DKIM Checker
Verify the DKIM (DomainKeys Identified Mail) public key record for a given selector and domain. DKIM ensures email hasn't been tampered in transit.
What is DKIM?
DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that an email was sent by an authorised server and was not modified in transit. The sending server signs each email with a private key; receiving servers look up the public key in DNS to verify the signature.
What is a DKIM selector?
A selector is a subdomain prefix used to publish multiple DKIM keys for the same domain. This allows different keys for different mail streams β for example, 'google._domainkey' for Google Workspace and 'mailchimp._domainkey' for campaigns. Each email's DKIM-Signature header includes an 's=' tag identifying which selector to look up.
Key length and security
1024-bit keys are now considered weak. 2048-bit keys are the current recommendation. 4096-bit keys offer maximum security but may cause issues with some DNS providers due to TXT record size limits. If your key is shorter than 1024 bits, rotating to a longer key should be a priority.
Rotating DKIM keys
Key rotation limits exposure if a private key is compromised. Most security frameworks recommend rotating annually. The process: generate new key pair, publish public key under a new selector, configure your mail server to sign with the new key, wait for DNS propagation, then remove the old key.