DKIM Analyzer
Check and validate DKIM records for any domain. Verify your email authentication setup instantly.
Protect your forms from fake emails
While DKIM verifies sender authenticity, disposable emails still slip through. Our API blocks 280,000+ temp email domains.
Get Free API Key →What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that helps receiving mail servers verify that an email was actually sent by the domain it claims to be from and hasn't been modified in transit.
Cryptographic Signatures
DKIM uses public-key cryptography to sign outgoing emails. The private key stays on the sending server, while the public key is published in DNS for receivers to verify.
Prevents Email Spoofing
Without DKIM, anyone can forge the "From" address. DKIM signatures prove the email genuinely came from the claimed domain, reducing phishing attacks.
Improves Deliverability
Email providers like Gmail, Outlook, and Yahoo prioritize properly authenticated emails. Missing or broken DKIM records hurt your sender reputation and inbox placement.
Works with SPF & DMARC
DKIM is one part of a complete email authentication setup. Combined with SPF (Sender Policy Framework) and DMARC, it provides comprehensive protection against email fraud.
DKIM FAQ
Common questions about DKIM records and email authentication
What is a DKIM selector?
A DKIM selector is a string that helps locate the public key in DNS. Since a domain can have multiple DKIM keys (for different email services or rotation purposes), the selector specifies which key to use for verification.
Common selectors include: "default", "google" (for Google Workspace), "selector1" and "selector2" (for Microsoft 365), "k1" (for Mailchimp), and "s1" (for SendGrid). The selector is included in the DKIM-Signature header of every signed email.
How do I find my domain's DKIM selector?
The easiest way to find your DKIM selector is to look at the raw headers of an email sent from your domain. Find the "DKIM-Signature" header and look for the "s=" tag—that's your selector.
Alternatively, check your email provider's documentation. Google Workspace typically uses "google", Microsoft 365 uses "selector1" or "selector2", and other services have their own conventions.
What does a DKIM record look like?
A DKIM record is a TXT record in DNS that contains the public key and related parameters. It's published at: selector._domainkey.yourdomain.com
A typical DKIM record looks like: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSI..." where v= is the version, k= is the key type (usually RSA), and p= is the base64-encoded public key.
Why is my DKIM check failing?
Common reasons for DKIM failures include: wrong selector (try common ones like "google", "default", "selector1"), missing DNS record (DKIM not configured yet), DNS propagation delay (changes can take up to 48 hours), or the public key was rotated but DNS wasn't updated.
Also check for typos in the DNS record and ensure the TXT record isn't split incorrectly if it exceeds 255 characters.
Does DKIM prevent spam?
DKIM alone doesn't prevent spam—it only verifies that an email came from the domain it claims. A spammer can set up DKIM on their own domain and send signed spam emails that pass DKIM checks.
For comprehensive email security, DKIM should be combined with SPF (which verifies sending IP addresses) and DMARC (which tells receivers what to do with failed authentications). Even then, you'll need additional spam filtering based on content and sender reputation. To block fake signups from disposable email addresses, check out our disposable email detector or integrate our detection API.