HomeToolsNetwork & DNS › DKIM Lookup

DKIM Lookup — Verify Your DKIM DNS Record

Email auth

Verify the DKIM public key published in DNS for any domain. Enter a domain and selector — we query the live DNS from our server and return the key type, strength, and raw TXT record.

Enter a domain and selector to look up the DKIM public key.

More email security tools: SPF Checker DMARC Checker DNS Lookup

About DKIM Lookup

DKIM Lookup is a free DNS tool for verifying the DKIM (DomainKeys Identified Mail) public key published in your domain's DNS. Enter a domain name and a DKIM selector, and the tool queries {selector}._domainkey.{domain} from our server-side DNS resolver — bypassing any local cache — and returns the raw TXT record, parsed key details (version, key type, key strength in bits), and a validity badge.

DKIM is the second of the three email authentication standards — alongside SPF and DMARC — that prove email genuinely came from your domain and has not been tampered with in transit. Mail servers use your public key (published in DNS) to verify the cryptographic signature your sending server adds to each outgoing email. A 2048-bit RSA key is the current standard; a 1024-bit key is technically valid but considered weak. A missing or malformed DKIM record is a common cause of email deliverability failures and DMARC alignment failures.

What a DKIM selector is

Unlike SPF (always at _spf.domain) and DMARC (always at _dmarc.domain), DKIM records live at a path that includes a user-defined selector. This lets a domain publish multiple DKIM keys — one per sending service — so Google Workspace, SendGrid, Mailchimp, and any custom mail server can each have a separate key. The selector appears in the DKIM-Signature: header of every outgoing email as the s= field. Common selectors: Google Workspace uses google, SendGrid uses s1, Mailchimp uses k1, Postmark uses pm.

Using DKIM Lookup alongside SPF Checker and DMARC Checker

For complete email authentication coverage, use all three tools together: SPF Checker to validate the IP authorization policy, DKIM Lookup to confirm the public key is published and valid, and DMARC Checker to verify the enforcement policy that ties both together. A common diagnostic flow is to check DKIM first (it is the most specific, requiring both the correct selector and domain), then SPF if DKIM is absent, then DMARC to see the overall enforcement posture.

Common use cases

  • Verifying DKIM after configuring Google Workspace — After enabling DKIM signing in the Google Admin console and publishing the TXT record in DNS, an admin uses DKIM Lookup with selector "google" to confirm the record has propagated and the key is valid. The tool returns the full RSA 2048-bit public key, confirming the DKIM setup is complete before sending test emails.
  • Diagnosing DMARC failures from a transactional email provider — A developer notices DMARC aggregate reports showing alignment failures from SendGrid. They use DKIM Lookup with selector "s1" (SendGrid's default) to verify the public key is published. The tool returns "Not Found", confirming DKIM was never configured in SendGrid — which explains why emails fail DMARC alignment despite passing SPF.
  • Confirming DKIM key rotation has propagated — An email administrator rotates the DKIM signing key after a security review. They use DKIM Lookup every few hours to check when the new key appears in DNS, and to confirm the old selector is no longer resolving once the TTL expires. The tool confirms both the old and new selector states during the cutover window.
  • Auditing DKIM coverage across multiple sending services — A security engineer audits DKIM coverage for five services (Google Workspace, Mailchimp, SendGrid, Postmark, and a custom SMTP server). They use the quick-select chips to check each provider's common selector against the domain, identifying which services are not yet DKIM-signed before the domain advances to p=reject DMARC policy.

How to use this tool

  1. Enter your domain name in the Domain field (e.g., example.com) — the bare domain, not "www." or a subdomain.
  2. Enter the DKIM selector for your mail provider in the Selector field. Use the quick-select chips for common providers: "google" for Google Workspace, "s1" for SendGrid, "mailchimp" for Mailchimp, "postmark" for Postmark. If unsure, check a sent email's headers for the "s=" field in the DKIM-Signature header.
  3. Click "Look up DKIM" to run the DNS TXT lookup at {selector}._domainkey.{domain} from our server.
  4. Review the result: a "Valid ✓" badge with RSA key type and 2048-bit strength means DKIM is correctly configured. "Not Found" means no record exists at this selector — verify the selector name or wait for DNS propagation. "Syntax Error" means a record was found but is malformed — contact your mail provider.

Frequently asked questions

What is a DKIM record and why does it matter?

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic signature to outgoing emails. The sending mail server signs each email with a private key; receiving servers verify the signature using the public key published in your domain's DNS. A valid DKIM signature proves the email genuinely came from your domain and has not been tampered with in transit, which reduces the chance of it being flagged as spam or rejected.

What is a DKIM selector?

A DKIM selector is a label that identifies which public key to use when verifying an email signature. It lets a domain publish multiple DKIM keys — one per sending service — so you can have separate keys for Google Workspace, SendGrid, Mailchimp, and so on. The selector is included in the DKIM-Signature header of each outgoing email. Common selectors: Google Workspace uses "google", SendGrid uses "s1", Mailchimp uses "k1".

How do I find my DKIM selector?

Open any email sent from your domain and view its full headers (in Gmail: "Show original"; in Outlook: "View message source"). Look for a header line starting with "DKIM-Signature:". Inside it, find the "s=" field — that value is your selector. For example, "s=google" means your selector is "google". If you set up DKIM through your sending provider's dashboard, they will have told you the selector during setup.

What does "Valid ✓" mean in the DKIM result?

Valid means a TXT record exists at {selector}._domainkey.{domain} that starts with v=DKIM1 and contains a non-empty p= (public key) field. This confirms DKIM is configured for this selector on your domain. Any email your mail server signs with the matching private key will pass DKIM verification at receiving servers.

My DKIM lookup shows "Not Found" — what should I check?

First, verify the selector name is correct. It must match exactly what your mail provider configured — selectors are case-sensitive. Common mistakes: using "google" when the actual selector is "google2048", or leaving out the version suffix. Second, allow DNS propagation time — a newly added DKIM TXT record can take up to 48 hours to appear globally. Third, confirm you entered the bare domain (e.g., example.com) not a subdomain.

Related Network Tools

Open another DNS or network check in one click.

Live

OG Tag Previewer

Enter any URL to see how it will appear as a social share preview on Facebook, LinkedIn, and Twitter/X. Checks og:title, og:description, og:image, and all Open Graph meta tags.

Open tool
Live

DNS Lookup

Check DNS records for a domain using a live resolver in your browser.

Open tool
Live

MX Lookup

Find the mail servers configured for a domain.

Open tool
Live

NS Lookup

View authoritative nameservers for a domain.

Open tool
Live

TXT Lookup

Inspect TXT records such as SPF and domain verification values.

Open tool
Live

CNAME Lookup

Resolve canonical hostname aliases for a domain or subdomain.

Open tool
Live

SOA Lookup

Inspect SOA parameters such as serial, refresh and retry.

Open tool
Live

CAA Lookup

Verify which certificate authorities can issue certificates for a domain.

Open tool