ZonoTools
Home/Developer/DKIM Checker

DKIM Checker

Signing domain
DKIM selector

Record host: selector._domainkey.domain

DNS lookups send the domain (or DKIM/DMARC host name) to this site's DNS API. Format checks for headers run locally in your browser.

How to use

  1. Enter the signing domain (the d= domain in DKIM-Signature, usually aligned with From:).
  2. Enter the selector (s= tag from a message header or your DNS panel, e.g. google, default, s1).
  3. Click Check DKIM to query selector._domainkey.yourdomain for TXT — lookup runs only on button click.

FAQ

How do I find the DKIM selector?

In DNS, look for TXT records under *_domainkey* subdomains. In mail, open raw headers and read s= in DKIM-Signature, or use Email Header Analyzer.

What DNS name does DKIM use?

TXT at {selector}._domainkey.{domain}, for example google._domainkey.example.com.

Why is my selector not found?

Wrong selector, unpublished DNS, propagation delay, or key rotation to a new selector name.

Does this verify signatures on live mail?

No. It confirms the DNS public key record exists and looks well-formed. Signature verification happens at the receiving MTA.

What if p= is empty?

An empty public key often means the domain revoked signing for that selector while keeping the record for a transition period.

Introduction

DKIM (DomainKeys Identified Mail) lets receivers verify that message content was signed with a private key whose public half is published in DNS. A DKIM checker confirms that the right selector and public key exist before you chase dkim=fail in mail logs.

Lookups run at {selector}._domainkey.{domain} only when you click Check DKIM.

What is a DKIM DNS record?

DKIM publishes a TXT record containing:

  • v=DKIM1 — version
  • p= — base64 public key (required for active signing)
  • Optional k= (key type, often rsa), h= (hash algorithms), t= (flags), etc.

The selector is a DNS label chosen by the signer (ESP or IT). Multiple selectors can coexist during key rotation (s1, s2, google, default).

This tool does not cryptographically verify a message — it validates DNS publication and basic record shape.

Key Features

  • Separate domain and selector fields (empty by default).
  • Shows the exact lookup host (selector._domainkey.domain).
  • Button-triggered TXT fetch.
  • Reports key type, hash tags, and estimated public key size.
  • Warnings for missing p=, short keys, or uncommon key types.
  • Raw record copy for change tickets.

Common Use Cases

  • Verifying Google Workspace or Microsoft 365 DKIM CNAME/TXT after enablement.
  • Finding the active selector after ESP migration.
  • Confirming a new key is live before removing an old selector.
  • Cross-checking s= from Email Header Analyzer against DNS.

Best Practices

  • Rotate keys with a new selector; keep the old record until queues drain.
  • Align the signing domain (d=) with your From: domain and DMARC alignment settings.
  • Document selectors in runbooks — they are easy to mistype.
  • DKIM + SPF + DMARC together cover authentication and policy; MX (MX Lookup) is separate inbound routing.

Related Tools

Disposable Email CheckerSPF CheckerDMARC CheckerEmail ValidatorMX LookupEmail Header Analyzer
Explore all Developer Tools