DKIM checker

Look up the DKIM key for any domain

Enter a domain with the DKIM selector your sending platform uses, or leave the selector blank and the tool will probe common provider selectors automatically. See the published public key and whether it is valid or revoked.

Check DKIM key

This reads public DNS records. It does not confirm that an individual mailbox exists or can receive mail.

Enter a domain to see live DNS results here. Nothing is stored, and the lookup runs against public DNS only.

Verify a whole list, not just DNS

DNS records tell you whether a domain is configured for mail. Verifly checks each address for deliverability, disposable domains, role accounts, and catch-all behavior.

Verify a whole list with 100 free credits

What is DKIM?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing mail. Receivers fetch your public key from DNS and use it to confirm the message was really sent by your domain and was not altered in transit.

The public key lives at selector._domainkey.yourdomain, where the selector is chosen by your sending platform.

Why selectors matter

Unlike SPF and DMARC, DKIM records are not at a fixed DNS name. You must know the selector, which differs per provider: Google uses google, Microsoft 365 uses selector1, Mailchimp uses k1, and so on.

If you do not know the selector, this tool probes the most common ones, but the authoritative source is always your sending platform's DNS setup page.

How DKIM signing actually works

When your mail server sends a message, it hashes selected headers and the body, signs that hash with a private key, and attaches the result as a DKIM-Signature header. The matching public key is published in DNS. A receiving server reads the s= (selector) and d= (domain) tags from the signature, fetches selector._domainkey.domain, and recomputes the hash. If it matches, the signature is valid and the message is provably unaltered.

Because the private key never leaves your sending platform, a valid DKIM signature is strong evidence the mail is authentic. That is why mailbox providers weight DKIM heavily alongside SPF and DMARC when deciding inbox placement.

Reading the DKIM record fields

A published DKIM record is a TXT record with tagged values. The two that matter most for troubleshooting are k= (key type, almost always rsa) and p= (the base64 public key). An empty p= means the key has been revoked, so signatures for that selector will fail.

Modern setups often use 2048-bit RSA keys, which are too long for a single 255-character TXT string and must be split into concatenated chunks. If your provider dashboard shows a working key but this tool reports nothing, a bad split or a missing chunk in your DNS zone is the usual cause.

Common DKIM pitfalls

The most frequent failure is a selector mismatch: you rotate keys or switch providers, DNS still serves the old selector, and new mail is signed with a selector that has no published key. Always confirm the live selector in outbound mail headers, not just in your provider setup page.

Other traps include copying the key with a stray space, publishing at the wrong host (adding your domain twice), or forgetting that subdomains need their own DKIM records. DKIM alone does not stop spoofing of your visible From address; only DMARC ties DKIM and SPF back to the domain a recipient sees. Once your records look right, run the domain health checker to confirm MX, SPF, and DMARC line up too.

Frequently asked questions

What is a DKIM selector and where do I find mine?

A selector is a label that points to one specific DKIM key in your DNS, letting a domain publish several keys at once. Find yours in the DKIM-Signature header of a sent message (the s= tag) or on your sending platform's authentication setup page. Common ones are google, selector1 and selector2 for Microsoft 365, and k1 for several ESPs.

Why does my DKIM check return no record?

Either the selector you entered is wrong, the record is published at the wrong DNS host, or a 2048-bit key was split incorrectly across TXT chunks. Confirm the exact selector from a real sent message, then verify the record lives at selector._domainkey.yourdomain.

Does DKIM stop email spoofing on its own?

No. DKIM proves a message was signed by a key for the signing domain and was not altered, but it does not require the visible From address to match. DMARC is what ties a passing DKIM or SPF result to the domain the recipient actually sees, so you need all three configured.

What does an empty p= value mean?

An empty p= tag means the key has been revoked. The selector still exists in DNS but no longer carries a usable public key, so any message signed with it will fail DKIM verification. Publish a fresh key and update your sender to sign with the new selector.

How often should I rotate DKIM keys?

Rotating keys every few months to once a year is good hygiene, and many providers automate it. During rotation keep the old selector published until all mail signed with it has cleared, then remove it to avoid leaving stale keys that could be misused.

Can I verify a whole list of sending domains at once?

This tool checks one domain and selector at a time. To verify deliverability signals across many addresses or domains, use the Verifly API at https://verifly.email/api/v1 with a vf_ Bearer key, which returns disposable, role, catch-all, and SMTP flags in bulk.

Embed this dkim checker on your site

Drop this snippet into any page to add a live, self-contained checker. It links back to Verifly, costs nothing, and needs no API key.

<iframe
  src="https://verifly.email/tools/embed/dkim-checker"
  width="100%" height="680"
  style="border:0;border-radius:12px;max-width:760px"
  title="DKIM Checker by Verifly"
  loading="lazy"></iframe>
<p style="font:13px sans-serif">
  Free <a href="https://verifly.email/tools/dkim-checker">DKIM Checker</a> by
  <a href="https://verifly.email">Verifly email verification</a>
</p>

Related tools

Verify a whole list, not one address at a time

Create a free Verifly account for 100 credits, then verify in bulk over CSV, the REST API, or the hosted MCP server for AI agents.

Start with 100 free credits