Guide
This free DKIM checker looks up the public key record at <selector>._domainkey.<domain>, reads the key type and strength, and flags problems like revoked keys, weak 1024-bit RSA, or test-mode flags. If you don't know your selector, it scans the selectors used by major providers.
How to check a DKIM record
- Enter a domain (e.g.
example.com). - Enter the selector if you know it, or leave it empty to scan common ones — found selectors appear as buttons you can click to run the full check.
- Read the verdict: the raw key record, the key type and bit length, each tag explained, and a list of errors and warnings.
Common selectors by provider
If none of these match, check your provider's DNS setup guide, or open a message you sent and read the s= tag inside its DKIM-Signature header.
What the checker validates
Example
Checking example.com with selector google queries google._domainkey.example.com and might return v=DKIM1; k=rsa; p=MIIBIjANBgkq…. The tool parses the key and reports "RSA 2048 bit" with no issues — a healthy DKIM setup.
Check SPF and DMARC too
DKIM proves a message wasn't altered, but on its own it doesn't tell receivers what to do with unsigned spoofed mail. Pair it with the SPF checker and DMARC checker.
Limitations
- The selector scan covers common provider selectors only; custom selectors must be entered manually.
- The tool checks the published key record, not whether your outgoing mail is actually signed with it.


