Free Email Tool

DKIM Record Checker

Retrieve and validate the DKIM public key record for any domain and selector.

Enter a domain and DKIM selector to retrieve and validate the public key record. Uses Google DoH with Cloudflare fallback.

Finding your selector

Send a test email to Gmail, open it, click More > Show original. Find the line starting with DKIM-Signature: and look for s=yourselector. Or use our DKIM Key Generator to create a new key pair.

DKIM Record Checker: Validate Your Email Signing Keys

DKIM (DomainKeys Identified Mail) is one of the three pillars of email authentication alongside SPF and DMARC. It uses public-key cryptography to create a digital signature on outgoing messages that receiving mail servers can verify. When DKIM passes, the receiving server can confirm the message was authorized by the domain owner and hasn't been tampered with in transit. Gmail, Outlook, and Yahoo all use DKIM as a factor in spam scoring and deliverability.

How DKIM Works: Keys, Selectors, and DNS

DKIM operates through an asymmetric key pair. The private key lives on your mail server and signs each outgoing message, adding a DKIM-Signature header. The public key is published as a TXT record in your DNS at selector._domainkey.yourdomain.com. When a receiving server wants to verify a signed message, it extracts the selector from the DKIM-Signature header, looks up the public key in DNS, and uses it to verify the signature.

The selector is a label that lets a domain publish multiple DKIM keys simultaneously — useful for using different keys per sending service, rotating keys without downtime, or managing multiple ESPs. Selectors like google, default, k1, and cse-2048 are common. To find yours, view the raw headers of a sent message and look for s= in the DKIM-Signature line.

RSA vs Ed25519: Choosing the Right Algorithm

RSA 2048-bit is the current standard and is universally supported across all mail servers, spam filters, and ESPs. It provides strong security and is the right choice for most senders. RSA 4096-bit provides higher security but creates longer TXT records that can approach DNS UDP packet size limits — some DNS providers truncate long TXT records, causing DKIM failures. Ed25519 is a modern elliptic curve algorithm producing short keys with strong security, but isn't yet supported by all mail server implementations. For new deployments, RSA 2048 is the safe choice.

Common DKIM Problems and How to Diagnose Them

  • Record not found — Verify selector name (from the DKIM-Signature header of a sent message), check DNS propagation, and confirm the record host format: selector._domainkey.domain.com
  • Missing v=DKIM1 — The record was published incorrectly or doesn't start with the required version tag. Regenerate and republish the record.
  • Revoked key (empty p=) — Someone deliberately or accidentally set p= to empty. This revokes the key. The receiving server will fail DKIM for all messages signed with the corresponding private key. Republish the public key immediately.
  • DKIM passes but still goes to spam — DKIM passing is necessary but not sufficient. Check SPF, DMARC, IP blacklist status, and complaint rates. DKIM alone doesn't guarantee inbox placement.
  • DKIM fails for forwarded messages — This is expected behavior. Email forwarding breaks DKIM signatures because the message is re-transmitted from a different server. This is why DMARC with SPF alignment matters for forwarded mail.
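
The lookup described under "How DKIM Works" and the record checks in the list above, as an added Python example (not this site's checker code): `query_name` builds the DNS name from a DKIM-Signature value and `check_record` classifies a TXT record. All function names and sample values are assumptions for illustration; the sample key is constructed DER framing around a placeholder modulus, and RSA keys are assumed to be published as DER SubjectPublicKeyInfo.

```python
import base64

def parse_tags(value: str) -> dict:
    """Split a 'tag=value; tag=value' list; whitespace and folding are dropped."""
    pairs = (item.split("=", 1) for item in value.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def query_name(dkim_signature: str) -> str:
    """DNS name a verifier queries, built from the s= and d= signature tags."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def der_tlv(buf: bytes, pos: int, want: int):
    """Read one DER element of type `want`; return (content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want or pos + length > len(buf):
        raise ValueError("malformed DER")
    return pos, pos + length

def rsa_bits(spki: bytes) -> int:
    """Modulus size of an RSA SubjectPublicKeyInfo, the DER carried in p=."""
    start, _ = der_tlv(spki, 0, 0x30)          # outer SEQUENCE
    _, alg_end = der_tlv(spki, start, 0x30)    # AlgorithmIdentifier, skipped
    bits, _ = der_tlv(spki, alg_end, 0x03)     # BIT STRING wrapping the key
    seq, _ = der_tlv(spki, bits + 1, 0x30)     # +1 skips the unused-bits byte
    n_start, n_end = der_tlv(spki, seq, 0x02)  # INTEGER modulus
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()

def check_record(txt: str) -> str:
    """Classify a DKIM TXT record by the failure modes in the list above."""
    tags = parse_tags(txt)
    if list(tags)[:1] != ["v"] or tags["v"] != "DKIM1":
        return "missing v=DKIM1"
    if not tags.get("p"):
        return "revoked (empty p=)" if "p" in tags else "no p= tag"
    try:
        key = base64.b64decode(tags["p"], validate=True)
        if tags.get("k", "rsa") == "ed25519":  # raw 32-byte key, no DER wrapper
            return "ok ed25519" if len(key) == 32 else "bad ed25519 key length"
        return f"ok rsa-{rsa_bits(key)}"
    except (ValueError, IndexError):
        return "p= is not a parseable key"
# Constructed sample: real SPKI framing around a placeholder 2048-bit modulus.
_HDR = "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
SAMPLE_SPKI = bytes.fromhex(_HDR) + b"\xc3" * 256 + bytes.fromhex("0203010001")
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_SPKI).decode()
```

Calling `check_record(SAMPLE_RECORD)` reports the key type and modulus size; pass it the TXT value returned for the name that `query_name` produces from a real header.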

DKIM and Google/Yahoo 2024 Sender Requirements

In February 2024, Google and Yahoo mandated DKIM for all bulk senders (those sending more than 5,000 messages per day to Gmail). DKIM must be configured at the same domain as the From address. Senders failing DKIM authentication face deferral and potential permanent blocking. Microsoft followed with similar requirements for Outlook.com and Hotmail.

DKIM Key Rotation Best Practices

DKIM keys should be rotated annually, or immediately if you suspect compromise. The rotation process: generate a new key pair (use our DKIM Key Generator), publish the new public key at a new selector (e.g. cse-2025), configure your mail server to sign with the new private key, wait 48 hours for DNS propagation, then revoke the old key by setting its p= tag to empty. Never delete the old record immediately — wait for TTL to expire and caches to clear.

Can I have multiple DKIM records for the same domain?

Yes — this is a key feature of the DKIM design. Each selector creates a separate record at a different DNS name. You can have google._domainkey for Google Workspace, cse-2048._domainkey for your dedicated infrastructure, and sendgrid._domainkey for transactional email — all active simultaneously.

Does DKIM encrypt my email?

No. DKIM signs the message to prove authenticity and integrity — it doesn't encrypt content. The message body is still transmitted in cleartext (unless TLS is used at the transport layer). DKIM proves the message was sent by an authorized server and hasn't been modified, but a passive observer on the network can still read the content.

Generate DKIM keys instantly

Use our browser-based DKIM Key Generator to create RSA 2048, 4096 or Ed25519 key pairs. Keys are generated locally — nothing sent to our servers.