DKIM Record Checker — Public Key at default._domainkey
Query default._domainkey TXT and report algorithm, key length estimate, and publication status
How to Use This Tool
- Enter the signing domain (for example example.com).
- The tool validates the hostname as a public DNS name.
- TXT records are fetched at default._domainkey.domain.
- Answers are scanned for v=DKIM1 or p= public key material.
- Algorithm and key length metadata are parsed from the record.
- Review found, host, record text, and keyLengthBits before cutover.
About This Tool
DKIM publishes a public key at selector._domainkey.domain so receivers verify message signatures. After ESP migrations, wrong selectors are the top cause of valid DNS but failing mail. VSPIC DKIM record checker calls the dkim action with the domain you enter and probes default._domainkey only — returning found, selector, host, algorithm from the k= tag, keyLengthBits estimated from base64 p= length, publicKeyLength, and the raw record string.
Unlike our email deliverability checker, this page does not auto-try alternate selectors like google or selector1 — only the default label is queried. If found is false, confirm the selector your mail platform documents and use dkim-key-checker when you need a custom selector field.
Common use cases
- View all DNS records of a domain after migration
- Confirm DNS records after domain changes
- Test for DNS leaks when using a VPN
- Debug email delivery with MX and TXT records
Why use VSPIC?
- Dedicated DKIM publication check at default selector.
- Algorithm and estimated key length for rotation planning.
- Raw record string for ticket documentation.
- Clear found boolean and constructed host label.
- Free read-only DNS query — no test email sent.
- Focused JSON without full deliverability noise.
DKIM selectors and the default label
Selectors are arbitrary DNS labels. The full host is selector._domainkey.domain. Many platforms use default, google, selector1, or s1 — never assume without vendor documentation.
This checker queries default only because the form supplies a domain field without selector input. Microsoft 365 and Google often use branded selectors — found false here does not prove DKIM is absent if another selector is active.
Reading found, host, and record
found true means TXT at default._domainkey contained DKIM key material. host echoes the exact label queried. record is the raw TXT string for copy into tickets.
found false means no qualifying TXT at default._domainkey. Check DKIM-Signature s= tag on a sent message or your ESP admin panel for the real selector.
Algorithm and keyLengthBits
algorithm surfaces the k= tag value, commonly rsa-sha256, or unknown when absent. keyLengthBits estimates RSA size from base64 p= payload length — useful for spotting legacy 1024-bit keys vendors want upgraded to 2048-bit.
Estimation is approximate but sufficient for quick audits. Exact validation happens when receivers verify signatures against message bytes.
When DNS looks correct but mail fails
Signing must use the private key matching the published public key. Stale caching, wrong selector on the signing server, or rotation mid-flight causes verification failures.
Also confirm d= domain alignment with DMARC policy. DKIM pass on a different domain may not satisfy alignment for the header From.
Key rotation workflow
Publish new selector and public key in DNS first. Verify with this checker or dkim-key-checker. Configure the mail platform to sign with the new private key. After deliverability confirms, revoke old p=.
Overlap with two active selectors is normal during rotation — check each selector separately.
Relationship to dkim-key-checker
dkim-key-checker accepts a custom selector field and uses the same dkim API action. Use this page when you specifically search for a DKIM record checker and expect default selector behavior.
email-deliverability tries default then common alternates automatically — scores may show DKIM found when this page shows found false.
TXT format and revoked keys
Valid records include v=DKIM1 and p= public key. Empty p= indicates revoked keys — messages should not verify until a new key publishes. Long keys may split across multiple TXT strings concatenated by DNS.
t= and s= flags appear in advanced configs — raw record preserves them for vendor support cases.
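The parsing described under "Algorithm and keyLengthBits" and "TXT format and revoked keys", as an added example that is not VSPIC's code: it joins split TXT strings, reads the tags, and estimates key size from the base64 length alone. The function names, the revoked field and the sample records are assumptions made for illustration; the p= values are zero-filled placeholders, not real keys.

```python
import base64
import re

RSA_SIZES = (512, 1024, 2048, 3072, 4096)

def join_txt_strings(rdata):
    """Join the quoted character-strings of one TXT answer, in order, no separator."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata

def parse_tags(record):
    """Split a DKIM tag=value list on ';' (first '=' only, base64 may end in '=')."""
    tags = {}
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if sep and name.strip():
            tags.setdefault(name.strip(), value.strip())
    return tags

def estimate_key_bits(key_type, p_b64):
    """Estimate from base64 length alone; no ASN.1 parsing."""
    decoded = len(p_b64) * 3 // 4 - p_b64.count("=")
    if key_type == "ed25519":
        return 256 if decoded == 32 else None
    # An RSA p= value is a DER structure slightly larger than the modulus,
    # so take the largest common size whose modulus fits in the decoded length.
    fitting = [bits for bits in RSA_SIZES if bits // 8 <= decoded]
    return max(fitting) if fitting else None

def inspect_record(domain, rdata, selector="default"):
    record = join_txt_strings(rdata)
    tags = parse_tags(record)
    p = re.sub(r"\s+", "", tags.get("p", ""))
    return {
        "found": tags.get("v") == "DKIM1" or "p" in tags,
        "selector": selector,
        "host": f"{selector}._domainkey.{domain}",
        "algorithm": tags.get("k", "unknown"),
        # RFC 6376 treats an absent k= as rsa, so estimate on that basis.
        "keyLengthBits": estimate_key_bits(tags.get("k", "rsa"), p) if p else None,
        "publicKeyLength": len(p),
        "revoked": "p" in tags and p == "",  # added field, not in the tool's output
        "record": record,
    }

# Constructed samples: zero-filled placeholders of realistic length, not real keys.
def _filler(n_bytes):
    return base64.b64encode(bytes(n_bytes)).decode()

SAMPLES = {
    "split2048": '"v=DKIM1; k=rsa; p=%s" "%s"' % (_filler(294)[:200], _filler(294)[200:]),
    "legacy1024": '"v=DKIM1; p=%s"' % _filler(162),
    "revoked": '"v=DKIM1; k=rsa; p="',
}
```

Calling inspect_record("example.com", SAMPLES["revoked"]) returns found true with revoked true and no key length, which is the case where the record text has to be read rather than the boolean trusted.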
Security hygiene
Private keys stay on mail servers or HSMs. Public keys in DNS are intentionally public. Revoke compromised keys by clearing p= or removing the record after moving to a fresh selector.
Do not paste private keys into DNS — only public material belongs in TXT.
API action dkim
GET /ip-tools/api/extended?action=dkim&domain=example.com queries default._domainkey. Optional selector parameter exists in API but this form does not expose it — use dkim-key-checker for custom selectors.
Automate default-selector checks after DNS Terraform applies for platforms that standardize on default.
Privacy and responsible use
DKIM TXT is public. Query sending domains you own or administer. We do not permanently store searches.
Record exports reveal mail infrastructure choices — handle JSON carefully.
Important notes & limitations
- Queries default selector only — no selector input on this form.
- Does not try google, selector1, or other common alternates.
- Does not cryptographically verify signatures on live messages.
- keyLengthBits is estimated from base64 length, not ASN.1 parse.
- Empty p= may show found with revoked-key implications — read record text.
Frequently Asked Questions
Yes. VSPIC offers this DKIM record checker at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
This form has a domain field only. The dkim action defaults to default._domainkey. Use dkim-key-checker for custom selectors.
email-deliverability tries alternate selectors like google when default is empty. Your live selector may not be default.
2048-bit RSA is widely recommended. 1024-bit may still verify but plan upgrades. keyLengthBits estimates from published material.
No. Only DNS publication and record metadata. Send test mail and read Authentication-Results for live verification.
The key is revoked or placeholder. Signing should use a different selector with valid p= material.
dkim with domain parameter and implicit default selector.
Next step for your check
Continue with dkim key checker on VSPIC.
Related Tools
Explore more free VSPIC tools for IP, DNS, security, and network diagnostics.
- DKIM Key Checker: Validate DKIM public key, algorithm, and key length
- SPF Record Checker — free online tool
- DMARC Record Checker — free online tool
- Email DNS Health Check — free online tool
- DNS Lookup Tool — DNS Checker: Free DNS lookup tool and DNS checker — query A, AAAA, MX, TXT, NS, CNAME, and SOA records for any domain.
- Reverse DNS Lookup: Resolve IP addresses to hostnames via PTR records