Email authentication
DKIM Record Checker & Validator
Look up the selector._domainkey TXT record for any domain and validate DKIM tags, key type and key length.
What does the DKIM validator check?
- Enter the DKIM selector (for example google, default or k1) and the domain. The tool queries the {selector}._domainkey.{domain} TXT record from public DNS.
- The record is parsed tag by tag: v=DKIM1 version, k= key type, p= public key, h= hash algorithms, s= service types and t= flags, plus the decoded key length.
- Read the verdict and warnings: a missing record, an empty p= tag (revoked key), a weak 1024-bit key or a t=y testing flag each get a clear explanation.
DKIM tags to review
The validator focuses on the DNS half of DKIM: the published public key record. It confirms the record exists, parses every tag and flags weak or revoked keys — it does not sign or receive mail on your behalf.
| Tag | Why it matters | Example |
|---|---|---|
| v=DKIM1 | Record version tag that must open a valid DKIM record | v=DKIM1 |
| k / p | Key type and Base64 public key used to verify signatures | k=rsa; p=MIIBIjANBg… |
| Key length | RSA modulus size — 1024-bit keys are considered weak today | 2048 bit |
| t=y | Testing flag: receivers treat signatures as if the domain were unsigned | t=y |
When to check a DKIM record
Run a check right after adding or changing the DNS record for a mail provider. Google Workspace usually uses the google selector, Microsoft 365 uses selector1 and selector2, Amazon SES issues three random CNAME selectors, Mailchimp uses k1 (and k2/k3), and SendGrid commonly uses s1 and s2.
Check DKIM when messages land in spam or DMARC reports show dkim=fail. A missing or malformed record is one of the most common root causes.
Verify both selectors during key rotation: providers publish a new key on a second selector before retiring the old one, and both must resolve while old signatures are still in transit.
Fixing missing or invalid DKIM records
If no record is found, confirm the exact selector spelling and that the TXT (or CNAME) record lives at selector._domainkey.yourdomain.com — a very common mistake is publishing it at the apex or doubling the domain in the host field.
If the record is found but invalid, look at the parsed tags: a missing v=DKIM1, a truncated p= value (DNS providers often split long keys into multiple quoted strings) or stray whitespace will break verification.
An empty p= tag means the key was deliberately revoked. A t=y flag means the domain is still in testing mode — receivers verify the signature but do not enforce it, so remove the flag once the rollout is confirmed.
DKIM selectors, keys and rotation
DKIM lets a sending server sign each message with a private key; receivers fetch the matching public key from DNS using the selector named in the DKIM-Signature header (the s= tag). Selectors allow one domain to publish many keys at once.
Key length matters: 1024-bit RSA keys are still accepted but considered weak, and most providers now issue 2048-bit keys. Some DNS panels need the longer Base64 string split into two quoted chunks.
Rotate keys by publishing a new key under a new selector, switching signing to it, and only then removing or revoking the old record. Checking each selector individually confirms every step of the rotation.
Email authentication workflow
- Confirm MX and SPF records with the DNS Checker.
- Validate each DKIM selector your providers sign with.
- Check the _dmarc TXT record and its policy.
- Re-check after any provider migration or key rotation.
DKIM validator vs dig and mail headers
You can query the record with dig TXT selector._domainkey.example.com, but you still have to parse the tags and decode the key length yourself. The validator does that automatically and explains each finding.
Reading Authentication-Results headers on a received message shows whether one specific message passed. The validator answers the earlier question: is the published record itself present and valid?
Full deliverability suites test seed inboxes and reputation. This tool covers the DNS foundation that everything else depends on — fast, free and scriptable via the API.
Why use the DN01 DKIM Validator
- Selector-aware lookup that parses every DKIM tag and reports key type and key length, not just raw TXT output.
- Clear warnings for revoked keys (empty p=), testing mode (t=y) and weak 1024-bit keys.
- Fits the existing DN01 workflow next to DNS, SPF/TXT and blacklist checks, with localized UI in 8 languages.
FAQ
DKIM validator FAQ
Selectors, DNS TXT records, key length and what testing or revoked flags mean.
What is a DKIM selector?
The selector is the label named in the s= tag of a message's DKIM-Signature header. Receivers combine it with your domain to query the selector._domainkey.yourdomain.com TXT record, so one domain can publish several signing keys at once.
How do I find my DKIM selector?
