DKIM checker

Email tools

Look up a domain's DKIM public key record, read the key type and strength, and catch revoked or weak keys. No selector? The tool scans common provider selectors for you.

Guide

This free DKIM checker looks up the public key record at <selector>._domainkey.<domain>, reads the key type and strength, and flags problems like revoked keys, weak 1024-bit RSA, or test-mode flags. If you don't know your selector, it scans the selectors used by major providers.

How to check a DKIM record

  1. Enter a domain (e.g. example.com).
  2. Enter the selector if you know it, or leave it empty to scan common ones — found selectors appear as buttons you can click to run the full check.
  3. Read the verdict: the raw key record, the key type and bit length, each tag explained, and a list of errors and warnings.

Common selectors by provider

ProviderSelector(s)
Google Workspacegoogle
Microsoft 365selector1, selector2
SendGrids1, s2
Mailchimp / Mandrillk1, k2, k3
Fastmailfm1, fm2
Othersdefault, dkim, mail, smtp are common fallbacks

If none of these match, check your provider's DNS setup guide, or open a message you sent and read the s= tag inside its DKIM-Signature header.

What the checker validates

CheckWhy it matters
Record exists at the selectorWithout it, receivers cannot verify your signatures
p public key present and valid base64An empty p means the key was revoked; garbage fails verification
RSA key size (parsed from the key)Under 1024 bits is rejected; 1024 bits is weak — 2048 is the standard
t=y test modeSome receivers ignore DKIM failures for test keys
h hash algorithmsA key that disallows sha256 breaks modern rsa-sha256 signatures
Tag syntaxUnknown tags and invalid versions are flagged

Example

Checking example.com with selector google queries google._domainkey.example.com and might return v=DKIM1; k=rsa; p=MIIBIjANBgkq…. The tool parses the key and reports "RSA 2048 bit" with no issues — a healthy DKIM setup.

Check SPF and DMARC too

DKIM proves a message wasn't altered, but on its own it doesn't tell receivers what to do with unsigned spoofed mail. Pair it with the SPF checker and DMARC checker.

Limitations

  • The selector scan covers common provider selectors only; custom selectors must be entered manually.
  • The tool checks the published key record, not whether your outgoing mail is actually signed with it.

Operated by

Turnint AI
unbounded pioneering inc

Turnint AI Tools is a suite of free tools built and operated by unbounded pioneering inc, the company behind the Turnint AI agent platform.

Ryosuke Suzuki
Ryosuke SuzukiFounder & CEO

Founder & CEO of Unbounded Pioneering Inc., the company behind the Turnint AI agent platform, and an expert in machine learning and AI product development. He began his career in machine learning research at a university laboratory, then designed and built large-scale products as a software engineer at PLAID, Rakuten, and Recruit, while also driving new business development. Now specializing in generative AI and AI agents, he works across both engineering and business development, and is a named inventor on multiple granted patents in web technology.

Named inventor on granted patents JP6887648 & JP7480958 · Patent pending on Turnint AI technology

Get in touch

Thanks for reaching out

Thank you for your interest in our company. A member of our team will get back to you within one business day.

What we can help with

  • Adopting and getting the most out of Turnint AI
  • A demo or trial of Turnint AI
  • AI adoption in general (beyond our own product, too)
  • Alliances and partnerships
  • Any other questions

Talk to us online

You can also book a meeting directly from the calendar.

Pick a template or write your own message.