Free DKIM Record Lookup Tool — Verify Your Email Signatures Are Valid
9 min read · Updated April 2026
DKIM proves that every email you send is authentic and unaltered. If your DKIM key is missing, expired, or misconfigured, your emails lose their cryptographic seal of trust. Use our free DKIM lookup tool to verify your domain's signatures in seconds.
Key Takeaways
- ▸ DKIM adds a cryptographic signature to every outgoing email, proving authenticity
- ▸ You need both a domain name and a selector to look up a DKIM record
- ▸ Use 2048-bit RSA keys — 1024-bit keys are considered weak
- ▸ Each email provider uses its own selector (Google: "google", Microsoft: "selector1")
- ▸ Missing DKIM keys weaken your entire authentication stack, even if SPF passes
Table of Contents
- What Is DKIM and How Do Email Signatures Work?
- How to Find Your DKIM Selector
- How to Use the Free DKIM Lookup Tool
- Common DKIM Problems and How to Fix Them
- Provider-Specific DKIM Selectors
- How DKIM Fits Into the Authentication Stack
- DKIM Lookup vs DKIM Generator: When to Use Each
- Frequently Asked Questions
DKIM (DomainKeys Identified Mail) is the cryptographic layer of email authentication. While SPF verifies that an email came from an authorized server, DKIM proves that the email itself was authorized by the domain owner and was not tampered with during transit. For outbound email teams, a missing or broken DKIM record means your emails lack a critical trust signal that ISPs use for inbox placement decisions.
What Is DKIM and How Do Email Signatures Work?
DKIM uses public-key cryptography to authenticate email messages. When you send an email, your mail server signs specific headers and the message body using a private key. This generates a unique cryptographic signature that is added to the email as a DKIM-Signature header.
The receiving server then looks up your DKIM public key in DNS — at a location determined by the selector and domain in the signature header — and uses that key to verify the signature. If the signature validates, the receiving server knows two things: the email was authorized by the domain owner, and the message content was not modified after signing.
# DKIM-Signature header in an email
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=yourdomain.com; s=google;
h=from:to:subject:date:message-id;
bh=base64encodedBodyHash;
b=base64encodedSignature
The d= tag specifies the signing domain, and the s= tag specifies the selector. Together, they tell the receiving server to look up the public key at selector._domainkey.domain.com. This is the exact record our DKIM lookup tool queries.
How to Find Your DKIM Selector
Unlike SPF and DMARC, DKIM records are not published at a fixed location. You need to know the selector to find the record. Here are three ways to find your DKIM selector:
Method 1: Check Your Email Headers
Send a test email from your domain, then view the full headers (in Gmail: click the three dots → "Show original"). Look for the DKIM-Signature header and find the s= tag. The value after s= is your selector.
Method 2: Check Your Email Provider's Admin Console
Most email providers display the DKIM selector in their admin settings. In Google Admin Console, navigate to Apps → Google Workspace → Gmail → Authenticate email. For Microsoft 365, check the Exchange admin center under Mail flow → DKIM.
Method 3: Try Common Selectors
If you cannot access headers or admin settings, try the common selectors for your provider using our DKIM lookup tool. See the provider-specific selectors table below.
How to Use the Free DKIM Lookup Tool
Our free DKIM lookup tool queries your domain's DNS to find and validate your DKIM public key. Here's how to use it:
- Enter your domain — Type the domain you want to check (e.g.,
yourdomain.com). - Enter your DKIM selector — Type the selector used by your email provider (e.g.,
googlefor Google Workspace). - Run the lookup — The tool queries the TXT record at
selector._domainkey.yourdomain.com. - Review the results — The tool displays the full DKIM record, key type, key length, and any issues detected.
If your DKIM record is missing or needs to be created, use the DKIM Generator tool to create a properly formatted record.
Common DKIM Problems and How to Fix Them
Problem 1: Missing DKIM Key
The most common DKIM issue is simply not having a public key published in DNS. This happens when you set up a domain but skip the DKIM configuration step, or when you migrate DNS providers and the DKIM TXT record is not transferred. Without the public key in DNS, every DKIM signature on your emails will fail verification.
Fix: Generate a DKIM key pair through your email provider's admin console. Publish the public key as a TXT record in DNS at selector._domainkey.yourdomain.com. Verify it is published correctly using the DKIM lookup tool.
Problem 2: Key Too Short (1024-bit)
While 1024-bit RSA keys are technically still valid, they are considered cryptographically weak. Google recommends 2048-bit keys, and some security-conscious organizations may penalize emails signed with shorter keys. If your DKIM lookup shows a 1024-bit key, you should plan a key rotation.
Fix: Generate a new 2048-bit DKIM key pair through your email provider. Publish the new public key in DNS alongside the old one (using a new selector). Update your mail server to sign with the new key. After confirming all emails use the new signature, remove the old key.
Problem 3: Wrong Selector
If the selector in the email's DKIM-Signature header does not match a published DKIM record in DNS, verification fails. This happens when teams publish the key under the wrong selector name, or when an email provider changes selectors and the DNS record is not updated.
