📚 What Is a DKIM Record?
DKIM (DomainKeys Identified Mail), defined in RFC 6376, is an email authentication method that adds a cryptographic signature to an outgoing message's headers. The signature is generated with a private key on the sending mail server and can be verified by any receiving server using the matching public key, which the domain publishes in DNS as a TXT record at selector._domainkey.domain.
Unlike SPF, which only checks the sending IP, DKIM proves two things at once: the message content and key headers were not altered in transit, and whoever signed it had access to the domain's private key — a strong signal of legitimacy that also survives forwarding, which breaks SPF.
⚙️ How DKIM Verification Works
1️⃣ Sign
The sending server hashes selected headers and the message body, then signs the hash with its private key and adds the result as a DKIM-Signature header.
2️⃣ Publish
The domain owner publishes the corresponding public key as a DNS TXT record at selector._domainkey.domain — this is exactly what this tool queries.
3️⃣ Receive
The receiving server reads the s= and d= tags from the DKIM-Signature header to know which selector and domain to look up.
4️⃣ Verify
It fetches the public key from DNS and uses it to check the signature against a fresh hash of the received message. A match means DKIM pass.
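The Receive step above, as an added example (not code from this tool): it unfolds each DKIM-Signature header of a raw message, reads d= and s=, and builds the DNS name a verifier would query, plus a strict comparison of d= with the From: domain. The message, domains and selectors are constructed, and `parse_tags` and `dkim_lookups` are names chosen for this sketch.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; domains, selectors and signature values are made up.
RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "\td=mail.example.com; s=sel2024; h=from:to:subject;\r\n"
    "\tbh=AAAA; b=BBBB\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=k1;\r\n"
    " h=from:subject; bh=CCCC; b=DDDD\r\n"
    "From: Alice <alice@example.com>\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)

def parse_tags(value):
    """Split an RFC 6376 tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def dkim_lookups(raw_message):
    """One entry per DKIM-Signature header: DNS name to query and strict alignment."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        if not d or not s:
            continue  # without both d= and s= there is no key record to look up
        results.append({
            "query": f"{s}._domainkey.{d}",
            "strict_aligned": d == from_domain,
        })
    return results
```

The first signature fails the strict comparison because d= is a subdomain of the From: domain; relaxed alignment compares organizational domains, which needs a public suffix list and is left out here.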
📋 DKIM Tag Reference
🔑 Common Selectors by Provider
If a lookup returns no record, the selector is usually wrong rather than DKIM being unset. Try these common defaults:
🛡️ Use Cases for DKIM Lookup
📧 Email Deliverability Troubleshooting
A missing or misconfigured DKIM record is a common reason legitimate email lands in spam. Verify the record matches what your sending platform expects before opening a support ticket.
🔄 Key Rotation Verification
After rotating DKIM keys, confirm the new selector resolves correctly and the old one is either still valid during transition or properly revoked (empty p=).
🔐 Security Audits
Security teams check whether a domain publishes weak (1024-bit) keys, still-active old selectors that should have been retired, or unusual key types worth investigating.
📈 DMARC Alignment Checks
Confirm the d= domain in your DKIM signature aligns with your From: domain — required for DMARC's DKIM alignment check to pass under strict mode.
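For the key rotation and audit checks above, an added example (not this tool's code) that joins the quoted strings of a TXT answer, parses the tags, and classifies the key as revoked, weak, ok or invalid by reading the RSA modulus length out of the DER in p=. The function names are chosen here, and `sample_record` builds constructed records with a dummy modulus rather than a real key.

```python
import base64

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, pos, _ = _tlv(spki, 0)                     # outer SEQUENCE
    _, _, alg_end = _tlv(spki, pos)               # AlgorithmIdentifier, skipped
    _, bits_start, _ = _tlv(spki, alg_end)        # BIT STRING
    _, seq_start, _ = _tlv(spki, bits_start + 1)  # past unused-bits byte: RSAPublicKey
    _, m_start, m_end = _tlv(spki, seq_start)     # INTEGER modulus
    return int.from_bytes(spki[m_start:m_end], "big").bit_length()

def audit_dkim_record(txt_strings):
    """Join the TXT strings, parse the tags, classify the key."""
    record = "".join(txt_strings)  # DNS strings concatenate with no separator
    parts = (p.partition("=") for p in record.split(";"))
    tags = {n.strip(): "".join(v.split()) for n, sep, v in parts if sep}
    key_type, bits, status = tags.get("k", "rsa"), None, "ok"
    if "p" not in tags:
        status = "invalid"   # p= is required in a key record
    elif tags["p"] == "":
        status = "revoked"   # empty p= revokes the key
    elif key_type == "rsa":
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
            status = "ok" if bits >= 2048 else "weak"
        except (ValueError, IndexError):
            status = "invalid"   # bad base64 or truncated DER
    return {"status": status, "key_type": key_type, "bits": bits}

def _der(tag, body):
    n = len(body)
    k = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed sample: valid SPKI framing around a dummy modulus, not a usable key."""
    rsa = _der(0x30, _der(0x02, b"\x00" + b"\xc3" * (bits // 8)) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()
    return [record[i:i + 255] for i in range(0, len(record), 255)]
```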
🔗 More Ways to Investigate Email Authentication
Check the sending policy with SPF Lookup, confirm mail routing with MX Lookup, or run a full validation with Email Checker. New to DKIM? Start with What Is DKIM?, then read the complete picture in SPF vs DKIM vs DMARC. Also see our Website Security Checklist for the full audit picture beyond just email.
What is a DKIM record?
DKIM (DomainKeys Identified Mail) is an email authentication method defined in RFC 6376. It adds a cryptographic signature to outgoing mail headers, and receiving servers verify it against a public key published in DNS.
What is a DKIM selector?
A selector is a label letting a domain publish multiple DKIM keys at different DNS locations (selector._domainkey.domain). The selector used is included in the DKIM-Signature header's s= tag.
How do I find my DKIM selector?
Open a sent email's raw headers and find the DKIM-Signature header — the s= tag is the selector. Without a sample email, try common provider selectors like google, selector1, or k1.
What does v=DKIM1 mean?
v=DKIM1 is the version tag identifying the record as a DKIM public key. It's optional per RFC 6376 but recommended and expected as the first tag by most receivers.
What is the p= tag?
p= holds the base64-encoded public key used to verify signatures. An empty p= means the key has been revoked — mail signed with it will now fail DKIM.
What does an empty p= tag mean?
An empty p= is the standard way to revoke a key while keeping the record in place, typically done during key rotation or when decommissioning a sending source.
What key types does DKIM support?
k= specifies the algorithm. rsa is default and most widely supported. ed25519 (RFC 8463) is newer, smaller, and faster but not yet universally validated by receivers.
What is the minimum safe DKIM key size?
1024-bit RSA is weak and deprecated — some receivers reject it. 2048-bit is the current recommended minimum; some providers use 4096-bit for extra margin.
What is the h= tag?
h= restricts acceptable hash algorithms, typically sha256. If absent, all hash algorithms the receiver supports are accepted — sha256 is now the de facto standard.
What is the difference between SPF, DKIM, and DMARC?
SPF authorizes sending IPs. DKIM cryptographically signs the message to prove integrity and origin. DMARC ties both together and tells receivers what action to take when either fails.
Why does my domain need multiple DKIM selectors?
Multiple selectors let you run several sending sources at once, each with its own key, and rotate keys without downtime by publishing a new selector before retiring the old one.
Why is my DKIM lookup returning no record?
Usually the selector is wrong. Check a sent email's DKIM-Signature header for the exact s= value, or try common selectors for your provider from the reference table above.
Can a DKIM record span multiple DNS strings?
Yes — TXT records are limited to 255 characters per string, and 2048-bit RSA keys often exceed that. DNS lets one record contain several quoted strings concatenated in order; this tool reconstructs them automatically.
Does DKIM alone stop email spoofing?
No. DKIM proves a message wasn't altered and was signed by a key the domain published, but it doesn't stop unsigned spoofed mail. Full protection requires DMARC with an enforcement policy.
How do I add a DKIM record?
Generate a key pair with your provider or OpenSSL, publish the public key as a TXT record at selector._domainkey.yourdomain.com with value v=DKIM1; k=rsa; p=<key>, and keep the private key on your mail server.
Is DKIM Lookup free?
Yes — completely free, unlimited lookups, no sign-up needed. Queries go through Google's public DNS-over-HTTPS resolver and results appear instantly.