
Free DKIM Checker - Find & Validate DKIM Selectors

Don't know your DKIM selector? No problem. Our tool auto-discovers selectors, validates key length (1024 vs 2048-bit), and provides rotation recommendations. Works with Google, Microsoft 365, and all providers.


What This Tool Checks

  • Selector Discovery - Auto-probes common DKIM selectors
  • Key Length - Checks 1024-bit vs 2048-bit keys
  • Record Validity - Validates DKIM record syntax
  • Provider Detection - Identifies email service providers

How to Fix Common Issues

No DKIM Selectors Found

Configure DKIM in your email provider and add the TXT record to DNS:

selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=..."

1024-bit Key (Weak)

Upgrade to a 2048-bit key for better security. Generate a new key pair and update DNS.

Key Rotation Needed

Create a new selector with fresh keys. Keep the old selector active for 48-72 hours during the transition.

How It Works

  1. Enter Your Domain - Type your domain name without http:// or www
  2. We Probe Selectors - Our tool checks 20+ common DKIM selectors
  3. Get Instant Results - See found selectors, key lengths, and recommendations

Frequently Asked Questions

What is a DKIM selector?

A DKIM selector is a name that identifies which DKIM key to use for signing. It's part of the DNS record name: selector._domainkey.domain.com. Common selectors include 'google', 'default', 'k1', 's1', and date-based names like '2024-01'.

Is 1024-bit DKIM key length enough?

While 1024-bit keys are still accepted, 2048-bit keys are recommended for better security. Most modern email providers support 2048-bit keys. Consider upgrading during your next key rotation.

How often should I rotate DKIM keys?

Rotate DKIM keys every 6-12 months for optimal security. During rotation, keep the old key active for 48-72 hours to ensure emails in transit can still be verified.

Can I have multiple DKIM selectors?

Yes, you can have multiple DKIM selectors per domain. This is useful for different email services, key rotation, or redundancy. Each selector points to a different public key.

What if my DKIM selector lookup fails?

If a DKIM selector lookup fails, the key might not exist, DNS propagation might be incomplete, or there could be DNS configuration issues. Check your DNS provider settings and verify the selector name.

Understanding DKIM: The Complete Guide

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was sent by an authorized sender and hasn't been modified in transit. Unlike SPF, which validates the sending server, DKIM validates the message itself.

How DKIM Works

DKIM uses public-key cryptography:

  1. Key generation - You generate a public/private key pair
  2. DNS publication - The public key is published in DNS as a TXT record
  3. Message signing - Your mail server signs outgoing emails with the private key
  4. Verification - Receiving servers fetch your public key from DNS and verify the signature

If the signature verifies, the receiver knows the email is authentic and unmodified.

DKIM Selectors Explained

A DKIM selector is a name that identifies a specific DKIM key. The full DNS lookup is: selector._domainkey.yourdomain.com

Common selectors include:

  • google - Google Workspace
  • selector1, selector2 - Microsoft 365
  • k1, k2, k3 - Mailchimp
  • default - Many email services
  • s1, s2 - Amazon SES

You can have multiple selectors per domain, which is useful for different email services or key rotation.

DKIM Key Length: 1024-bit vs 2048-bit

DKIM keys come in different sizes:

  • 1024-bit - Minimum acceptable, but considered weak by modern standards
  • 2048-bit - Recommended standard, provides strong security
  • 4096-bit - Maximum security, but may cause DNS issues due to record size

Always use 2048-bit keys for new implementations. Some DNS providers have trouble with 4096-bit keys due to TXT record size limits.

DKIM Record Anatomy

A DKIM record contains several tags:

  • v=DKIM1 - Version (required)
  • k=rsa - Key type (rsa is standard)
  • p=... - Public key in base64 (required)
  • t=s - Testing mode flag (optional)
  • t=y - Domain is testing DKIM (optional)
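
An added example (not this tool's own code): a standard-library Python check for the record tags listed above and for the key-length guidance in the previous section. It decodes p= as a DER SubjectPublicKeyInfo to measure the RSA modulus; check_record, rsa_key_bits and sample_record are hypothetical names, and the sample records carry a constructed placeholder modulus, not a real key.

```python
import base64

def _tlv(buf, pos=0):
    """Read one DER element at pos; return (value, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_key_bits(der):
    """Modulus size of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    spki, _ = _tlv(der)                      # outer SEQUENCE
    _, pos = _tlv(spki)                      # AlgorithmIdentifier, skipped
    bitstr, _ = _tlv(spki, pos)              # BIT STRING wrapping RSAPublicKey
    modulus, _ = _tlv(_tlv(bitstr[1:])[0])   # drop unused-bits octet; first INTEGER
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt):
    """Validate one DKIM TXT value; returns key bits, testing flag, issues."""
    pairs = (part.partition("=") for part in txt.split(";") if "=" in part)
    tags = {k.strip(): "".join(v.split()) for k, _, v in pairs}  # undo TXT folding
    issues, bits = [], None
    if tags.get("v") != "DKIM1":
        issues.append("v=DKIM1 missing or wrong")
    if not tags.get("p"):
        issues.append("p= missing or empty (an empty p= marks a revoked key)")
    elif tags.get("k", "rsa") != "rsa":
        issues.append("non-RSA key: length check skipped")
    else:
        try:
            bits = rsa_key_bits(base64.b64decode(tags["p"], validate=True))
            if bits < 2048:
                issues.append(f"{bits}-bit key is weak: rotate to 2048-bit")
        except (ValueError, IndexError):
            issues.append("p= is not valid base64-encoded DER")
    return {"bits": bits, "testing": "y" in tags.get("t", "").split(":"), "issues": issues}

def _der(tag, body):  # DER encoder, used only to build the constructed samples
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits, extra=""):  # constructed record: placeholder modulus, not a usable key
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return f"v=DKIM1; k=rsa; {extra}p=" + base64.b64encode(spki).decode()
```

Pass check_record the TXT value returned for selector._domainkey.yourdomain.com with its quoted strings concatenated, since long keys are split across several strings in DNS.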

DKIM Key Rotation Best Practices

Regular key rotation improves security:

  1. Generate new key - Create a new key pair with a new selector name
  2. Publish new key - Add the new public key to DNS
  3. Wait for propagation - Allow 24-48 hours for DNS propagation
  4. Switch signing - Configure your mail server to use the new key
  5. Keep old key - Leave the old key active for 48-72 hours for emails in transit
  6. Remove old key - Delete the old DNS record after the transition period

Rotate keys every 6-12 months, or immediately if you suspect key compromise.

Why DKIM Matters for Deliverability

  • Authentication - Proves emails genuinely come from your domain
  • Integrity - Ensures message content hasn't been tampered with
  • Reputation - Builds sender reputation with email providers
  • DMARC requirement - DKIM alignment is often easier to achieve than SPF alignment
  • Forwarding resilience - Unlike SPF, DKIM survives email forwarding

Common DKIM Issues

  • Missing selector - The DKIM record doesn't exist in DNS
  • Invalid signature - Message was modified after signing (often by mailing lists)
  • Key mismatch - Private and public keys don't match
  • DNS propagation - New keys not yet visible to all DNS servers
  • Body hash mismatch - Email content changed after signing
