Skip to content
D1
EN

Email authentication

DKIM Record Checker & Validator

Look up the selector._domainkey TXT record for any domain and validate DKIM tags, key type and key length.

This form calls the relative endpoint: /site-api/tools/dkim

What does the DKIM validator check?

  1. Enter the DKIM selector (for example google, default or k1) and the domain. The tool queries the {selector}._domainkey.{domain} TXT record from public DNS.
  2. The record is parsed tag by tag: v=DKIM1 version, k= key type, p= public key, h= hash algorithms, s= service types and t= flags, plus the decoded key length.
  3. Read the verdict and warnings: a missing record, an empty p= tag (revoked key), a weak 1024-bit key or a t=y testing flag each get a clear explanation.

DKIM tags to review

The validator focuses on the DNS half of DKIM: the published public key record. It confirms the record exists, parses every tag and flags weak or revoked keys — it does not sign or receive mail on your behalf.

TagWhy it mattersExample
v=DKIM1Record version tag that must open a valid DKIM recordv=DKIM1
k / pKey type and Base64 public key used to verify signaturesk=rsa; p=MIIBIjANBg…
Key lengthRSA modulus size — 1024-bit keys are considered weak today2048 bit
t=yTesting flag: receivers treat signatures as if the domain were unsignedt=y

When to check a DKIM record

Run a check right after adding or changing the DNS record for a mail provider. Google Workspace usually uses the google selector, Microsoft 365 uses selector1 and selector2, Amazon SES issues three random CNAME selectors, Mailchimp uses k1 (and k2/k3), and SendGrid commonly uses s1 and s2.

Check DKIM when messages land in spam or DMARC reports show dkim=fail. A missing or malformed record is one of the most common root causes.

Verify both selectors during key rotation: providers publish a new key on a second selector before retiring the old one, and both must resolve while old signatures are still in transit.

Fixing missing or invalid DKIM records

If no record is found, confirm the exact selector spelling and that the TXT (or CNAME) record lives at selector._domainkey.yourdomain.com — a very common mistake is publishing it at the apex or doubling the domain in the host field.

If the record is found but invalid, look at the parsed tags: a missing v=DKIM1, a truncated p= value (DNS providers often split long keys into multiple quoted strings) or stray whitespace will break verification.

An empty p= tag means the key was deliberately revoked. A t=y flag means the domain is still in testing mode — receivers verify the signature but do not enforce it, so remove the flag once the rollout is confirmed.

DKIM selectors, keys and rotation

DKIM lets a sending server sign each message with a private key; receivers fetch the matching public key from DNS using the selector named in the DKIM-Signature header (the s= tag). Selectors allow one domain to publish many keys at once.

Key length matters: 1024-bit RSA keys are still accepted but considered weak, and most providers now issue 2048-bit keys. Some DNS panels need the longer Base64 string split into two quoted chunks.

Rotate keys by publishing a new key under a new selector, switching signing to it, and only then removing or revoking the old record. Checking each selector individually confirms every step of the rotation.

Email authentication workflow

  1. Confirm MX and SPF records with the DNS Checker.
  2. Validate each DKIM selector your providers sign with.
  3. Check the _dmarc TXT record and its policy.
  4. Re-check after any provider migration or key rotation.

DKIM validator vs dig and mail headers

You can query the record with dig TXT selector._domainkey.example.com, but you still have to parse the tags and decode the key length yourself. The validator does that automatically and explains each finding.

Reading Authentication-Results headers on a received message shows whether one specific message passed. The validator answers the earlier question: is the published record itself present and valid?

Full deliverability suites test seed inboxes and reputation. This tool covers the DNS foundation that everything else depends on — fast, free and scriptable via the API.

Why use the DN01 DKIM Validator

  • Selector-aware lookup that parses every DKIM tag and reports key type and key length, not just raw TXT output.
  • Clear warnings for revoked keys (empty p=), testing mode (t=y) and weak 1024-bit keys.
  • Fits the existing DN01 workflow next to DNS, SPF/TXT and blacklist checks, with localized UI in 8 languages.

FAQ

DKIM validator FAQ

Selectors, DNS TXT records, key length and what testing or revoked flags mean.

What is a DKIM selector?

The selector is the label named in the s= tag of a message's DKIM-Signature header. Receivers combine it with your domain to query the selector._domainkey.yourdomain.com TXT record, so one domain can publish several signing keys at once.

How do I find my DKIM selector?

Open a message you sent and look at the DKIM-Signature header: the s= tag is the selector. Common defaults are google for Google Workspace, selector1/selector2 for Microsoft 365, k1 for Mailchimp and s1/s2 for SendGrid. You can also confirm the TXT record exists with DNS Checker.

Why is my DKIM record invalid?

Frequent causes are a missing v=DKIM1 tag, a truncated p= value after a DNS panel split the long key incorrectly, stray quotes or whitespace, or the record being published at the wrong hostname. The validator parses each tag and points at the exact problem.

What does t=y mean in a DKIM record?

It is the testing flag: receivers verify the signature but treat failures as if the message were unsigned. It is fine during rollout, but remove it once your DMARC reports show DKIM passing consistently.

Should I use a 1024-bit or 2048-bit DKIM key?

Use 2048-bit. 1024-bit RSA keys are still verified but considered weak, and major providers now issue 2048-bit keys by default. If your DNS panel rejects the longer value, split the Base64 string into two quoted chunks.

Can a domain have multiple DKIM selectors?

Yes, and it usually should. Each mail provider signs with its own selector, and key rotation relies on publishing a new key under a fresh selector before the old one is revoked. Validate each selector separately to confirm the full rotation.

Tool switcher

Pick the next step in your domain or security workflow.

Full tool catalog

Guides

Practical guides for common DKIM Validator tasks — DNS records, troubleshooting steps, and links to our free tools.

Back to DKIM Validator