Guide
This free DKIM checker looks up the public key record at <selector>._domainkey.<domain>, reads the key type and strength, and flags problems like revoked keys, weak 1024-bit RSA, or test-mode flags. If you don't know your selector, it scans the selectors used by major providers.
How to check a DKIM record
- Enter a domain (e.g.
example.com). - Enter the selector if you know it, or leave it empty to scan common ones — found selectors appear as buttons you can click to run the full check.
- Read the verdict: the raw key record, the key type and bit length, each tag explained, and a list of errors and warnings.
Common selectors by provider
| Provider | Selector(s) |
|---|---|
| Google Workspace | google |
| Microsoft 365 | selector1, selector2 |
| SendGrid | s1, s2 |
| Mailchimp / Mandrill | k1, k2, k3 |
| Fastmail | fm1, fm2 |
| Others | default, dkim, mail, smtp are common fallbacks |
If none of these match, check your provider's DNS setup guide, or open a message you sent and read the s= tag inside its DKIM-Signature header.
What the checker validates
| Check | Why it matters |
|---|---|
| Record exists at the selector | Without it, receivers cannot verify your signatures |
p public key present and valid base64 | An empty p means the key was revoked; garbage fails verification |
| RSA key size (parsed from the key) | Under 1024 bits is rejected; 1024 bits is weak — 2048 is the standard |
t=y test mode | Some receivers ignore DKIM failures for test keys |
h hash algorithms | A key that disallows sha256 breaks modern rsa-sha256 signatures |
| Tag syntax | Unknown tags and invalid versions are flagged |
Example
Checking example.com with selector google queries google._domainkey.example.com and might return v=DKIM1; k=rsa; p=MIIBIjANBgkq…. The tool parses the key and reports "RSA 2048 bit" with no issues — a healthy DKIM setup.
Check SPF and DMARC too
DKIM proves a message wasn't altered, but on its own it doesn't tell receivers what to do with unsigned spoofed mail. Pair it with the SPF checker and DMARC checker.
Limitations
- The selector scan covers common provider selectors only; custom selectors must be entered manually.
- The tool checks the published key record, not whether your outgoing mail is actually signed with it.


