Free DKIM record checker
Look up your domain's DKIM public key record, verify your selector configuration, and catch setup errors before they hurt deliverability.
Full authentication monitoring (SPF, DKIM, DMARC) is available in the ValidPeak dashboard.
DKIM key types
Recommended
2048-bit RSA keys offer strong security and are widely supported by mail servers. Recommended for all new DKIM configurations.
Weak — upgrade recommended
1024-bit RSA keys are considered weak by modern standards. Upgrade to 2048-bit if your email provider supports it.
Modern & compact
Ed25519 elliptic curve keys are smaller and faster than RSA. Growing in adoption but not universally supported yet.
What does this DKIM checker verify?
- ✓DNS TXT record existence for the specified selector and domain
- ✓Public key presence and key type (RSA or Ed25519)
- ✓Key size and whether it meets recommended minimums (2048-bit RSA)
- ✓Record syntax errors that would prevent proper DKIM verification
- ✓Whether the selector is published and propagated globally
- ✓Recommended upgrades if your key strength is below modern standards
Frequently asked questions
What is a DKIM record?
DKIM (DomainKeys Identified Mail) uses a public/private key pair to sign outgoing emails. The public key is published as a DNS TXT record under a selector subdomain (e.g., google._domainkey.yourdomain.com). Receiving servers retrieve this key to verify the digital signature in the email header, confirming the message was sent by an authorized source and wasn't altered in transit.
What is a DKIM selector?
A DKIM selector is a label that identifies which DKIM public key to use. It appears in the DNS record as `selector._domainkey.yourdomain.com`. A domain can have multiple selectors, allowing different sending services (e.g., Google Workspace, Mailchimp, SendGrid) to each have their own DKIM key.
Does DKIM alone prevent email spoofing?
No. DKIM signs the message body and selected headers, but it doesn't check whether the signing domain matches the From address the recipient sees. You also need DMARC to enforce that alignment. SPF covers the envelope sender. Together, SPF + DKIM + DMARC provide complete protection against domain spoofing.
My DKIM check shows 'no record found'. What should I do?
If no DKIM record is found, your emails are sent without a DKIM signature. This weakens deliverability and leaves your domain unprotected. Contact your email service provider to get the DKIM public key and publishing instructions, then add the TXT record to your DNS. After publishing, it may take up to 48 hours for DNS propagation.