DKIM Record Checker & Generator

Check and validate DKIM records, verify email signatures, and generate RSA key pairs for email authentication

Check DKIM Record

Note: DKIM requires both a domain and a selector. If you are unsure of the selector, try the common ones: default, google, k1, s1, selector1, selector2, dkim

Generate DKIM Keys

Important: Keep your private key secure! Never share it publicly or commit it to version control.
Domain: The domain that will send emails
Selector: A unique name for this DKIM key. Common: default, k1, s1, selector1. Use different selectors for key rotation.
Key size: 2048-bit is the recommended standard for most use cases

Understanding DKIM Records

DKIM (DomainKeys Identified Mail) is an email authentication method that allows the receiver to verify that an email was actually sent by the domain it claims to be from and that the message hasn't been altered during transit. It uses cryptographic signatures to ensure email integrity and authenticity.

Why DKIM Records Matter

DKIM records are essential for email security and deliverability because they:

  • Verify Email Authenticity: Proves emails actually came from your domain
  • Prevent Email Tampering: Detects if email content was modified in transit
  • Improve Deliverability: Authenticated emails are more likely to reach inboxes
  • Protect Reputation: Prevents spammers from impersonating your domain
  • Enable DMARC: DKIM is a key component of DMARC authentication
  • Build Trust: Recipients can verify your emails are legitimate

How DKIM Works

DKIM uses public-key cryptography:

  • Step 1: Your mail server signs outgoing emails with a private key
  • Step 2: The signature is added to the email headers
  • Step 3: Your public key is published in DNS
  • Step 4: Receiving servers retrieve your public key from DNS
  • Step 5: The signature is verified using the public key
  • Step 6: If verification succeeds, the email passes DKIM

DKIM Record Structure

A typical DKIM record looks like this:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...

Breaking down the components:

  • v=DKIM1: DKIM version (always DKIM1)
  • k=rsa: Key type (RSA is standard)
  • p=: Public key in Base64 encoding
  • t=y: Testing mode flag (optional, remove for production)
  • s=email: Service type (email or * for all)
  • h=: Acceptable hash algorithms
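
Checking a record means parsing these tags and inspecting the key carried in p=. The following is an added example, not the code behind this tool: a standard-library parser that reads the tags, measures the RSA modulus, and reports testing mode or an empty (revoked) key. The function names are illustrative, and the sample record is constructed with a filler modulus behind the same 1024-bit header that the truncated p= value above begins with.

```python
import base64

def parse_tags(record):
    """Split 'v=DKIM1; k=rsa; p=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def rsa_bits(p_value):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in p=."""
    der = base64.b64decode(p_value, validate=True)
    _, spki, _ = read_tlv(der, 0)           # outer SEQUENCE
    _, _, alg_end = read_tlv(der, spki)     # AlgorithmIdentifier, skipped
    _, bitstr, _ = read_tlv(der, alg_end)   # BIT STRING wrapping the key
    _, key, _ = read_tlv(der, bitstr + 1)   # +1 skips the unused-bits byte
    tag, start, end = read_tlv(der, key)    # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("p= does not hold an RSA public key")
    return int.from_bytes(der[start:end], "big").bit_length()

def audit(record):
    tags, findings = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unsupported version")
    if not tags.get("p"):
        findings.append("empty p=: key revoked or missing")
    elif tags.get("k", "rsa") == "rsa":
        size = rsa_bits(tags["p"])
        findings.append(f"rsa {size}-bit" + (" (below 2048)" if size < 2048 else ""))
    if "y" in tags.get("t", "").split(":"):
        findings.append("testing mode (t=y) still set")
    return findings

# Constructed sample: 1024-bit SPKI header plus filler modulus, not a real key.
SAMPLE_DER = (bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100")
              + b"\xc3" * 128 + bytes.fromhex("0203010001"))
SAMPLE = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(SAMPLE_DER).decode()
```

Calling audit(SAMPLE) flags both the short key and the leftover testing flag.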

What is a DKIM Selector?

A selector is a unique identifier that allows you to have multiple DKIM keys for one domain. This is useful for:

  • Key Rotation: Gradually switch to new keys without disruption
  • Multiple Servers: Different mail servers can use different keys
  • Third-Party Services: Email services can use their own selectors
  • Testing: Test new keys before making them primary

Common selector names: default, google, k1, s1, selector1, mail, dkim

DKIM DNS Record Location

DKIM records are published at: selector._domainkey.yourdomain.com

For example, if your domain is example.com and your selector is "default", the DNS record is at: default._domainkey.example.com

Key Size Recommendations

  • 1024-bit: Older standard, less secure, but more compatible and faster. Not recommended for new implementations.
  • 2048-bit: Current recommended standard. Good balance of security, performance, and compatibility. Fits in standard DNS responses.
  • 4096-bit: Maximum security but may cause DNS issues due to response size limits. Can require DNS fragmentation or TCP fallback.
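
The size argument behind these recommendations can be worked through directly. The following added example (not part of the original page or its tool) estimates the DNS answer size for each key length. It assumes the usual exponent 65537, an answer carrying only this one TXT record, and the example name default._domainkey.example.com; 512 bytes is the classic DNS-over-UDP limit without EDNS0.

```python
import math

UDP_LIMIT = 512   # classic DNS-over-UDP payload limit without EDNS0 (RFC 1035)

def tlv(n):
    """Bytes taken by a DER element with n content bytes (tag + length + content)."""
    return n + (2 if n < 128 else 3 if n < 256 else 4)

def spki_len(bits):
    """DER size of an RSA SubjectPublicKeyInfo; assumes exponent 65537."""
    rsa_key = tlv(tlv(bits // 8 + 1) + tlv(3))   # SEQUENCE { modulus, exponent }
    return tlv(15 + tlv(1 + rsa_key))            # AlgorithmIdentifier + BIT STRING

def dkim_record(bits):
    """Record text with a placeholder key of the right Base64 length."""
    b64_len = 4 * math.ceil(spki_len(bits) / 3)
    return "v=DKIM1; k=rsa; p=" + "A" * b64_len

def txt_strings(record):
    """Split into the <=255-byte character-strings a TXT record is made of."""
    return [record[i:i + 255] for i in range(0, len(record), 255)]

def response_size(qname, record):
    """Approximate size of a DNS answer carrying this single TXT record."""
    name = sum(len(label) + 1 for label in qname.split(".")) + 1
    rdata = sum(len(s) + 1 for s in txt_strings(record))  # 1 length byte each
    return 12 + (name + 4) + (2 + 10 + rdata)   # header + question + answer

def report(qname, bits):
    rec = dkim_record(bits)
    size = response_size(qname, rec)
    return {"bits": bits, "strings": len(txt_strings(rec)),
            "bytes": size, "fits_plain_udp": size <= UDP_LIMIT}

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(report("default._domainkey.example.com", bits))
```

Any record longer than 255 characters, which includes every 2048-bit key, has to be entered as several quoted strings in the TXT record; resolvers concatenate them.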

DKIM Implementation Steps

  • Step 1: Generate public/private key pair (use our generator above)
  • Step 2: Add the public key to DNS as a TXT record at selector._domainkey.domain.com
  • Step 3: Configure your mail server with the private key
  • Step 4: Enable DKIM signing in your mail server configuration
  • Step 5: Specify which headers to sign (typically From, To, Subject, Date)
  • Step 6: Test by sending an email and checking headers
  • Step 7: Use email authentication checkers to verify
  • Step 8: Monitor and rotate keys periodically (every 6-12 months)

Best Practices for DKIM

  • Use 2048-bit keys as the standard
  • Keep private keys secure - never share them
  • Use descriptive selector names for easy management
  • Sign important headers: From, To, Subject, Date, Message-ID
  • Rotate keys regularly (every 6-12 months)
  • Use testing mode (t=y) when first implementing
  • Monitor DKIM pass rates in DMARC reports
  • Keep old keys active for a transition period when rotating
  • Document which servers use which selectors

Common DKIM Issues

  • DNS Record Too Long: 4096-bit keys may exceed DNS limits. Use 2048-bit instead.
  • Missing Selector: Must specify selector in email headers and DNS
  • Key Mismatch: Public key in DNS must match private key on server
  • Email Forwarding: Forwarded emails may break DKIM (this is normal)
  • Header Modification: Mailing lists that modify headers can break signatures

Instant Validation

Check and validate DKIM records with detailed key analysis

Key Generator

Generate secure RSA key pairs for DKIM authentication

Secure & Private

Keys generated locally on our server, not stored anywhere

Frequently Asked Questions

What is a DKIM record?

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify email authenticity. When you send an email, your mail server signs it with a private key. The signature is added to email headers. Receiving servers verify the signature using your public key published in DNS. This proves the email came from your domain and hasn't been tampered with.

How do I check my DKIM record?

Enter your domain name and DKIM selector in the checker tool above. We'll query selector._domainkey.yourdomain.com and retrieve your DKIM public key, parse all tags (v, k, p, t, s), validate the key structure, and display detailed results. If you don't know your selector, try common ones: default, google, k1, s1, selector1.

What is a DKIM selector?

A DKIM selector is a unique identifier that allows multiple DKIM keys for one domain. It's part of the DNS hostname (selector._domainkey.domain.com) and must match the selector specified in email headers. Common selectors: default, google (for Google Workspace), k1, s1, selector1, mail, dkim. You choose the selector name when generating keys. Different selectors allow key rotation and multiple mail servers.

How do I generate DKIM keys?

Use our DKIM generator above. It will create a secure RSA key pair (public and private keys). Add the public key to your DNS as a TXT record at selector._domainkey.yourdomain.com. Configure your mail server with the private key to sign outgoing emails. Keep the private key secure and never share it publicly. Use 2048-bit keys for the best balance of security and compatibility.

Where do I add my DKIM record in DNS?

Add a TXT record in your DNS settings with hostname: selector._domainkey (or selector._domainkey.yourdomain.com depending on your DNS provider). For example, if your domain is example.com and selector is "default", add a TXT record at default._domainkey.example.com. Paste the entire DKIM record (v=DKIM1; k=rsa; p=...) as the value. Wait 24-48 hours for DNS propagation.

What key size should I use for DKIM?

Use 2048-bit keys (recommended standard). 1024-bit is less secure and not recommended for new implementations. 4096-bit provides maximum security but may cause DNS response size issues. 2048-bit offers the best balance: secure, compatible with all mail servers, and fits comfortably in DNS responses without fragmentation.

How do I know if DKIM is working?

Send a test email to yourself or a Gmail account. View the email headers (Show Original in Gmail). Look for "DKIM: PASS" or similar. You can also use email authentication testing services. Check DMARC aggregate reports for DKIM pass rates. Use our DKIM checker to verify your public key is published correctly in DNS.

Can I have multiple DKIM records?

Yes! Use different selectors for each DKIM key. For example: default._domainkey.domain.com and backup._domainkey.domain.com. This allows key rotation (gradually switch to new keys) and multiple mail servers (each with its own key). Email services like Google Workspace use their own selectors (e.g., google._domainkey.domain.com). Each selector is a separate DNS record.

How often should I rotate DKIM keys?

Rotate DKIM keys every 6-12 months as a security best practice. When rotating: (1) Generate new keys with a new selector, (2) Add new public key to DNS, (3) Configure mail server to sign with new private key, (4) Wait a few days, (5) Remove old public key from DNS. Keep old keys active briefly during transition to avoid breaking in-flight emails.

What's the difference between DKIM, SPF, and DMARC?

SPF checks whether the sending server is authorized. DKIM uses cryptographic signatures to verify that the email hasn't been tampered with. DMARC uses both SPF and DKIM to determine authenticity and tells receiving servers what to do with failures. All three work together: DKIM provides the strongest verification (the signature survives forwarding as long as the message is not modified), SPF is simpler but breaks on forwarding, and DMARC provides policy and reporting.