Introduction
DomainKeys Identified Mail (DKIM) binds every outgoing message to the sender’s domain through a header signature. You publish a public key in DNS and your mail server signs each message body and selected headers. Receiving servers fetch the key, recompute the hash, and compare it to the signature. Matching values confirm integrity and authorised origin.
This validator lets you inspect that DNS key quickly. You enter a domain and an optional selector. The interface builds the fully qualified record name, sends a DNS‑over‑HTTPS query, then merges quoted fragments into one line. Parsed tags appear instantly with pass or fail icons so you know what to adjust before delivery.
Run this check during staging, routine monitoring, or after mailbox migrations to confirm every domain authenticates reliably. It helps you avoid deliverability surprises caused by forgotten selectors, multi‑day DNS caching, mismatched keys, misaligned tags, signature canonicalization mistakes, unexpected whitespace, or too‑short RSA values that modern receivers distrust and flag as suspicious.
Technical Details:
The single‑page interface runs entirely in your browser. It composes a TXT request to a DNS‑over‑HTTPS service, measures latency, and formats the JSON response without external storage.
Feature Breakdown
Live TXT lookup
When you press Validate, the script builds <selector>._domainkey.<domain>, then retrieves the record. Example: default._domainkey.example.com. Caution: cached resolvers may serve stale data.
Tag parser
The response splits on semicolons to create a tag map such as p→MIGf…. Example: the k tag shows key type. Caution: missing tags produce empty cells.
Key‑length estimator
The app multiplies Base64 length by three‑quarters to approximate key bits. Example: 344 bytes equal 2752 bits. Caution: ed25519 keys are unsupported.
Pass/Fail matrix
Each rule renders a green check or red cross for instant clarity. Example: Key length ≥ 2048 bits passes for modern setups. Caution: visual status ignores revoked keys.
Performance timer
The elapsed‑time badge shows query latency in milliseconds. Example: 75 ms indicates edge caching. Caution: slow queries may hint at firewall blocks.
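The fragment merge, tag parsing and key-length estimate described above, as an added example that is not the tool's own code. It runs on a constructed DNS-over-HTTPS JSON response (the Status/Answer/data shape is an assumption, since the page does not name the resolver), and the function names mergeTxtFragments, parseTags and checkDkim are hypothetical.

```javascript
// Added example; function names and sample data are constructed for illustration.

// DoH JSON returns TXT data as one or more quoted fragments: join them.
function mergeTxtFragments(data) {
  const parts = data.match(/"((?:[^"\\]|\\.)*)"/g);
  if (!parts) return data.trim(); // resolver already returned unquoted text
  return parts.map(s => s.slice(1, -1).replace(/\\(.)/g, "$1")).join("");
}

// Split on semicolons into a tag map; the first occurrence of a tag wins.
function parseTags(record) {
  const tags = {};
  for (const piece of record.split(";")) {
    const eq = piece.indexOf("=");
    if (eq < 0) continue;
    const name = piece.slice(0, eq).trim();
    if (name && !(name in tags)) tags[name] = piece.slice(eq + 1).trim();
  }
  return tags;
}

function checkDkim(dohJson) {
  const answer = (dohJson.Answer || []).find(a => a.type === 16); // 16 = TXT
  if (!answer) return { present: false };
  const tags = parseTags(mergeTxtFragments(answer.data));
  const p = (tags.p || "").replace(/\s+/g, ""); // whitespace inside p is legal
  const decodedBytes = Math.floor(p.replace(/=+$/, "").length * 3 / 4);
  return {
    present: true,
    keyType: tags.k || "rsa",          // RFC 6376 default when k is absent
    revoked: "p" in tags && p === "",  // RFC 6376: empty p= means revoked
    // Assumed estimate: decoded bytes * 8. This counts the DER wrapper too,
    // so a 2048-bit RSA key (294 DER bytes) reads as 2352, not 2048.
    estimatedBits: decodedBytes * 8,
    ttl: answer.TTL,
  };
}

// Constructed sample: 392 filler Base64 characters, the size of a 2048-bit
// RSA public key, split across two quoted fragments. Not a usable key.
const sample = { Status: 0, Answer: [{ name: "default._domainkey.example.com.",
  type: 16, TTL: 300,
  data: '"v=DKIM1; k=rsa; p=' + "A".repeat(200) + '" "' + "A".repeat(192) + '"' }] };
// Constructed sample: selector whose key has been revoked.
const revokedSample = { Status: 0, Answer: [{ name: "old._domainkey.example.com.",
  type: 16, TTL: 300, data: '"v=DKIM1; p="' }] };

console.log(checkDkim(sample), checkDkim(revokedSample));
```

A length-based estimate cannot tell a revoked selector from a missing p tag, so the revoked flag is reported separately from the bit count.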
Step-by-Step Guide:
Follow these concise steps to verify a DKIM record.
- Enter your domain into the Domain field (placeholder example.com).
- Enter the selector into the Selector field; leave blank to use default.
- Click to start the lookup.
- Read the raw record inside the blue information banner.
- Scan the tag table for unexpected values; check p.
- Review the DKIM Checks column; red icons mark failures. Fix before send.
FAQ:
This section answers frequently asked questions.
Is my data stored?
No. The tool runs locally and does not log or transmit entries beyond the DNS query.
Why do I receive “No DKIM record”?
The selector may be wrong, or DNS changes have not propagated. Wait up to 48 hours.
What selector should I use?
Check your mail server documentation. Common values include default, google, or a date stamp.
Does a 1024‑bit key pass?
It passes minimum requirements but upgrading to at least 2048 bits improves resilience.
Can I test multiple domains?
Yes. Change the Domain field and run Validate again. The previous result clears automatically.
Troubleshooting:
Resolve common problems quickly.
- Critical “Lookup failed” – Check internet connection and firewall rules.
- Red cross on “Record present” – Confirm selector value matches server configuration.
- Key length shows 0 bits – Ensure the p tag is present and unwrapped.
- Spinner never stops – Reload the page to reset the reactive interface.
- Unexpected characters in tags – Remove stray quotes from TXT record.
Advanced Tips:
Apply these ideas to deepen your checks.
- Test multiple selectors to isolate phased rollouts.
- Compare TTL values to schedule safe record rotations.
- Run the tool over HTTPS to avoid mixed‑content blocks.
- Use browser dev tools to view full DNS JSON for auditing.
- Bookmark pre‑filled URLs containing ?domain=&selector= parameters.
Glossary:
Key terms explained.
- DKIM – Protocol that binds a domain to a signed email header.
- Selector – Label identifying which public key to use for verification.
- TXT record – DNS resource that carries arbitrary text data.
- TTL – Time a DNS record stays cached before refresh.
- Base64 – Encoding that represents binary data using ASCII characters.