Free Tool

DKIM Record Checker

Enter any domain and optional selector to look up and validate its DKIM record. Check key type, size, and configuration instantly.

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic signature to outgoing emails. The receiving server looks up the public key in DNS to verify the signature wasn't tampered with.

DKIM survives email forwarding (unlike SPF), making it critical for deliverability. Combined with DMARC, DKIM ensures recipients can trust that emails actually came from your domain.

DKIM and Email Forwarding

Unlike SPF, DKIM signatures travel with the email and remain valid even after forwarding — as long as the message body and signed headers aren't modified. This makes DKIM the most reliable authentication method for forwarded mail.

ARC-Relay preserves DKIM by adding cryptographic ARC (Authenticated Received Chain) seals that vouch for the original DKIM pass, so Gmail, Outlook, ProtonMail, and Yahoo trust the forwarded email even if minor modifications occur.

Fix your forwarding with ARC-Relay

Frequently Asked Questions

What is a DKIM selector?
A DKIM selector is a name that identifies which DKIM key to use when signing or verifying an email. It's part of the DNS lookup: selector._domainkey.yourdomain.com. Common selectors include "google" (Google Workspace), "selector1" and "selector2" (Microsoft 365), and "default". Each selector points to a different public key in your DNS.
How do I find my DKIM selector?
Check your email provider's documentation for the selector name. You can also find it by opening a sent email, viewing the headers, and looking for the DKIM-Signature header — the s= tag contains the selector. For example, s=google means the selector is "google".
What key size should I use for DKIM?
Use at least 2048-bit RSA keys. Older 1024-bit keys are still common but increasingly considered weak. Some providers support Ed25519 keys (k=ed25519) which are smaller but provide equivalent security. Major providers like Google and Microsoft use 2048-bit RSA.
What does 't=y' mean in a DKIM record?
The t=y flag indicates the domain is testing DKIM. Receiving servers may treat DKIM failures more leniently for testing domains. Remove the t=y flag once you've confirmed DKIM signing is working correctly. Leaving it on long-term provides weaker verification.
Can I have multiple DKIM selectors?
Yes, and it's common. Different email services (your mail server, marketing platform, transactional email provider) each use their own selector. There is no limit to the number of selectors. Each selector has its own key pair, so compromising one doesn't affect the others.

More Free Tools

DMARC Record Checker
Analyze your DMARC policy and get recommendations
SPF Record Validator
Check your SPF record for errors and lookup limits
Email Health Score
Get a 0-100 grade for your domain's email security
MX Record Lookup
Look up your domain's mail exchange records

Forward emails without breaking DKIM

ARC-Relay adds cryptographic ARC seals so forwarded emails pass authentication at Gmail, Outlook, and ProtonMail.

Start free