DKIM record checker
Enter a domain and selector to confirm the DKIM public key is published. Not sure of your selector? Leave it blank and we'll try the common ones.
Leave selector blank to try 10 common selectors automatically.
We don't save the domain you check.
What DKIM does
DKIM (DomainKeys Identified Mail) lets a domain claim responsibility for outgoing messages by adding a cryptographic signature. The sending mail server signs each message with a private key; receiving servers look up the matching public key in DNS to verify the signature.
A missing or revoked DKIM record means receivers cannot verify your signatures, which weakens your reputation and reduces deliverability. This matters most under strict DMARC policies.
What is a DKIM selector and how do I find mine?
A selector is the label your mail server includes in the DKIM-Signature header (look for s=something in an outgoing message header). Each sending service you configure gets its own selector. Common ones include google, selector1, default, s1, and mail.
What does an empty p= tag mean?
An empty p= means the key has been revoked (RFC 6376 §3.5). Receivers that look up this selector will find no public key and will treat any DKIM signature using it as a failure. If you are still signing mail with this selector, publish a new key or switch to a working one.
What is t=y and when should I remove it?
The t=y flag puts DKIM into test mode. Receivers are told that DKIM failures using this selector should not affect delivery. It is intended for initial setup. Once you are confident mail is being signed and delivered correctly, remove the y flag so that DKIM failures carry full weight.
Should I use RSA or Ed25519 for DKIM?
Both are valid. RSA is supported by all receivers and is the safe choice if you need broad compatibility. Ed25519 produces shorter, faster-to-verify keys and is supported by most modern receivers. If your mail provider supports it, using both (with different selectors) is the most robust approach.