's admin panel.

Can this detect a misconfigured DKIM signature?
It checks the published key. It does not verify a real signature on a captured email — for that, paste the message into the Email Header Analyzer.

What does t=y mean in the output?
Testing mode. Receivers may treat DKIM failures as benign rather than enforcing them. It's safe during rollout but should be removed once the deployment is verified.

What does the s= tag (service type) mean?
An optional restriction on which protocols can use the key — usually * (any) or email. Most domains leave it blank or set to *.

Glossary

DKIM
DomainKeys Identified Mail — RFC 6376 — a public-key signature scheme that proves a message was authorized by the domain in the d= tag.

DKIM selector
A short label that, combined with _domainkey.<domain>, identifies which key signed a message. Published in the s= tag of the DKIM-Signature header.

_domainkey
The fixed DNS subdomain under which all DKIM selectors live, per RFC 6376. The full record path is <selector>._domainkey.<domain>.

RSA key length
The bit length of the RSA public key. RFC 8301 deprecated 1024-bit keys; 2048 bits is the modern minimum, with 4096 used for high-value domains.

p= tag
The base64-encoded public key. An empty p= is a revocation marker — the selector is no longer active.

Testing flag (t=y)
A DKIM tag that signals receivers that this selector is in test mode and failures should not be enforced. Remove once you trust the deployment.