DKIM Record Check

    DKIM Record Checker

    Use the DKIM record checker to validate
    your DKIM records

    DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of the sending domain. It works together with DMARC (and SPF).

    In order to implement DKIM you will need to have a valid DKIM record. You can use our DKIM Record Checker to check your DKIM record. A DKIM Record Checker or DKIM Analyzer tool will test the domain name and selector for a valid published DKIM record. DKIM authenticates the reputation and identity of the sender. We strongly recommend you to carefully test any updates to your DKIM records before applying them.

    Protected by reCAPTCHA. Google Privacy Policy and Terms of Service apply.

    Your results

    Your DNS record is:

    Your DNS record is:


    Your selector is:


    Your domain is:

    Full DKIM Record

    Key Length

    Most ESPs use 1024-bit keys by default, but companies like Google use 2048-bit keys. We recommend 1024 or higher.

    We have detected that the key length you use is

    Declared tags

    Tag Value Description

    Defaulted tags

    Tag Value Description
    Tag Value Description
    v DKIM protocol version.
    g * Some organizations assign specific business functions to discrete groups, inside or outside the organization. This key is to authorize that group to sign some mail, but to constrain what signatures they can generate. The DKIM granularity (the 'g=' tag) facilitate this kind of restricted authorization.
    h The 'h=' tag provide a list of mechanisms that can be used to produce a digest of message data. ('sha1' or 'sha256' can be used).
    k The 'k=' tag provide a list of mechanisms that can be used to decode a DKIM signature. ('rsa' is used most often).
    n Notes that might be of interest to a human.
    p Your base64 encoded public key.
    s * The 's=' provides a list of service types to which this selector may apply. ('*' and 'email' are used most often).
    t The 't=' tag provides a list of flags to modify interpretation of the selector. These DKIM Selector Flags for additional flags are optional. ('y' and 's' are often used).
    l 0 Body length limits (in the form of the 'l=' tag) are subject to several potential attacks.
    q The 'q=' tag-spec provides for a list of query methods. ('dns' is used most often)

    Would you like your results emailed to you?

    Thank you.

    Check your email for details on your request.

    About DKIM

    More information about DKIM

    DKIM allows organizations to authenticate emails, thus protecting email traffic. This technique signs emails with a key, allowing the recipient to verify that the message has not been modified along the way. This type of verification is an important part of DMARC protection.

    Using the DKIM record checker

    The DKIM checker verifies the presence and validity of a DKIM record. Enter the domain and selector to check the domain’s DKIM record.

    DKIM Selector: The DKIM selector is specified in the header of the DKIM signature and indicates where the public key portion of the DKIM key pair exists in DNS.

    Domain to verify: The domain for which the DKIM record is to be checked.

    DKIM part of the DMARC protection

    DMARC only works if SPF and DKIM are set up correctly. Mimecast DMARC Analyzer can be used to generate DMARC reports containing detailed information about who is sending email on your behalf.

    How DKIM authentication works

    With DKIM, the sending server signs an email with a key. This includes the body and a number of important headers, such as From, To, the subject, and the date. This “signature” is added as an extra header so that receiving mail servers can verify it.

    The public part of the key is published in the DNS zone of the sending domain. By using the public key and the signature in the message, the receiving party can verify that the message arrived as it was sent, without modification.

    These keys can be found as TXT records or CNAME records in the form selector._domainkey. Thus, a domain can contain multiple keys. This is useful if there are multiple senders — such as Google Workspace or Microsoft Office 365 — in addition to the regular email with the hosting package.

    Utilisez l'analyseur DMARC pour protéger votre marque contre l'usurpation de domaine !

    Bénéficiez d'une visibilité totale sur tous les expéditeurs d'e-mails qui utilisent votre domaine afin de distinguer les expéditeurs légitimes des expéditeurs frauduleux et de bloquer la livraison de tout e-mail non authentifié.

    Haut de la page