Back to blog

How to Check a DKIM Record (and Why It Fails)

DKIM signs your mail so receivers can prove it was not tampered with. Here is how to find your selector, read the public key, and diagnose a DKIM that is not validating.

MA
MailCull · Field notes
June 18, 2026 · 2 min read
deliverability
On this page · 4 sections

DKIM is the authentication record people find hardest to check, because unlike SPF it is not at a fixed location. You need to know one extra piece of information first: the selector.

What DKIM does

DKIM (DomainKeys Identified Mail) puts a cryptographic signature in the header of every message you send. The receiving server fetches your public key from DNS and uses it to confirm two things: that the mail really came from your domain, and that it was not altered in transit. A valid DKIM signature is one of the strongest trust signals you can send.

The public key lives at a special DNS name built from a selector:

<selector>._domainkey.acme.com

The selector is just a label your mail provider chooses, like google, s1, k1, or a date string. Google Workspace uses google; other providers vary. You cannot check DKIM without knowing it, which is why a DKIM lookup always asks for the selector.

Reading the record

A DKIM TXT record looks like this, trimmed:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...
  • v=DKIM1 marks the version.
  • k=rsa is the key type.
  • p= is the public key itself. An empty p= means the key was revoked, which is a common cause of sudden DKIM failures.

Why DKIM fails

  • Wrong or missing selector. If the selector in your mail headers does not match a published record, there is nothing for the receiver to fetch.
  • Revoked key (p= empty). The record exists but the key was cleared, often during a provider migration.
  • The key was rotated and the old selector is still being used by some sending path.
  • A truncated key because the long p= value was split incorrectly across DNS strings.

DKIM proving a message is authentic is what lets DMARC enforce a policy. If DKIM is failing, DMARC cannot do its job.

How to check it

Looking this up by hand means knowing the selector, querying dig <selector>._domainkey.acme.com TXT, and decoding the key fields yourself.

The free DKIM checker takes a domain and a selector, fetches the record, and tells you whether a valid public key is published, flagging a revoked or malformed key. It shows you the raw record so you can confirm what receivers see. It does not save the domain you check.

DKIM is one of three records that work together. Pair it with the SPF checker and the DMARC checker, or read the full SPF, DKIM, and DMARC setup guide.

Try it

Start with 500 free validation credits. No credit card.

Both Free and Pro run the same scan engine — full SMTP probe, MX lookup, typo, disposable, domain checks, and the evidence chain on every verdict. The difference is the monthly credit pool (Free=500, Pro=100,000) plus Pro's API and MCP access.

Start verifying free Upload a CSV →
← Previous

How to Clean Your Email List in Klaviyo
Next →

How to Check Your SPF Record (and Fix Common Errors)
Found a mistake? Email [email protected]. Tags · deliverability · dns · dkim · authentication