Free DKIM Record Checker — Verify DomainKeys Identified Mail

Use this free DKIM checker to instantly verify your domain's DKIM record, public key, and selector. DomainKeys Identified Mail adds a cryptographic signature to every email you send, proving to inbox providers that your messages are authentic and unaltered in transit.

How to Use This DKIM Checker

Verifying your DKIM configuration takes only a few seconds. Follow these steps to confirm your domain is properly signing outgoing emails and that receiving servers can validate those signatures.

Whether you are setting up DKIM for the first time or auditing an existing configuration, this guide will help you interpret the results and take corrective action. Proper DKIM setup is one of the most effective ways to improve your email deliverability and protect your domain reputation.

  1. Enter Your Domain Name

    Type your root domain into the input field above. Do not include "https://" or "www", just the domain itself (for example, maillead.io).

  2. Run the DKIM Lookup

    Click the Check DKIM button to query public DNS servers. The tool automatically tries common selectors (default, google, mail) to find your DKIM TXT record.

  3. Review the Parsed Record

    Examine the parsed results to see your DKIM selector, the full TXT record, the key type (typically RSA), and the public key used to verify email signatures.

  4. Fix Any Issues Found

    If the checker reports a missing record, invalid public key, or weak key length, use the guidance provided to update your DNS TXT record. Changes typically propagate within minutes to a few hours.

  5. Re-Check and Monitor Regularly

    After updating your DNS, run the checker again to confirm the changes took effect. Bookmark this page and return periodically to monitor your DKIM configuration.

What Is DKIM?

DKIM, which stands for DomainKeys Identified Mail, is an email authentication method that adds a digital signature to every outgoing message. This signature is generated using a private key held by the sender and verified by the receiving server using a corresponding public key published in the sender's DNS. When DKIM is properly configured, a valid signature shows that the signed parts of the message were not altered in transit and that the message was signed with the private key belonging to the claimed domain.

The DKIM signature is embedded in the email header as a Base64-encoded string. It covers critical parts of the message such as the body and selected header fields. The receiving mail server extracts this signature, retrieves the public key from DNS using the selector and domain name, and performs a cryptographic validation. If the signature checks out, the email passes DKIM authentication. If not, the email may be treated with suspicion depending on the domain's DMARC policy.

A DKIM record is published as a DNS TXT record at a subdomain like selector._domainkey.yourdomain.com. The record contains the version tag (v=DKIM1), the key type (k=rsa), and the public key itself (p=...). The selector is a string chosen by the domain administrator that allows multiple keys to coexist for the same domain. Rotating selectors is a common practice when updating keys, because it allows a smooth transition without downtime.

Unlike SPF, which validates the sending IP address, DKIM validates the message content and identity independently of the server that transmitted it. This makes DKIM especially valuable for emails that are forwarded by intermediaries, a scenario where SPF often breaks. Because the signature travels with the message, forwarding servers can preserve DKIM validity as long as they do not alter signed headers or the body.

Setting up DKIM is straightforward for most modern email platforms. Services like Google Workspace, Microsoft 365, Amazon SES, and Mailgun provide step-by-step wizards that generate the key pair and tell you exactly what DNS record to publish. Once configured, DKIM signing happens automatically on every outgoing message, requiring no ongoing manual effort from your team.

Why DKIM Matters

DKIM is essential for any sender who cares about deliverability. Major inbox providers including Gmail, Yahoo, and Microsoft use DKIM as a key signal when deciding whether to place an email in the inbox, spam folder, or reject it entirely. Without DKIM, your emails are far more likely to be flagged as suspicious, especially when combined with a missing or weak DMARC policy. For cold emailers and marketers, this can mean the difference between a successful campaign and one that never reaches its audience.

Beyond deliverability, DKIM protects your brand and your recipients from tampering and spoofing. Because the signature is cryptographically bound to the message content, attackers cannot modify an email in transit without invalidating the signature. This integrity check is critical for transactional emails, password resets, invoices, and any message where trust is paramount.

DKIM also works hand in hand with DMARC. DMARC alignment requires that the domain in the DKIM signature (the d= tag) matches the domain in the From header. Without DKIM, a domain cannot achieve DMARC alignment through the DKIM path, leaving it dependent solely on SPF. That dependency is risky because SPF breaks during forwarding and does not protect message integrity. A robust email authentication strategy always includes both SPF and DKIM, backed by a well-configured DMARC policy.

For businesses sending high volumes of email, DKIM is also a prerequisite for advanced deliverability programs and feedback loops offered by major mailbox providers. Providers are more likely to grant favorable sending limits, whitelisting, and detailed reporting to domains with properly configured DKIM and DMARC. In competitive inboxes, these small technical advantages compound into meaningful improvements in open rates and conversions.

Common DKIM Mistakes to Avoid

Avoiding these common pitfalls will save you hours of troubleshooting and protect your sender reputation from unnecessary damage.

One of the most common mistakes is publishing a DKIM record with a broken or truncated public key. DNS providers sometimes impose character limits on TXT records, and long 2048-bit keys can exceed those limits if pasted as a single string. If your key is cut off, receiving servers will be unable to verify signatures and your emails will fail DKIM. Always verify the complete key is present using this checker after publishing.

Another frequent error is using a selector that does not match the one configured in your email-sending service. Your mail server or ESP signs emails with a specific selector, and the receiving server looks up that exact selector in DNS. If you publish your key under default but your ESP uses s1, DKIM will fail every time. Always confirm the selector with your provider and publish the record at the correct subdomain.

Many senders also forget to include the v=DKIM1 version tag or use incorrect syntax around the key. While some receivers are lenient, strict parsers may reject records that deviate from the standard. Stick to the canonical format: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY. Avoid extra semicolons, missing spaces, or non-standard tags unless you know your receiver supports them.
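The record checks from the last two paragraphs, written out as an added example (this is not the checker's own code, and the function names are illustrative). It joins a TXT value that was split into quoted strings of at most 255 bytes, parses the tags, and reads the RSA modulus size from the p= key; sample_record builds constructed input around a filler modulus.

```python
import base64
import re

def _tlv_at(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo holding an RSA key."""
    body, _ = _tlv_at(spki, 0)             # outer SEQUENCE
    _, alg_end = _tlv_at(spki, body)       # AlgorithmIdentifier, skipped
    bitstr, _ = _tlv_at(spki, alg_end)     # BIT STRING wrapping RSAPublicKey
    seq, _ = _tlv_at(spki, bitstr + 1)     # +1 skips the unused-bits octet
    start, end = _tlv_at(spki, seq)        # INTEGER modulus
    return int.from_bytes(spki[start:end], "big").bit_length()

def check_dkim_record(rdata):
    """Return a list of problems found in a DKIM key record (empty list = none found)."""
    record = "".join(re.findall(r'"([^"]*)"', rdata)) or rdata   # join split strings
    pairs = (item.partition("=") for item in record.split(";") if item.strip())
    tags = {k.strip(): v.strip() for k, _, v in pairs}
    issues = [] if tags.get("v") == "DKIM1" else ["missing or wrong v=DKIM1 tag"]
    if tags.get("k", "rsa") != "rsa":
        return issues + ["key type other than rsa: not covered by this example"]
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        return issues + ["empty or missing p= tag: no usable public key"]
    try:
        bits = rsa_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError):       # bad base64, or DER cut short
        return issues + ["p= is truncated or corrupted"]
    return issues + ([f"weak key: {bits}-bit RSA"] if bits < 2048 else [])

def _der(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed input: well-formed DER around a filler modulus, not a usable key."""
    rsa = _der(0x30, _der(0x02, b"\x00" + b"\xc3" * (bits // 8)) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, bytes.fromhex("06092a864886f70d0101010500")) + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Calling check_dkim_record(sample_record(2048)[:200]) reproduces the truncated-key failure described above.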

Leaving an old or revoked key in DNS is another pitfall. When you rotate keys, publish the new record under a fresh selector and update your sending infrastructure to use it. Only remove the old selector after you have confirmed the transition is successful. Removing it too early can cause legitimate emails to bounce if they were queued with the old selector.

Finally, do not assume that DKIM alone is enough. Some organizations publish a DKIM record but never configure their mail server to actually sign outgoing messages. The record in DNS is useless if no signature is attached to the emails. Test by sending a message to yourself and inspecting the headers to confirm a DKIM-Signature field is present.
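The header inspection suggested above, as an added example rather than code from this tool: it reads every DKIM-Signature header from a raw message, derives the DNS name a receiver will query from the s= and d= tags, and lists names that are not among the records you published. The message, the example.com domain, and the function names are constructed for illustration; the From comparison is an exact match only, since relaxed DMARC alignment compares organizational domains and needs the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed test message: signature values are placeholders, not real signatures.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=s1; h=from:to:subject; bh=PLACEHOLDER;\r\n"
    "\tb=PLACEHOLDER\r\n"
    "From: Alice <alice@example.com>\r\n"
    "To: bob@example.net\r\n"
    "Subject: test\r\n"
    "\r\n"
    "hello\r\n"
)

def dkim_lookups(raw_message):
    """One entry per DKIM-Signature header: the key's DNS name and the signing domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    found = []
    for header in msg.get_all("DKIM-Signature", []):
        flat = re.sub(r"\s+", "", header)          # undo header folding
        tags = dict(item.split("=", 1) for item in flat.split(";") if "=" in item)
        if "d" not in tags or "s" not in tags:
            continue                               # malformed signature, nothing to look up
        d = tags["d"].lower()
        found.append({
            "dns_name": f"{tags['s']}._domainkey.{d}",
            "d": d,
            "exact_from_match": d == from_domain,
        })
    return found

def selector_mismatches(raw_message, published):
    """DNS names the message's signatures point at that are missing from `published`."""
    return [f["dns_name"] for f in dkim_lookups(raw_message)
            if f["dns_name"] not in published]
```

An empty result from dkim_lookups means the message carries no signature at all, which is the case this paragraph warns about.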

DKIM Best Practices

Use a 2048-bit RSA key as your default and rotate it at least once per year. Key rotation limits the damage if a private key is ever compromised. When rotating, introduce the new key under a fresh selector, update your sending infrastructure, and monitor delivery metrics before retiring the old selector. Keep a changelog of every selector and key so your team can troubleshoot issues quickly.

Coordinate with every team and service that sends email on behalf of your domain. Marketing platforms, CRMs, support desks, and internal mail relays may all need their own DKIM keys or selectors. Document every authorized sending source in a central inventory. This visibility is invaluable when you need to audit your DNS or investigate authentication failures.

Monitor your DMARC aggregate reports for DKIM alignment failures. These reports reveal which emails are failing DKIM and why, often surfacing misconfigured third-party services or unauthorized senders you did not know about. Review reports weekly during onboarding and monthly once your configuration is stable.

Test every DNS change with this DKIM checker before considering it complete. DNS propagation can be unpredictable, and a small typo can invalidate your entire record. Send test emails to multiple providers and inspect headers to confirm signatures validate. Consistent testing prevents surprises and protects your sender reputation.

Frequently Asked Questions

Below are answers to the most common questions we receive about DKIM, its configuration, and its impact on email deliverability.

What is DKIM and how does it protect my emails?

DKIM (DomainKeys Identified Mail) is an email authentication standard that uses public-key cryptography to sign outgoing messages. The receiving server verifies this signature against the public key published in your DNS. If the signature is valid, the recipient knows the email genuinely came from your domain and was not altered in transit. This prevents spoofing and improves deliverability.

What is a DKIM selector and why does it matter?

A DKIM selector is a string that points to a specific DKIM key record in your DNS. It is part of the DNS query used to find the public key (selector._domainkey.yourdomain.com). Selectors allow you to publish multiple keys, rotate keys smoothly, and distinguish between keys used by different email services. Common selectors include default, google, and mail.

How do I add or update a DKIM record for my domain?

You add a DKIM record by creating a TXT record in your DNS settings through your domain registrar or DNS hosting provider. The record name should be something like default._domainkey.yourdomain.com and the value should start with v=DKIM1; followed by the key type and public key. Most email providers generate this record for you automatically. DNS changes typically propagate within a few minutes but can take up to 48 hours.

What key length should my DKIM key use?

We recommend using a 2048-bit RSA key for DKIM. Keys shorter than 2048 bits are considered weak and may be rejected by some receiving servers. While 1024-bit keys are still supported by many providers, they offer less protection against brute-force attacks. If your current key is 1024 bits, plan to rotate to a 2048-bit key and update your DNS record accordingly.

Why does my DKIM fail when emails are forwarded?

DKIM can survive forwarding as long as the forwarding server does not modify any of the signed parts of the message, such as the body or signed headers. However, some forwarding services add footers, change subject lines, or rewrite headers, which invalidates the DKIM signature. This is one reason why having both DKIM and SPF is important, and why DMARC alignment through either mechanism is sufficient for DMARC to pass.

How often should I rotate my DKIM keys?

We recommend rotating DKIM keys at least once per year, or immediately if you suspect a private key has been compromised. Key rotation is simple when you use a new selector: publish the new public key under the fresh selector, update your sending systems to sign with it, and monitor for any issues before removing the old selector. Regular rotation limits the window of exposure if a key is ever leaked.