DKIM Checker
What Is DKIM and How Does It Work?
DKIM (DomainKeys Identified Mail) is an email authentication standard that uses public-key cryptography to verify that an email message was sent by an authorized mail server and was not modified during transit. When a mail server sends an email with DKIM enabled, it creates a digital signature of the message headers and body using a private key. This signature is added to the email as a DKIM-Signature header.
When the receiving mail server gets the message, it extracts the selector and domain from the DKIM-Signature header and performs a DNS lookup to retrieve the corresponding public key. The public key is published as a TXT record at selector._domainkey.domain.com. The receiving server uses this public key to verify the signature, confirming that the email is authentic and has not been tampered with.
The DKIM selector is a key concept in how DKIM works. A selector is a text string that allows a domain to publish multiple DKIM keys simultaneously. This is useful for key rotation, where old keys are phased out and new keys are introduced, and for organizations that use multiple email services, each with its own DKIM key. Common selectors include "google" for Google Workspace, "selector1" and "selector2" for Microsoft 365, and "default" or "dkim" for many other email providers.
DKIM key length is an important security consideration. Keys should be at least 1024 bits, with 2048 bits now recommended as the standard. Shorter keys are vulnerable to brute-force attacks and may be rejected by some receiving mail servers. Our DKIM checker validates the key type and reports the key length so you can verify your DKIM configuration meets current security standards.
DKIM works alongside SPF and DMARC to form a complete email authentication framework. While SPF verifies which servers are allowed to send email for a domain, DKIM verifies the integrity and authenticity of individual messages. DMARC ties them together by defining what happens when messages fail either check. Use our SPF Checker and DMARC Checker to validate your complete email authentication setup.
Frequently Asked Questions
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that allows the sender to digitally sign outgoing messages. The receiving server verifies the signature using a public key published in DNS, proving the email was not altered in transit and was authorized by the domain owner.
What is a DKIM selector?
A DKIM selector is a string used to locate the DKIM public key in DNS. The full lookup is selector._domainkey.domain.com. Different services use different selectors - Google uses "google", Microsoft 365 uses "selector1" and "selector2", and others may use "default", "dkim", or custom values.
What key length should DKIM use?
DKIM keys should be at least 1024 bits, with 2048 bits recommended for stronger security. Keys shorter than 1024 bits are considered insecure and may be rejected by receiving servers.
How do I find my DKIM selector?
Check your email provider's documentation, or examine the DKIM-Signature header in a sent email and look for the "s=" tag which contains the selector. Common selectors include "google" for Google Workspace and "selector1" for Microsoft 365.