DKIM Record Checker
Look up your DKIM record and verify key strength. Check selectors, detect stale or weak keys, and validate your DKIM configuration.
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication protocol defined in RFC 6376. It uses public-key cryptography to digitally sign outgoing emails, allowing receiving servers to verify that the message was authorized by the domain owner and hasn't been modified in transit.
The sending server adds a cryptographic signature to each email's headers using a private key. The corresponding public key is published as a DNS TXT record at selector._domainkey.yourdomain.com. When a receiving server gets the email, it retrieves the public key from DNS and verifies the signature.
Unlike SPF (which validates the sending server's IP), DKIM validates the message content itself. This means DKIM survives email forwarding, which SPF often does not.
Security risks & attack vectors
Weak 1024-bit keys
Many domains still use 1024-bit RSA keys, which are increasingly vulnerable. Upgrade to 2048-bit keys for adequate protection against modern threats.
Keys lost after DNS migration
You migrated DNS providers last year. Your DKIM key didn't follow. Receiving servers have been silently marking your email as unverified ever since.
No key rotation
The same DKIM key has been in use for 3 years. If it's ever compromised, attackers can forge perfectly authenticated emails from your domain.
The set-and-forget trap
DKIM keys are configured once during email setup and then never checked again. But keys can disappear during DNS migrations, expire after provider changes, or remain at weak 1024-bit strength while the rest of the industry moves to 2048-bit.
Third-party services like marketing tools and CRMs publish their own DKIM keys on your behalf using specific selectors. If any of these services change their signing configuration, your DKIM can break without warning.
Monitor all your DKIM selectors across providers.
Frequently asked questions
DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that an email was authorized by the domain owner and hasn't been tampered with in transit. It publishes a public key in DNS for receivers to verify.
A selector is a string used to look up the DKIM public key in DNS. The full query is selector._domainkey.domain.com. Different email services use different selectors (e.g., google for Google Workspace, selector1 for Microsoft 365).
1024-bit RSA keys are the minimum viable length and increasingly vulnerable. 2048-bit RSA is recommended by all major email providers and security standards. Consider Ed25519 for even stronger, more efficient signing.
Rotate DKIM keys at least every 12 months. Use a new selector for each rotation so the transition is seamless. Immediately rotate if you suspect a key has been compromised.
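The key-strength check discussed above, as an added example that is not this site's checker code: it parses one selector's TXT record, reads the RSA modulus size from the DER in p=, and flags keys under 2048 bits. Function names are assumptions, the sample records are constructed around dummy moduli, and fetching the TXT record from DNS is left out so the code runs offline.

```python
# Added example: offline audit of a DKIM selector's TXT record (no DNS lookup).
import base64

def parse_tags(txt):
    """Split a DKIM tag=value list (RFC 6376) into a dict, dropping whitespace."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size from a SubjectPublicKeyInfo or a bare RSAPublicKey."""
    _, body, _ = _tlv(der, 0)                # outer SEQUENCE
    tag, val, nxt = _tlv(body, 0)
    if tag == 0x30:                          # AlgorithmIdentifier first: SPKI
        _, bitstr, _ = _tlv(body, nxt)       # BIT STRING wrapping the key
        _, body, _ = _tlv(bitstr[1:], 0)     # skip unused-bits octet
        _, val, _ = _tlv(body, 0)            # INTEGER modulus
    return int.from_bytes(val, "big").bit_length()

def audit(txt):
    """Return findings for one selector record; an empty list means no issue."""
    t = parse_tags(txt)
    if not t.get("p"):
        return ["revoked or empty key (p= is empty)"]
    key = base64.b64decode(t["p"])
    if t.get("k", "rsa") == "ed25519":       # RFC 8463: raw 32-byte public key
        return [] if len(key) == 32 else ["malformed ed25519 key"]
    bits = rsa_bits(key)
    return [f"weak RSA key: {bits} bits"] if bits < 2048 else []

def _der(tag, val):
    n, size = len(val), (len(val).bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + val

def sample_record(bits):
    """Constructed input: SPKI around a dummy modulus, not a usable key."""
    n = (1 << (bits - 1)) | 1
    ints = _der(2, n.to_bytes(bits // 8 + 1, "big")) + _der(2, b"\x01\x00\x01")
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    spki = _der(0x30, alg + _der(3, b"\x00" + _der(0x30, ints)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Calling `audit(sample_record(1024))` reports the weak key, while the 2048-bit sample returns an empty list.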