DKIM Record Checker
Checks DKIM selectors for your domain by testing 20 common selectors (google, selector1, mail, k1, sendgrid, etc.). Shows key type, estimated key length, hash algorithms. Flags 1024-bit weak keys and revoked keys.
How to Use DKIM Record Checker
- 1Enter your domain name — the tool automatically tests 20 common DKIM selectors.
- 2Or enter specific selectors used by your email service provider.
- 3Found DKIM records show key type, estimated bit length, and hash algorithms.
- 4Weak 1024-bit keys and revoked keys (empty p=) are flagged as issues.
Zenovay
Track your website performance
Real-time analytics, session replay, heatmaps, and AI insights. 2-minute setup, privacy-first.
Related Tools
Password GeneratorGenerate strong, random passwords with customizable length, characters, and complexity.
Password Strength CheckerCheck how strong your password is. Get an estimated crack time and improvement suggestions.
HMAC GeneratorGenerate HMAC signatures using SHA-256, SHA-384, or SHA-512 with the Web Crypto API.
AES Encryption/DecryptionEncrypt and decrypt text using AES-GCM with PBKDF2 key derivation. Runs entirely in your browser.
Frequently Asked Questions
What is DKIM and how does it work?▾
DKIM (DomainKeys Identified Mail, RFC 6376) adds a cryptographic signature to outgoing emails. The sending mail server signs the email headers and body with a private key. The public key is published as a DNS TXT record at {selector}._domainkey.{domain}. Receiving servers look up the public key to verify the signature. This proves: (1) The email was sent by a server with access to the private key. (2) The email was not modified in transit. Together with SPF and DMARC, DKIM prevents email spoofing and improves deliverability.
What is a DKIM selector?▾
A selector is a prefix used to look up the DKIM public key in DNS. Multiple selectors can exist for the same domain, allowing key rotation or multiple sending services. The selector is included in the DKIM-Signature header: "s=google" tells the receiver to look up the public key at google._domainkey.yourdomain.com. Common selectors: Google Workspace uses "google", Microsoft 365 auto-rotates between "selector1" and "selector2", SendGrid uses "s1" and "s2", Mailchimp uses "k1", Proton Mail uses "protonmail".
Why is a 1024-bit DKIM key considered weak?▾
RFC 8301 (published 2018) deprecated 1024-bit RSA keys for DKIM, requiring a minimum of 2048 bits. Research has shown that 1024-bit RSA keys can be factored with sufficient computing power and funding — a theoretical attacker who factored your key could forge DKIM signatures. Google deprecated 1024-bit DKIM in 2023. If you see a 1024-bit key, you should rotate to a 2048-bit key as soon as possible. Most modern email services already generate 2048-bit keys by default.
What does an empty p= value (revoked key) mean?▾
In DKIM, an empty public key (p=) signals that the key has been intentionally revoked. Emails signed with this key will fail DKIM verification. This is the DKIM key rotation mechanism — when you rotate keys, you revoke the old one by setting p= to empty. If you find a revoked key, it may be an old key from a previous ESP. Active emails should not be signed with a revoked key. If your emails are signed with a selector whose DNS record has p=, they will fail DKIM.
My DKIM selector is not in the common list — how do I find it?▾
To find your DKIM selector: (1) Check your email service provider's documentation or admin panel. (2) Send a test email and look at the full email headers — find the DKIM-Signature header, which contains "s={selector}". (3) For Google Workspace: Admin Console → Apps → Gmail → Authenticate email. (4) For Microsoft 365: Exchange admin center → mail flow → connectors. (5) For custom MTAs: check your Postfix/Exim configuration for the signing selector. Enter your custom selector in the "Additional selector" field of this checker.