Open a message you sent and look at the DKIM-Signature header: the s= tag is the selector. Common defaults are google for Google Workspace, selector1/selector2 for Microsoft 365, k1 for Mailchimp and s1/s2 for SendGrid. You can also confirm the TXT record exists with DNS Checker.
Why is my DKIM record invalid?
Frequent causes are a missing v=DKIM1 tag, a truncated p= value after a DNS panel split the long key incorrectly, stray quotes or whitespace, or the record being published at the wrong hostname. The validator parses each tag and points at the exact problem.
What does t=y mean in a DKIM record?
It is the testing flag: receivers verify the signature but treat failures as if the message were unsigned. It is fine during rollout, but remove it once your DMARC reports show DKIM passing consistently.
Should I use a 1024-bit or 2048-bit DKIM key?
Use 2048-bit. 1024-bit RSA keys are still verified but considered weak, and major providers now issue 2048-bit keys by default. If your DNS panel rejects the longer value, split the Base64 string into two quoted chunks.
Can a domain have multiple DKIM selectors?
Yes, and it usually should. Each mail provider signs with its own selector, and key rotation relies on publishing a new key under a fresh selector before the old one is revoked. Validate each selector separately to confirm the full rotation.
Tool switcher
Continue with another check
Pick the next step in your domain or security workflow.
- DNS CheckerAll major record types in one passOpen
- DIGOne record type, resolver-style answerOpen
- WHOISRegistrar, expiry and domain statusOpen
- Domain IP LookupA and AAAA IP addresses for a domainOpen
- Blacklist CheckerDNSBL reputation for IP and domainOpen
- SSL Certificate CheckerCertificate chain, SAN and TLS versionOpen
- HTTP/2 TesterHTTP/2 support, ALPN and TLS negotiationOpen
- HTTP Header CheckerResponse headers, redirects and cachingOpen
- Punycode ConverterUnicode ↔ Punycode for IDN domainsOpen
- IP CalculatorSubnet math for IPv4 and IPv6 CIDROpen
- BIN CheckerCard brand, bank and country from BIN/IINOpen
- Base64 CodecEncode and decode Base64 textOpen
- Password GeneratorStrong random passwords for ops workOpen
- Passphrase GeneratorMemorable random word phrases for safer sharing testsOpen
Related articles
Practical guides for common DKIM Validator tasks — DNS records, troubleshooting steps, and links to our free tools.
DKIM selector, what is DKIM selector, selector._domainkey
DKIM Selector Explained: How selector._domainkey Works
What a DKIM selector is, where it appears in DNS, and why mail providers use different selectors for signing keys.
Read article →find DKIM selector, DKIM selector lookup, Google Workspace DKIM selector
How to Find Your DKIM Selector
Practical places to find DKIM selectors in Google Workspace, Microsoft 365, Amazon SES, Mailchimp, SendGrid and email headers.
Read article →DKIM p tag, DKIM public key, DKIM TXT p=
DKIM p= Tag: Public Key Checks That Matter
How to read the DKIM p= public key tag, why empty p= revokes a key, and what truncated DNS TXT records look like.
Read article →DKIM 1024 vs 2048, DKIM key length, weak DKIM key
DKIM 1024 vs 2048 Bit Keys: What to Use
Why 2048-bit DKIM keys are preferred, when 1024-bit keys still appear, and how key length affects DNS TXT records.
Read article →DKIM t=y, DKIM testing mode, DKIM flags
DKIM t=y Testing Mode: When to Remove It
What the DKIM t=y flag means, why it is useful during rollout, and why it should not stay forever.
Read article →rotate DKIM keys, DKIM key rotation, multiple DKIM selectors
How to Rotate DKIM Keys Safely
A safe workflow for publishing a new selector, switching signing, waiting out TTL, and retiring the old DKIM key.
Read article →Google Workspace DKIM, google DKIM selector, Gmail DKIM record
Google Workspace DKIM Check: Selector and TXT Record
How Google Workspace DKIM records are named, what the google selector means, and how to troubleshoot missing or invalid records.
Read article →Microsoft 365 DKIM selector1 selector2, Office 365 DKIM, M365 DKIM CNAME
Microsoft 365 DKIM: selector1 and selector2 Explained
Why Microsoft 365 uses selector1 and selector2, how CNAME-based DKIM publishing works, and what to check when validation fails.
Read article →