What Is a DKIM Record?
A DKIM record (DomainKeys Identified Mail) is a DNS TXT record that contains a public cryptographic key used to verify email signatures. When an email is sent, the sending server creates a digital signature using a private key, which is added to the email headers. The receiving server performs a DKIM check by querying DNS for the corresponding public key and verifying the signature, ensuring the message was not altered in transit and genuinely originated from the claimed domain.
Our free DKIM checker goes beyond basic DKIM lookup. It automatically scans 65+ common selectors (google, default, selector1, selector2, dkim, s1, s2, k1, and more) to find your DKIM record. It then parses every tag, evaluates key type (RSA or Ed25519), checks key size strength, detects testing mode, and runs 10 validation checks to give you a comprehensive DKIM health score. Whether you're setting up a new email service, rotating keys, or troubleshooting delivery issues, this tool provides complete DKIM record validation in seconds.
How to Check DKIM Record (3 Methods)
There are several ways to check DKIM records for any domain. Our online DKIM checker is the fastest method with automatic selector detection, but command-line tools also work if you know the selector.
dig google._domainkey.example.com TXT +short replacing "google" with the selector and "example.com" with your domain. This returns the raw DKIM record but requires you to know the selector. For all DNS records, use our DNS Lookup tool.DKIM-Signature: header. The s= value is the selector and d= is the signing domain. Then use our DKIM checker with that selector for full validation.DKIM Record Tags — Complete Reference
DKIM records use tags to define the public key configuration. Here are all the tags you may encounter when you check DKIM records:
Must be v=DKIM1. Identifies the record as a DKIM public key. Required for proper identification.
Base64-encoded public key. Required. An empty p= means the key has been revoked.
Cryptographic algorithm: rsa (default, most common) or ed25519 (modern, compact).
Hash algorithm for signing: sha256 (recommended) or sha1 (deprecated, weak).
t=y enables testing mode. t=s requires exact domain match. Remove y for production.
Service type: * (all services, default) or email (email only). Most records use the default.
Our 10 DKIM Validation Checks
DKIM Best Practices
SPF vs DKIM vs DMARC — Email Authentication Explained
DKIM is one pillar of email authentication. Together with SPF and DMARC, it forms a complete defense against email spoofing and phishing. Here's how they compare:
What: Verifies the sending server's IP is authorized
How: DNS TXT record listing allowed IPs
Checks: Envelope sender (Return-Path)
What: Verifies the message wasn't tampered with
How: Cryptographic signature in email headers
Checks: Message integrity + signing domain
What: Ties SPF + DKIM together with a policy
How: DNS TXT record with enforcement rules
Checks: From header alignment with SPF/DKIM
Related Email & DNS Tools
Check SPF records, count DNS lookups, and resolve include chains.
Check DMARC policy, reporting settings, and alignment mode.
Check MX records and detect email providers for any domain.
Check all DNS record types (A, AAAA, CNAME, MX, TXT, and more).
Run 17 DNS health checks including SPF and DMARC validation.
Check if your mail server IP is blacklisted on major RBLs.