Logo
Free DKIM Checker Tool

DKIM Checker

Enter any domain and selector to check its DKIM record. We validate the signature, inspect key strength, detect selectors, and flag anything that could weaken your email authentication.

Common selectors include: google, selector1, selector2, s1, k1, default

What Your Results Mean

Understanding Your DKIM Check

Here's what each result means and what to do next.

DKIM Pass

Your DKIM signature is valid and properly configured

A passing result means your DKIM record exists, your public key is published correctly, and your key size and hash algorithm meet current security standards. Receiving mail servers can verify that messages from your domain haven't been tampered with in transit. To complete your email authentication, make sure SPF and DMARC are also configured.

  • Valid DKIM signature found
  • Public key is published and accessible
  • Key size meets current security standards
  • Hash algorithm is secure
Check Your DMARC NextCheck Your SPF
Common DKIM Issues

Common DKIM Problems and How to Fix Them

These are the DKIM problems we see most often. If your check flagged any of these, here's what they mean and how to fix them.

Weak Key Size

The most common DKIM weakness

DKIM keys that are 1024 bits or shorter are increasingly vulnerable to brute-force attacks. Major providers like Google and Microsoft recommend 2048-bit keys as the minimum. A weak key means your DKIM signature could eventually be forged — undermining the entire point of signing your emails.

1024-bit keys are considered weak by modern standards2048-bit RSA is the current recommended minimumFix: generate a new 2048-bit key pair and update your DNS
Coming Soon

Missing DKIM Record

No public key to verify against

If there's no DKIM TXT record in DNS for the selector your email service uses, receiving servers have no public key to verify your signatures against. This means every DKIM check fails — and if you have a DMARC policy set to quarantine or reject, those messages may never reach the inbox.

The selector's TXT record doesn't exist in DNSWithout a public key, receivers can't verify signaturesFix: publish the DKIM TXT record your email provider gave you
Coming Soon

Selector Misconfiguration

Wrong selector breaks verification

DKIM selectors are the bridge between a signed email and its public key in DNS. If the selector in outgoing email headers doesn't match a published DNS record, verification fails silently. This is especially common when migrating email providers or adding new sending services — the old selector stays in the headers but the DNS record has changed.

Each email service uses its own selector (e.g. s1, google, k1)Wrong selector = failed verification even with a valid keyFix: confirm the selector with your provider and update DNS
Coming Soon

No Key Rotation

Static keys are a growing risk

DKIM keys that never change give attackers more time to compromise them — and once compromised, they can sign forged emails that pass verification. Regular key rotation limits the window of exposure. Most organizations should rotate DKIM keys at least annually, using new selectors each time and retiring the old ones.

Static keys become more vulnerable over timeCompromised keys allow forged signatures indefinitelyFix: rotate keys periodically and retire old selectors
Coming Soon
Why It Matters

Why DKIM Matters for Your Business

DKIM is the cryptographic layer of email authentication. Without it, your emails can be altered in transit, your domain can be impersonated, and your deliverability takes a hit.

Emails Get Tampered With in Transit

Without DKIM, there's no way for receiving servers to verify that your message wasn't altered between send and delivery. Attackers can modify content, inject links, or change attachments — and the recipient has no way to tell.

Your Domain Gets Impersonated

DKIM proves that an email was actually sent by your organization. Without it, anyone can send messages that look like they came from your domain — and your recipients won't know the difference.

DMARC Alignment Breaks

DMARC requires either SPF or DKIM to pass and align with the From domain. If DKIM is missing or misconfigured, you're relying entirely on SPF — and if that fails too, your DMARC policy kicks in and rejects or quarantines your own legitimate email.

Deliverability Suffers Silently

Major inbox providers use DKIM as a trust signal in their spam filtering. Missing or broken DKIM doesn't always trigger a visible bounce — your emails just quietly get deprioritized or filtered, and you only notice when open rates drop.
See How iO DMARC Helps
Complete Protocol Coverage

Check Your Full Email Authentication with iO™ DMARC

SPF is one piece of the puzzle. Use these tools to check the rest of your email authentication stack.

SPF

SPF Checker

Validate your SPF record and confirm which servers are authorized to send on your behalf. SPF works alongside DKIM to verify that messages come from approved sources.

Check SPF
DMARC

DMARC Checker

Check your DMARC policy and alignment. DMARC uses your DKIM signature to verify message integrity, and tells receivers what to do when verification fails.

Check DMARC
BIMI

BIMI Checker

See if your domain qualifies to display your brand logo in supported inboxes. BIMI requires DMARC alignment, which depends on a valid DKIM signature.

Check BIMI
MTA-STS

MTA-STS Checker

Check whether your domain enforces encrypted email delivery. MTA-STS protects messages in transit, complementing the message integrity that DKIM provides.

Check MTA-STS
TLS-RPT

TLS-RPT Checker

Verify your TLS reporting setup. TLS-RPT alerts you when sending servers fail to establish secure connections with your domain, so you catch delivery issues early.

Check TLS-RPT
Email Audit

Email Authentication Audit

Get a complete picture of your SPF, DKIM, DMARC, BIMI, and MTA-STS configuration in one report. See what’s working, what’s broken, and what to fix first.

Run Free Audit

Ready to secure your email domain?

DKIM is just one layer. iO™ DMARC manages your entire email authentication stack, so you don’t have to.

Get Started with iO™ DMARCSchedule a Demo
Learn More

Learn About DKIM

Want to go deeper? These guides explain how DKIM works, how to set it up, and how to troubleshoot common problems.

DKIM Record Examples

Real-world DKIM record examples for Office 365, Google Workspace, and common third-party senders — with selector and key breakdowns.
Coming Soon

DKIM Failure Troubleshooting

Step-by-step fixes for the most common DKIM failures: missing records, weak keys, selector mismatches, and signature verification errors.
Coming Soon

Managed Email Authentication

Don't want to manage DKIM yourself? Our iO DMARC service configures, hosts, and monitors your SPF, DKIM, and DMARC records for you.
Coming Soon
Explore iO DMARC

Ready to Fix Your Email Authentication?

Found issues with your DKIM record? Or just want someone to handle email authentication so you don't have to think about it? Let's talk.

Want DKIM Managed for You?

iO™ DMARC keeps every DKIM selector visible in one dashboard, handles key generation and rotation, and tracks alignment per sender so signatures do not quietly start failing.

See How iO™ DMARC Handles DKIM
Free DKIM record review
Full SPF, DKIM, and DMARC setup
Ongoing monitoring included