
A DKIM lookup retrieves the DomainKeys Identified Mail (DKIM) public key record published in DNS for a given domain and selector. DKIM is a cryptographic email authentication standard that lets receiving mail servers verify that an email was actually sent by the claimed domain and was not tampered with in transit. Without a valid DKIM record, your emails are more likely to fail authentication checks and land in spam folders.

When your mail server sends an email, it signs the message with a private key and adds a DKIM-Signature header. The receiving mail server then performs a DKIM lookup to fetch your public key from DNS and uses it to verify the signature. If the signature matches, the message is DKIM-authenticated. DKIM works in combination with SPF and DMARC to form a complete email authentication stack.

DKIM records are published as TXT records at a specific subdomain in the format: selector._domainkey.example.com. The selector is chosen by the email service and allows domains to use multiple DKIM keys simultaneously — one per email sending service. Common selectors include google, default, mail, s1, and s2.

Use this tool to verify that your DKIM record is correctly published, that the key is present and valid, and to inspect the key type, bit length, and flags. This is especially useful after setting up a new email provider or rotating DKIM keys.

How to Use the DKIM Lookup Tool

  1. Enter the domain name

    Type the sending domain, for example example.com. This is the domain in the d= tag of the DKIM-Signature header in outgoing emails.

  2. Enter the DKIM selector

    Enter the selector provided by your email service. Common selectors are: google (Google Workspace), selector1 and selector2 (Microsoft 365), default, mail, s1, s2. Check your email provider's setup guide if you are unsure.

  3. Click Lookup

    The tool queries the DNS TXT record at selector._domainkey.domain and displays the DKIM public key record. Results appear within seconds.

  4. Verify the record

    Confirm the record contains v=DKIM1, p= (the public key), and optionally k=rsa (key type) and t=s (flags). An empty or missing p= value means the key has been revoked.

Understanding DKIM Record Results

A DKIM record is a TXT record published at selector._domainkey.yourdomain.com. It contains several tagged parameters separated by semicolons. The most important is the p= tag, which holds the Base64-encoded RSA or Ed25519 public key. This is the key receiving servers use to verify email signatures. The v=DKIM1 tag identifies the record version — it must be the first tag. The k= tag specifies the key type (rsa or ed25519 — RSA is the most widely supported). The t= tag controls flags: t=s means the key is for exact domain matches only (subdomains must publish their own key); t=y means the domain is in testing mode (failures should not affect delivery). A missing p= value or p= with an empty value signals that the key has been revoked and all email using that selector will fail DKIM verification.

Field      Description
v=DKIM1    Version tag. Must be the first element in the record; identifies this TXT record as a DKIM public key.
k=         Key type. rsa is the most common; ed25519 offers smaller keys and better performance on modern systems.
p=         Base64-encoded public key. This is the cryptographic key receiving servers use to verify DKIM signatures. Empty p= means the key is revoked.
t=         Flags. t=s restricts the key to the exact domain (no subdomain signing). t=y means testing mode: failures are not enforced.
h=         Acceptable hash algorithms, e.g. h=sha256. If omitted, all algorithms are allowed.
n=         Human-readable notes about the key, for documentation purposes only; not used in DKIM validation.
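
An added example (not the lookup tool's own code) that applies the field rules above to a TXT value: it checks the position of v=, treats an empty p= as revoked, reports the t= flags, and reads the RSA modulus size from the key. It assumes an RSA p= value is a Base64-encoded DER SubjectPublicKeyInfo structure; the function names and sample records are constructed for illustration.

```python
import base64
import binascii

def parse_tags(txt):
    """Split a DKIM TXT value into ordered (tag, value) pairs."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    return [(t.strip(), "".join(v.split())) for t, v in pairs]

def _tlv(buf, pos):
    """Read the DER element at pos; return (content, offset after it)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size, assuming p= holds a DER SubjectPublicKeyInfo."""
    spki, _ = _tlv(der, 0)             # outer SEQUENCE
    _, after_alg = _tlv(spki, 0)       # AlgorithmIdentifier
    bitstr, _ = _tlv(spki, after_alg)  # BIT STRING
    rsakey, _ = _tlv(bitstr, 1)        # skip unused-bits byte, open RSAPublicKey
    modulus, _ = _tlv(rsakey, 0)       # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def audit(txt):
    """Return (status, findings) for one DKIM key record."""
    pairs = parse_tags(txt)
    tags, findings = dict(pairs), []
    ktype = tags.get("k", "rsa")       # rsa is the default key type
    if "v" in tags and (pairs[0][0] != "v" or tags["v"] != "DKIM1"):
        return "invalid", ["v= is not the first tag or is not DKIM1"]
    if not tags.get("p"):
        return "revoked", ["p= is empty or missing"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
        bits = rsa_bits(key) if ktype == "rsa" else len(key) * 8
    except (binascii.Error, IndexError):
        return "invalid", ["p= is not a decodable public key"]
    findings.append(f"{ktype} key, {bits} bits")
    if ktype == "rsa" and bits < 2048:
        findings.append("RSA key shorter than 2048 bits")
    findings += [f"flag t={f}" for f in tags.get("t", "").split(":") if f in ("y", "s")]
    return "ok", findings

# Constructed sample records; the key bytes are placeholders, not real keys.
ED25519 = "v=DKIM1; k=ed25519; t=y:s; p=" + base64.b64encode(bytes(range(32))).decode()
if __name__ == "__main__":
    for record in (ED25519, "v=DKIM1; k=rsa; p=", "k=rsa; v=DKIM1; p=AAAA"):
        print(audit(record))
```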

Common DKIM Lookup Use Cases

Verify DKIM record after email provider setup

After publishing the DKIM TXT record provided by your email service (Google Workspace, Microsoft 365, Mailgun, SendGrid, etc.), use DKIM lookup to confirm it is live in DNS before enabling DKIM signing in your mail provider's settings.

Troubleshoot DKIM failures in email headers

If received emails show dkim=fail or dkim=none in their Authentication-Results header, look up the selector and domain from the DKIM-Signature header to check whether the public key is published and matches what the sending server used.
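
The troubleshooting step above as an added example (not part of the tool): it reads the Authentication-Results and DKIM-Signature headers of a message and returns the selector._domainkey.domain name to look up for every signature that did not pass. The message is constructed, and matching verdicts to signatures by header.d alone is a simplifying assumption.

```python
import re
from email import message_from_string

def _tags(header):
    """Parse a DKIM tag=value list, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
    return {t.strip(): "".join(v.split()) for t, v in pairs}

def failing_dkim_lookups(raw_message):
    """Return (dns_name, verdict) for each signature that did not pass."""
    msg = message_from_string(raw_message)
    # Collect verdicts by signing domain, e.g. "dkim=fail ... header.d=example.com".
    # Assumption: one verdict per domain; header.s is not used for matching.
    verdicts = {}
    for results in msg.get_all("Authentication-Results", []):
        for verdict, rest in re.findall(r"\bdkim=(\w+)([^;]*)", results):
            domain = re.search(r"header\.d=([\w.-]+)", rest)
            if domain:
                verdicts[domain.group(1).lower()] = verdict
    lookups = []
    for signature in msg.get_all("DKIM-Signature", []):
        tags = _tags(signature)
        domain, selector = tags.get("d", "").lower(), tags.get("s", "")
        verdict = verdicts.get(domain, "none")   # no verdict recorded -> none
        if domain and selector and verdict != "pass":
            lookups.append((f"{selector}._domainkey.{domain}", verdict))
    return lookups

# Constructed message: two signatures, one failing and one passing.
RAW = """\
Authentication-Results: mx.receiver.example;
 dkim=fail (body hash did not verify) header.d=example.com header.s=s1;
 dkim=pass header.d=mailer.example.net header.s=k2; spf=pass
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=k2;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Sender <sender@example.com>
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for name, verdict in failing_dkim_lookups(RAW):
        print(f"dkim={verdict}: look up TXT {name}")
```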

Audit DKIM keys across multiple selectors

Domains that send email from multiple providers (marketing platform, CRM, transactional email, corporate mail) have multiple DKIM selectors. Use DKIM lookup to verify each selector is correctly published and none have expired or revoked keys.

Verify DKIM key rotation

After rotating DKIM keys — for example, after a security incident or periodic key refresh — look up both the old and new selectors to confirm the new key is published and the old one is revoked (p= empty or record removed).

DKIM Lookup — Frequently Asked Questions

What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that lets senders cryptographically sign outgoing email. The sending mail server adds a DKIM-Signature header containing a digital signature. Receiving servers look up the public key in DNS and verify the signature. If it matches, the email is DKIM-authenticated — proving it came from the stated domain and was not altered in transit.
How do I find my DKIM selector?
The DKIM selector is specified by your email service. Google Workspace uses "google", Microsoft 365 uses "selector1" and "selector2", and other providers use custom values. You can also find the selector in the DKIM-Signature header of an email sent from your domain — look for the s= tag. Check your email provider's DKIM setup documentation for the exact selector value.
What is a DKIM selector?
A selector is a label that distinguishes multiple DKIM keys published for the same domain. It is part of the DNS query used to look up the public key: selector._domainkey.yourdomain.com. Using selectors allows a domain to have multiple DKIM keys active simultaneously — one for each email sending service. This lets you add or rotate keys for individual services without affecting others.
Why does my DKIM lookup return no record?
A missing DKIM record means either (1) the record has not been published in DNS yet — check your DNS provider and wait for propagation; (2) the selector is wrong — verify the exact selector from your email provider's setup guide; (3) the record was never set up. Without a DKIM record, the domain cannot pass DKIM verification, which weakens your DMARC pass rate and may cause email to fail authentication.
What does an empty p= value mean in DKIM?
An empty p= tag (p=) in a DKIM record means the key has been revoked. The record exists but the public key has been removed. Any email signed with the corresponding private key will fail DKIM verification. This is the standard way to revoke a compromised DKIM key while keeping the DNS record in place to explicitly signal revocation to receiving servers.
Is DKIM required for email to work?
DKIM is not required for basic email delivery, but it is strongly recommended. Without DKIM, your domain cannot achieve a DMARC pass through the DKIM alignment path. Google and Yahoo's 2024 bulk sender requirements mandate DKIM for domains sending more than 5,000 emails per day to Gmail. Most enterprise mail filters also penalise or reject unsigned email from established domains.
What is the difference between DKIM and SPF?
SPF validates the IP address of the server that sent the email (the envelope sender). DKIM validates the content and origin of the email using a cryptographic signature. SPF can break when email is forwarded (the forwarding server's IP is not in the original SPF record). DKIM survives forwarding because the signature travels with the message. Both are needed for a complete email authentication setup.
How often should DKIM keys be rotated?
Security best practice recommends rotating DKIM keys annually, or immediately after a suspected key compromise. To rotate, generate a new key pair, publish the new public key under a new selector, update your mail server to sign with the new private key, then revoke the old key by setting p= empty in the old selector's DKIM record. Verify both records with DKIM lookup before and after the rotation.
What is the difference between RSA and Ed25519 DKIM keys?
RSA is the traditional key type for DKIM, typically with 2048-bit keys. It is supported by all major mail servers and services. Ed25519 is a newer elliptic curve key type that offers smaller keys (and thus shorter DNS records), faster signing and verification, and modern cryptographic security. Ed25519 is not yet supported by all mail systems, so RSA 2048-bit is still the recommended choice for maximum compatibility.
Can I use DKIM without DMARC?
Yes, DKIM works without DMARC, but its protective value is limited. DKIM alone proves the message signature is valid but does not prevent spoofing of the visible From: header. DMARC adds the alignment check — it requires that the domain in the From: header aligns with either the SPF-authenticated domain or the DKIM-signing domain. Without DMARC, an attacker can pass DKIM using their own domain while showing your domain in the From: header.
