DKIM Record Checker

Verify your DKIM public key record, selector configuration, and signing policy to ensure your emails are properly authenticated and not susceptible to tampering.

How to Use the DKIM Record Checker

  1. Enter your domain name in the scanner.

  2. Navigate to the DKIM tab in the Email Trust Console.

  3. Enter your DKIM selector (e.g. 'default', 'google', 'mail').

  4. Review the public key, key length, and policy analysis.

DKIM Record Checker — Frequently Asked Questions

What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to outgoing emails. Receiving servers verify this signature against a public key published in your DNS.
What is a DKIM selector?
A DKIM selector is a subdomain prefix used to locate the DKIM public key in DNS. For example, if your selector is 'google', the key is published at google._domainkey.yourdomain.com.
What key length should my DKIM use?
A minimum of 2048-bit RSA keys is recommended. Older 1024-bit keys are considered weak and should be rotated. Ed25519 keys offer strong security with smaller key sizes.
Why is DKIM failing even though I have a record?
Common causes include: key mismatch (public and private keys don't match), incorrect selector, the record was recently changed and hasn't propagated, or the sending server isn't configured to sign.
How often should I rotate DKIM keys?
Security best practices recommend rotating DKIM keys every 6–12 months, or immediately after a suspected compromise.