
DKIM Record Lookup Tool

A DKIM (DomainKeys Identified Mail) lookup retrieves and verifies the public cryptographic key associated with a domain and selector. This helps verify that emails originating from your domain are authentic.

Validate your DomainKeys Identified Mail (DKIM) records. Verify public keys, check selectors, and ensure your emails are cryptographically signed.

The selector is found in email headers as the "s=" tag of the DKIM-Signature header.

Try using selectors like google, default, or mandrill.


What is a DKIM Record?

DKIM (DomainKeys Identified Mail) is an email authentication method designed to detect forged sender addresses in emails, a technique often used in phishing and email spam. It allows the receiver to check that an email claiming to come from a specific domain was indeed authorized by the owner of that domain.

Think of DKIM as a digital seal placed on an envelope. If the seal is broken or missing, the recipient knows the contents might have been tampered with. It uses asymmetric cryptography (public and private keys) to "sign" your emails at the source and allows receiving servers to verify that signature using a public key published in your DNS records.

How DKIM Works

1. Signing (The Private Key)

When an email is sent, your mail server creates a cryptographic hash of the email headers and body. It then signs this hash with a private key and attaches the result to the message in the DKIM-Signature header.

2. Verification (The Public Key)

The receiving server queries your domain's DNS for the public key and uses it to check the signature. Verify your key publishing with our TXT Lookup tool.

What is a DKIM Selector?

Unlike SPF or DMARC, a domain can have many different DKIM records. To tell them apart, DKIM uses a Selector. The selector is a string of text that points to a specific DKIM key in your DNS.

For example, if your selector is google, the record is stored at google._domainkey.example.com. Selectors allow you to have different keys for different services (one for Google Workspace, one for Mailchimp, etc.) or to "rotate" keys for better security without deleting the old ones immediately.

Reading the DKIM Record

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

v=DKIM1

Version tag. Must be at the beginning.

k=rsa

Key type. RSA is the most common algorithm.

p=...

The Public Key itself (Base64 encoded string).

Security Best Practices

  • Key Rotation: Rotate your DKIM keys every 6-12 months. This limits the damage if a key is ever compromised.
  • Key Length: Use at least 2048-bit keys. 1024-bit keys are increasingly vulnerable to cracking.
  • Clean Up: Delete old, unused DKIM records from your DNS to reduce your attack surface.
  • Monitor Reports: Use our DMARC Checker to see if your DKIM signatures are failing in the wild.
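
An added example (not CuscusLab's code) that applies the record layout and the key-length guidance above: it parses a DKIM TXT record, checks that v=DKIM1 comes first, and reads the RSA modulus size out of the Base64 p= value. The function names are assumptions for illustration, and constructed_record builds a DER-valid sample with a filler modulus rather than a real key; a real record would come from a TXT lookup at selector._domainkey.domain.

```python
import base64

def parse_dkim_record(txt):
    """Split a DKIM TXT record into tag=value pairs, preserving tag order."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}  # drop folding whitespace

def _tlv(buf, pos):  # read one DER element; returns (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):  # spki: DER SubjectPublicKeyInfo decoded from p=
    _, outer, _ = _tlv(spki, 0)      # outer SEQUENCE
    _, _, pos = _tlv(outer, 0)       # skip AlgorithmIdentifier
    _, bitstr, _ = _tlv(outer, pos)  # BIT STRING holding RSAPublicKey
    _, rsakey, _ = _tlv(bitstr, 1)   # byte 0 is the unused-bits count
    _, modulus, _ = _tlv(rsakey, 0)  # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(txt):
    """Return findings for one DKIM record; an empty list means no issues."""
    tags, findings = parse_dkim_record(txt), []
    if "v" in tags and (next(iter(tags)) != "v" or tags["v"] != "DKIM1"):
        findings.append("v= must be the first tag and equal DKIM1")
    if tags.get("k", "rsa") != "rsa":
        findings.append("key type is not rsa; length check skipped")
    elif not tags.get("p"):  # RFC 6376: an empty p= means the key is revoked
        findings.append("empty p=: this selector's key is revoked or missing")
    else:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
        if bits < 2048:
            findings.append(f"{bits}-bit RSA key, below the 2048-bit minimum")
    return findings

def _der(tag, body):  # encode one DER element (helper for the sample only)
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_record(bits):
    """Constructed sample: DER-valid record with a filler modulus, not a usable key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsakey = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsakey))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

The 2048-bit sample starts with the same MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA prefix as the record shown above, because that prefix is the DER header of a 2048-bit RSA key rather than key material.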

Frequently Asked Questions

How do I find my DKIM selector?

The easiest way is to look at the "DKIM-Signature" header of an email you've sent. Look for the s= tag. Common default selectors include google, default, k1, or mandrill.

What happens if DKIM fails?

Historically, DKIM failure rarely caused an email to be rejected on its own. However, with the rise of DMARC, a failing signature can now cause an email to go to spam or be rejected, depending on your domain's policy.

Can I have multiple DKIM records?

Yes! You can (and should) have different DKIM records for every external service that sends mail on your behalf. Just make sure each one uses a unique selector.

Encryption is the Future

In an era of deepfakes and advanced phishing, DKIM provides the cryptographic certainty that your message is real. Use this tool to ensure your public key is correctly published and reachable by the world.