Free Tool · No Signup Required

DKIM Record Lookup

Enter your domain and DKIM selector to verify your public key is published correctly in DNS. Confirm that receiving servers can validate your email signatures.

What is a DKIM Record?

DKIM (DomainKeys Identified Mail) is an email authentication protocol that uses public-key cryptography to verify that an email message was sent by an authorized mail server and has not been modified in transit.

When you send an email, your mail server creates a digital signature using a private key and adds it to the message headers as a DKIM-Signature header. The receiving server then looks up the corresponding public key in your domain's DNS records and uses it to verify the signature.

The DKIM public key is stored as a TXT record at selector._domainkey.yourdomain.com. The selector allows you to have multiple DKIM keys for the same domain — useful when you send email through different services (e.g., your primary email provider, a marketing platform, and a transactional email service).

DKIM is one of the three core email authentication protocols (alongside SPF and DMARC) required by Google and Yahoo for bulk senders since February 2024. Without a valid DKIM record, your emails are more likely to be flagged as spam or rejected entirely.

How to Find Your DKIM Selector

Your DKIM selector is included in every signed email your domain sends. To find it:

Open an email sent from your domain (send one to yourself if needed).
View the full email headers (in Gmail: click the three dots → "Show original").
Search for the DKIM-Signature header.
Find the s= tag — that value is your selector.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=example.com; s=google;
h=from:to:subject:date:message-id; ...

In this example, the selector is google. The full DNS lookup would be google._domainkey.example.com.

Common DKIM Selectors by Provider

If you are not sure which selector your provider uses, try these common defaults:

Provider	Selector(s)	Notes
Google Workspace	`google`	Default selector for Gmail / Google Workspace
Microsoft 365	`selector1, selector2`	Two selectors for automatic key rotation
Mailchimp	`k1`	Standard DKIM selector
SendGrid	`s1, s2`	Two selectors for key rotation
Amazon SES	`varies (CNAME-based)`	Uses unique auto-generated selectors per domain
Postmark	`20yymmdd (date-based)`	Date-stamped selectors for key rotation
Zoho Mail	`zmail`	Default selector for Zoho
Fastmail	`fm1, fm2, fm3`	Multiple selectors for redundancy
Brevo (Sendinblue)	`mail`	Standard DKIM selector
HubSpot	`hs1, hs2`	Two selectors used by HubSpot email

How to Read DKIM Results

A DKIM TXT record contains several tag-value pairs. Here are the key fields to understand:

v=DKIM1

Version

Identifies this as a DKIM record. Always set to DKIM1.

k=rsa

Key Type

The cryptographic algorithm used. RSA is the most common. Ed25519 is a newer, more efficient alternative.

p=MIIBIj...

Public Key

The base64-encoded public key used to verify signatures. An empty p= means the key has been revoked.

t=y

Flags

t=y means the domain is testing DKIM (receivers should treat failures leniently). t=s means strict mode — the signing domain must exactly match the From header domain.

n=...

Notes

Optional human-readable notes about the key. Not used for verification.

Frequently Asked Questions

What is a DKIM record?▼

A DKIM (DomainKeys Identified Mail) record is a DNS TXT record containing a public cryptographic key. When you send an email, your mail server signs the message with a private key. The receiving server looks up this DKIM record, retrieves the public key, and uses it to verify the signature — confirming the email is authentic and unaltered.

What is a DKIM selector?▼

A DKIM selector is a string that identifies which DKIM key to use for verification. It allows a domain to have multiple DKIM keys for different mail systems. The selector appears in the DKIM-Signature email header as the s= value, and the full DNS name is selector._domainkey.yourdomain.com.

How do I find my DKIM selector?▼

Open any email sent from your domain and view the full headers. Look for the DKIM-Signature header and find the s= tag. Common selectors include "google" for Google Workspace, "selector1" or "selector2" for Microsoft 365, and "k1" for Mailchimp.

What does an empty DKIM public key (p=) mean?▼

An empty p= tag means the DKIM key has been revoked. The record stays in DNS but without a public key value, so emails signed with this key will fail DKIM verification. This is the standard method for decommissioning a DKIM key during rotation or provider migration.

Can a domain have multiple DKIM records?▼

Yes. Each DKIM record uses a different selector, so a domain can publish as many DKIM keys as needed. This is common when sending through multiple services — each gets its own selector and key pair.

What key length should my DKIM key be?▼

DKIM keys should be at least 1024 bits, and 2048 bits is the current recommended standard. Keys shorter than 1024 bits are considered insecure. Some providers like Google Workspace default to 2048-bit keys. Longer keys are more secure but must fit within DNS TXT record size limits.

Related Tools

DKIM Record Generator

Generate a properly formatted DKIM TXT record with your public key and preferred settings.

SPF Record Lookup

Check if your domain has a valid SPF record and see all authorized sending servers.

DMARC Record Lookup

Check your DMARC policy and see how unauthenticated emails are handled.

Monitor DKIM Across All Your Domains

This free tool checks one record at a time. Superkabe monitors DKIM, SPF, and DMARC across all your sending domains automatically — every 24 hours — and alerts you before misconfigurations damage deliverability.

Start free trial