Deliverability Score

Free DKIM record checker

Find your DKIM keys across common selectors and check that they're configured to sign your outgoing email.

Primer

What is DKIM?

DKIM stands for DomainKeys Identified Mail, a cryptographic signature added to every email you send. The sending server signs the message with a private key; the receiving server fetches the matching public key from DNS and verifies the signature. A valid signature proves two things in one step: the signed content (the body and the headers covered by the signature) wasn't tampered with in transit, and it actually came from a server authorized to sign for your domain.

DKIM keys are stored in DNS at {selector}._domainkey.yourdomain.com. The selector is chosen by whoever generates the key — your ESP, your transactional provider, your Workspace admin — and it lets a single domain host many keys simultaneously. One domain can have a dozen DKIM records, one per sending service, and they don't conflict because each lives at a unique host.

Modern DKIM keys should be 2048-bit RSA. 1024-bit keys still work for now but are flagged as weak by Gmail and other major receivers, and most ESPs have already defaulted to 2048-bit for new setups. Rotating an old key to a new selector is usually a one-click operation in your ESP's UI, and rotation is a good idea once a year — long-lived keys are a security risk if they're ever leaked.

Different ESPs use their own selector conventions: Google uses google; Klaviyo uses klaviyo1 and klaviyo2; SendGrid uses s1 and s2; Mailchimp uses k1 and k2; Postmark uses dynamic selectors per account. When you set up a new sender, the ESP gives you a CNAME or TXT record to publish — that delegation is what lets the ESP sign as you while keeping their private key under their control.

Anatomy

How to read your DKIM record

A DKIM record is short by design — just a version, key type, and the public key itself. Here's what each tag does.

Example record

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

v=DKIM1

Version tag. Optional but recommended — when present, it must be the first tag in the record.

k=rsa

Key type. RSA is the standard. ed25519 is supported by some receivers but RSA is still the universal default.

p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

The public key, base64-encoded. This is the long string receivers use to verify message signatures. If p= is empty, the key has been revoked.
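
The tag rules above, together with the 2048-bit recommendation, as an added Python example (not the checker's own code): it parses a record, flags a misplaced v=, reports an empty p= as revoked, and reads the RSA modulus size out of the base64 key. Because the example key on this page is truncated, sample_record builds constructed records with a placeholder modulus; all function names are hypothetical.

```python
import base64

def parse_tags(record):
    """Split 'tag=value; tag=value' into ordered (tag, value) pairs."""
    parts = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return [(t.strip(), "".join(v.split())) for t, v in parts]

def der_read(buf, pos):
    """Read the DER header at pos; return (content_start, content_end)."""
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:                       # short form: the byte is the length
        return pos, pos + first
    n = first & 0x7F                       # long form: n length bytes follow
    return pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a decoded p= value."""
    pos, _ = der_read(spki, 0)             # enter outer SEQUENCE
    _, pos = der_read(spki, pos)           # skip AlgorithmIdentifier
    pos, _ = der_read(spki, pos)           # enter BIT STRING
    pos, _ = der_read(spki, pos + 1)       # skip unused-bits byte, enter RSAPublicKey
    start, end = der_read(spki, pos)       # INTEGER modulus
    return int.from_bytes(spki[start:end], "big").bit_length()

def check_record(record):
    """Return a list of findings for one DKIM TXT record."""
    tags = parse_tags(record)
    d, findings = dict(tags), []
    if "v" in d and (tags[0][0] != "v" or d["v"] != "DKIM1"):
        findings.append("v= present but not first or not DKIM1")
    if d.get("k", "rsa") != "rsa":
        return findings + ["key type " + d["k"] + " (not RSA)"]
    if not d.get("p"):
        return findings + ["revoked: p= is empty"]
    bits = rsa_modulus_bits(base64.b64decode(d["p"]))
    return findings + [f"rsa {bits}-bit" + (" (weak)" if bits < 2048 else "")]

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed samples."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits, prefix="v=DKIM1; k=rsa; "):
    """Constructed record: real DER layout, placeholder modulus, not a usable key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    spki = der(0x30, alg + der(0x03, b"\x00" + key))
    return prefix + "p=" + base64.b64encode(spki).decode()
```

Pass check_record the TXT value your resolver returns for {selector}._domainkey.yourdomain.com; check_record(sample_record(1024)) returns the weak-key finding, and the constructed 2048-bit sample begins with the same MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA header as the example record above.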

Common pitfalls

Common DKIM mistakes

ESP signing with the wrong domain

If you send through Klaviyo but Klaviyo's DKIM signs as send.yourdomain.com instead of yourdomain.com, DMARC alignment can break: a subdomain satisfies relaxed alignment but not strict. Configure your ESP's branded sender setup so DKIM signs with your own domain, not theirs.

Old 1024-bit keys

Many older setups still use 1024-bit RSA, which Gmail and others now flag as weak. Rotate to 2048-bit keys, generated through your ESP's UI rather than reusing a key you copy-pasted from somewhere else.

Selector typos in DNS

DKIM records live at {selector}._domainkey.yourdomain.com, and a typo in the selector means lookups fail silently — your messages get signed but no one can verify them. Always test by looking up the record at the exact host your ESP gave you.

Keys never rotated

DKIM keys should be rotated periodically. A key that's been signing for years is a security liability — if it's leaked, an attacker can sign mail as you indefinitely. Most ESPs let you generate new selectors without downtime.

Missing DKIM on a new sending platform

Adding a new ESP — Postmark for transactional, a new CRM, a new vendor — without setting up DKIM means every send from that platform fails authentication. Always set up SPF, DKIM and DMARC alignment at the same time as you connect a new sender.

FAQ

Frequently asked questions

What's a DKIM selector?

A selector is a label that identifies which DKIM key a message was signed with. It lets a single domain host multiple keys — one per sender, one per service. Selectors appear in the DNS lookup path: a key at google._domainkey.yourdomain.com uses the selector 'google'. Each ESP picks its own selectors (Google uses google, Klaviyo uses klaviyo1/klaviyo2, SendGrid uses s1/s2).

How do I find my DKIM record?

DKIM lives at {selector}._domainkey.{yourdomain}, but the selector depends on which ESP signed the message. The easiest way is to send yourself a test email, view full headers, and look for the d= and s= values in the DKIM-Signature header — those give you the domain and selector to look up. Or use this checker, which probes common selectors automatically.

What does it mean when DKIM 'fails'?

It usually means one of three things: the receiver couldn't find a key at the selector listed in the message, the key was found but the cryptographic signature didn't match (the message was altered in transit or the key was wrong), or the key has been revoked (p= is empty). The most common cause in practice is a forwarded email — DKIM signatures don't always survive forwarding through mailing lists.

Should I use a 1024-bit or 2048-bit DKIM key?

Use 2048-bit. 1024-bit keys still technically work but are now flagged as weak by Gmail and several other receivers. 2048-bit is the modern standard for any new setup, and most ESPs default to it. Rotating an old 1024-bit key to 2048-bit is usually a one-click operation in your ESP's UI.

Can I have multiple DKIM records?

Yes — and you usually should. A domain can publish many DKIM keys, one per selector, and each sending service uses its own. You'll often have several active selectors at once: one for Google Workspace, one for Klaviyo, one for your transactional ESP, and so on. They don't conflict because each lives at a unique host.

Does DKIM work with email forwarding?

DKIM survives most forwarding because the signature is over the message body and selected headers, not the envelope. However, mailing lists and forwarders that modify the subject line or body (adding [LIST] prefixes, footers, etc.) break DKIM signatures. This is one reason DMARC requires either SPF or DKIM to pass — they fail in different scenarios.

How often should I rotate my DKIM keys?

At least once a year is the common recommendation, though many large senders rotate every 6 months. Most ESPs make rotation easy: you generate a new selector, both keys are active during the transition, and the old one is retired. Don't skip rotation — long-lived keys are a security risk if they ever leak.

What's the difference between DKIM signing domain and From domain?

The signing domain (the d= tag in the DKIM-Signature header) is whichever domain owns the private key that signed the message. The From: domain is what shows up in the recipient's inbox. For DMARC to pass, these need to align: they must either match exactly (strict) or share an organizational domain (relaxed). When an ESP signs with their own domain instead of yours, DKIM passes but DMARC alignment fails.
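
An added Python example (not part of the original page or the checker) of the header-based lookup and the alignment rule from the answers above: it pulls d= and s= from each DKIM-Signature header of a constructed message, builds the DNS host to query, and classifies alignment with the From: domain. The message, the esp.example domain and all function names are assumptions, and org_domain uses a last-two-labels shortcut where real receivers consult the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: two signatures, placeholder bh=/b= values.
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=send.yourdomain.com;
 s=klaviyo1; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example;
 s=s1; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: News <news@yourdomain.com>
Subject: constructed sample

Hello.
"""

def signature_tags(value):
    """Parse a DKIM-Signature header value into a {tag: value} dict."""
    parts = [p.split("=", 1) for p in value.split(";") if "=" in p]
    # Joining on whitespace removes header folding inside long values.
    return {t.strip(): "".join(v.split()) for t, v in parts}

def org_domain(domain):
    """ASSUMPTION: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def alignment(from_domain, signing_domain):
    """'strict' on exact match, 'relaxed' on shared org domain, else 'none'."""
    f, d = from_domain.lower().rstrip("."), signing_domain.lower().rstrip(".")
    if f == d:
        return "strict"
    return "relaxed" if org_domain(f) == org_domain(d) else "none"

def analyze(raw_message):
    """For each signature: where its key lives and how d= aligns with From:."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = signature_tags(value)
        report.append({
            "lookup": f"{tags['s']}._domainkey.{tags['d']}".lower(),
            "alignment": alignment(from_domain, tags["d"]),
        })
    return report

if __name__ == "__main__":
    for row in analyze(RAW):
        print(row)
```

A signature reported as "relaxed" satisfies DMARC only when the policy allows relaxed DKIM alignment (the default, adkim=r); "none" means that signature cannot contribute to a DMARC pass even if it verifies.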