Free tools

DKIM Record Checker

Verify that a DKIM public key is published for a domain and selector - with revocation and key-strength checks.

Common selectors:

How this DKIM checker works

Enter a domain and a selector; the tool queries selector._domainkey.domain for TXT records over DNS from your browser. It reassembles split records, confirms a public key is present, flags revoked keys (empty p=), short 1024-bit keys, and test-mode flags.

Where the selector comes from

Open any message from the sender in question and view its raw headers. The DKIM-Signature header contains s= (the selector) and d= (the signing domain). Paste those into the checker above. To read headers easily, use our email header analyzer.

DKIM without the ceremony

When you onboard a domain to AgenticEmail, the DKIM keys are generated and the DNS records created for you (three CNAMEs), alongside SPF and DMARC. Verification is one click - or one API call - and your agents send signed mail from your own domain. Details in the docs.

Frequently asked questions

What is a DKIM record?
DKIM (DomainKeys Identified Mail) publishes a public key in DNS at selector._domainkey.yourdomain.com. Sending servers sign each message with the matching private key; receivers fetch the public key and verify the signature, proving the message came from an authorized server and wasn't modified in transit.
What is a DKIM selector and how do I find mine?
The selector is a name that lets one domain publish multiple keys (one per sending service). It appears in the DKIM-Signature header of any email you send, as the s= tag. Common defaults: google (Google Workspace), selector1/selector2 (Microsoft 365), s1/s2 (SendGrid), k1 (Mailchimp), resend, pm (Postmark), zoho.
Why does my DKIM check fail even though the record exists?
Usual suspects: checking the wrong selector, a truncated key (DNS providers that split long TXT values incorrectly), an empty p= tag (revoked key), or the signing domain not matching the record's domain. Check the s= and d= tags in an actual message header - our email header analyzer shows them.
Is DKIM enough without SPF and DMARC?
No - the three work together. DKIM survives forwarding where SPF breaks, SPF covers senders that don't sign, and DMARC ties both to the visible From address and tells receivers what to do on failure. Gmail and Yahoo's bulk-sender rules effectively require all three.
Talk to a real person