DKIM Key Checker — Public Key and Record Validation

The selector is an arbitrary DNS label chosen by the operator. Multiple selectors can coexist during rotation — s1 and s2 from a provider, or dated selectors from your security team. The full DNS name is selector._domainkey.domain.

Mail headers include the selector in the DKIM-Signature field. When troubleshooting received mail, copy that selector into this tool along with the From domain or signing domain (d=) to inspect the published key receivers used.

The k= tag declares the signing algorithm, commonly rsa-sha256. Our parser surfaces the declared value or unknown when absent. Key length is estimated from the base64 p= payload length — useful for spotting 1024-bit legacy keys that vendors recommend upgrading to 2048-bit or higher.

Estimation from DNS length is approximate but sufficient for quick audits. Exact cryptographic validation happens when receivers verify signatures against message bytes.

Valid DKIM TXT records include v=DKIM1 and a p= public key. Empty p= indicates revoked keys — messages should not verify until a new key publishes. t= flags and s= service types appear in advanced configurations.

Long keys may split across multiple TXT strings that DNS concatenates. Our lookup presents combined answers as returned by the resolver path.

Signing must use the private key matching the published public key. Wrong selector in the signing server, stale caching, or signing with an old key after rotation causes verification failures even when DNS looks correct.

Also confirm the signing domain aligns with From header policy and DMARC alignment rules. DKIM alone does not guarantee inbox placement.

Publish the new selector and public key in DNS first. Verify with this checker. Configure the mail platform to sign with the new private key. After deliverability confirms, remove or revoke the old p= value.

Overlap periods with two active selectors are normal. Document selectors in runbooks so incident responders know which DNS entries are safe to delete.

SPF authorizes sending IPs. DKIM proves message integrity and domain association. DMARC policy tells receivers how to handle failures and whether alignment is required. Our email deliverability checker scores all three plus MX in one pass.

Use this DKIM tool when you need deep detail on one selector; use deliverability for holistic scoring.

Treat private keys as secrets in HSMs or provider vaults. Public keys in DNS are intentionally public. Revoke compromised keys by clearing p= or removing the record after moving to a fresh selector.

Avoid oversize keys that exceed DNS UDP fragmentation limits without EDNS support — most modern hosts handle 2048-bit RSA comfortably.

Providers use branded selectors unlike the word default. Copy from their admin console, not assumptions. Trailing dots and whitespace break lookups — our handler trims selector input.

Subdomain signing uses the d= domain in headers; query the DNS zone that actually hosts the _domainkey label.

This tool does not send test email, inspect message headers, or verify signatures cryptographically. It confirms publication and parses record metadata only.

Internal DNS views may show keys external receivers cannot see if split horizon misconfigured.