Tools / DKIM Check
DKIM Check
Confirm your outgoing email is cryptographically signed and verifiable.
What does all this mean?
This tool checks whether your domain publishes DKIM keys - the cryptographic signatures that let receivers confirm your email really came from you and wasn’t tampered with.
What is DKIM, in one minute?
DKIM adds a digital signature to your outgoing mail. Receivers fetch your public key from DNS to verify that signature, which helps prove the message came from an authorized sender and was not changed in transit.
DKIM works alongside SPF, and DMARC ties them together. DKIM keys live at a provider-specific “selector”, which is why this tool scans common selectors or lets you enter yours directly.
What is a selector?
A selector is a short name your mail provider picks, such as google, selector1, or k1. The DNS record lives at selector._domainkey.yourdomain.com.
Find yours in your provider’s email-authentication or DKIM settings.
Glossary
v=DKIM1 - version marker. Usually present at the start, though some providers omit it.
k= - key type, usually rsa or ed25519.
p= - public key. If this is empty, the key is revoked and signatures using it will fail.
t=y - testing mode. Receivers may ignore DKIM failures while this flag is present.
h= - hash algorithms allowed for this key, such as sha256.
For RSA, 2048-bit keys are the current recommendation.
Related reading: Why your business email lands in spam.