Fix: Check the DKIM-Signature header in a test email to confirm the exact selector being used. Then verify that a DKIM TXT record exists at that exact selector._domainkey.yourdomain.com location.
Problem 4: DNS Record Truncation
DKIM public keys, especially 2048-bit keys, can be long enough that some DNS providers truncate the TXT record. A truncated key will fail verification because the public key data is incomplete. This is particularly common with older DNS management interfaces.
Fix: Split the DKIM key into multiple strings within a single TXT record (most DNS providers support this). Verify the full key is published by using the DKIM lookup tool.
Provider-Specific DKIM Selectors
Each email provider uses different default DKIM selectors. When using the DKIM lookup tool, try these common selectors for your provider:
| Provider | Common Selectors | Notes |
|---|---|---|
| Google Workspace | google | Default selector; custom prefix possible via Admin Console |
| Microsoft 365 | selector1, selector2 | Two selectors for key rotation; both should be published |
| SendGrid | s1, s2 | Uses CNAME records pointing to SendGrid's DKIM keys |
| Mailgun | smtp, k1 | Varies by setup; check Mailgun domain settings |
| Postmark | 20yymmdd | Date-based selectors; check Postmark sender signatures |
| Smartlead | Provider-specific | Check Smartlead domain configuration for exact selector |
How DKIM Fits Into the Authentication Stack
DKIM is the second layer of the three-part email authentication system. While SPF verifies the sending server's IP address, DKIM verifies the email content itself. DMARC then ties both together with a policy that tells receivers what to do when authentication fails.
DKIM is particularly valuable for outbound email because it provides per-message authentication. SPF only validates the sending IP, which means any email from that IP passes regardless of content. DKIM, by contrast, cryptographically binds each individual email to the signing domain. This makes it significantly harder for attackers to spoof your domain and provides a stronger trust signal to ISPs.
For DMARC alignment to pass, either SPF or DKIM must align with the From header domain. In practice, having both pass gives you the strongest authentication posture. For a full walkthrough of how all three protocols work together, see our SPF, DKIM & DMARC setup guide.
DKIM Lookup vs DKIM Generator: When to Use Each
Superkabe offers two free DKIM tools for different use cases:
DKIM Lookup Tool
Use the DKIM Lookup tool when you need to:
- ● Verify that your DKIM public key is published in DNS
- ● Check the key length and algorithm of your existing DKIM key
- ● Diagnose why DKIM authentication is failing on your emails
- ● Confirm that a newly published DKIM record has propagated
DKIM Generator Tool
Use the DKIM Generator tool when you need to:
- ● Generate a new DKIM key pair for a domain
- ● Create a properly formatted DKIM TXT record for DNS
- ● Rotate from a 1024-bit key to a 2048-bit key
Frequently Asked Questions
What is a DKIM selector and how do I find mine?
A DKIM selector is a prefix used to locate your DKIM public key in DNS. The full lookup is selector._domainkey.yourdomain.com. Each provider uses different selectors: Google Workspace uses "google", Microsoft 365 uses "selector1" and "selector2", and SendGrid uses "s1" and "s2". You can find your selector by examining the DKIM-Signature header in any email sent from your domain.
What happens if my DKIM record is missing?
If your DKIM record is missing from DNS, receiving servers cannot verify the cryptographic signatures on your emails. DKIM authentication will fail for every email. While emails may still deliver if SPF passes, the lack of DKIM weakens your overall authentication posture and can negatively impact your sender reputation.
What is the recommended DKIM key length?
The recommended DKIM key length is 2048 bits. While 1024-bit keys are still accepted, they are considered weak by modern standards. Google recommends 2048-bit keys and some receivers may penalize shorter key lengths. If you are using a 1024-bit key, plan a rotation to 2048-bit.
Can I have multiple DKIM records for the same domain?
Yes. Unlike SPF (which must have exactly one record), you can have multiple DKIM records by using different selectors. Each email provider typically uses its own selector, so Google Workspace, Smartlead, and SendGrid can each have their own DKIM key on the same domain without conflict.
How do I check DKIM for emails sent through Google Workspace?
For Google Workspace, the default DKIM selector is "google". Use the DKIM lookup tool with your domain and the selector "google" to check if your DKIM key is published. If you generated a custom key in the Google Admin Console, you may have chosen a different prefix — check your admin settings to confirm.
How often should I rotate my DKIM keys?
DKIM key rotation is recommended every 6 to 12 months for security best practices. The more critical concern for outbound teams is ensuring the key exists and is valid. If you are using a 1024-bit key, rotate to 2048-bit immediately. Superkabe monitors DKIM key presence and validity continuously.
Stop Checking DKIM Manually
The free DKIM lookup tool is useful for spot checks, but outbound teams running multiple domains need continuous monitoring. Superkabe automatically validates DKIM keys across all your sending domains and selectors, alerts you when keys are missing or expiring, and prevents authentication failures before they impact deliverability.
See how Superkabe protects your infrastructure →How Superkabe prevents this problem
Superkabe continuously monitors DKIM records across all your sending domains, tracking key presence, key length, and selector validity. When a DKIM key goes missing, uses a weak key length, or a selector mismatch is detected, Superkabe flags the issue before it causes authentication failures at scale.