MedhaCloud

DKIM Checker

About DKIM Checker

This tool auto-discovers DKIM selectors used by Google, Microsoft 365, Mailchimp, SendGrid, Mailgun, Klaviyo, and 15+ other ESPs (20+ selectors tried in parallel). For each selector found, it fetches the public key, validates RSA bit length, and flags missing or revoked keys.

How the DKIM check works

Selector discovery + public key validation

01

Auto-discover selectors

We query 20+ common selectors (google, selector1/2, k1, s1, mg, smtp, mail, default, etc.) in parallel against your domain. Most domains expose multiple keys for different vendors.

02

Fetch and validate

For each selector found, we parse the v=DKIM1 / k=rsa / p=… fields. We validate the RSA key length, detect revoked keys (empty p=), and surface malformed records.

03

Report per-selector status

We list every active selector with its hostname, key length, and status. If no selector is found, we suggest where to look in your vendor admin portal.

Common DKIM errors this catches

Why DKIM fails to authenticate your mail

No DKIM record at any selector

Domain has no DKIM key published. Gmail and Yahoo started requiring DKIM in Feb 2024 for bulk senders. Without DKIM, deliverability drops sharply.

M365: DKIM not enabled (default state)

Microsoft 365 ships with DKIM disabled. You must manually enable it in security.microsoft.com → Email & collaboration → Policies → DKIM. Common gap on freshly-migrated tenants.

Revoked key (empty p= value)

An empty p= tag (p=; or p= with nothing after it) means the key was revoked but the record was never removed. Receivers treat this as a hard fail. Remove the DNS record entirely or rotate to a new selector.

Selector mismatch with email signature

You have a key published at selector1._domainkey but your mail server signs with s=mail. Signatures fail because receivers cannot find the matching public key. Sync vendor config with DNS.

DNS record split incorrectly

Long DKIM TXT records often need to be split into multiple strings. Some DNS providers join them wrong, mangling the key. The checker validates the assembled public key end-to-end.

Stale keys for retired vendors

You stopped using Mailgun two years ago but mg._domainkey is still in DNS. This is not a security issue, but it adds noise to authentication reports.
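The "Fetch and validate" step and the revoked-key and split-record errors above, as an added example that is not MedhaCloud's code: it joins the TXT strings, parses the tags, detects an empty p=, and reads the RSA modulus length out of the decoded key. Function names, status labels, the 2048-bit threshold and the sample key builder are assumptions made for this illustration, and it works on TXT strings you have already fetched, so it runs offline.

```python
import base64

def parse_tags(txt_strings):  # join the TXT character-strings, then split tag=value pairs
    pairs = (p.split("=", 1) for p in "".join(txt_strings).split(";") if "=" in p)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _tlv(buf, pos, want):  # read the DER element at pos; return (value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want or pos + length > len(buf):
        raise ValueError("unexpected or truncated DER element")
    return pos, pos + length

def rsa_bits(der):
    """Modulus bit length of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    start, _ = _tlv(der, 0, 0x30)          # outer SEQUENCE
    _, end = _tlv(der, start, 0x30)        # AlgorithmIdentifier (skipped)
    start, _ = _tlv(der, end, 0x03)        # BIT STRING wrapping RSAPublicKey
    start, _ = _tlv(der, start + 1, 0x30)  # RSAPublicKey, after the unused-bits byte
    start, end = _tlv(der, start, 0x02)    # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def check_record(txt_strings):
    """Return (status, bits) for one selector's TXT record."""
    tags = parse_tags(txt_strings)
    if "p" not in tags or tags.get("v", "DKIM1") != "DKIM1":
        return ("malformed", None)
    if tags["p"] == "":
        return ("revoked", None)          # empty p= means the key was revoked
    if tags.get("k", "rsa") != "rsa":
        return ("non-rsa", None)          # the bit-length check applies to RSA only
    try:
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):      # bad base64, or a mangled/truncated key
        return ("malformed", None)
    return ("ok" if bits >= 2048 else "short", bits)  # threshold is this example's choice

def _enc(tag, body):  # minimal DER encoder, used only to build the constructed sample
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_p(bits):  # constructed p= value, not a usable key: n = 2^(bits-1)+1, e = 65537
    mod = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = _enc(0x30, _enc(0x02, mod) + _enc(0x02, b"\x01\x00\x01"))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption AlgorithmIdentifier
    return base64.b64encode(_enc(0x30, alg + _enc(0x03, b"\x00" + rsa))).decode()
```

Passing only the first string of a split record, or a value where the provider left literal quotes between the strings, comes back as malformed rather than as a shorter key.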

FAQ

DKIM checker — common questions

What is a DKIM record?
DKIM (DomainKeys Identified Mail) is a DNS TXT record that publishes a public key for verifying email signatures. When you send mail, your mail server cryptographically signs the message with a private key; receivers fetch the matching public key from your DKIM record and verify the signature. A passing DKIM check proves the email was sent by your domain and was not modified in transit.
What is a DKIM selector and why does it matter?
A DKIM selector is the prefix of the DKIM DNS record — for example, "google._domainkey.example.com" uses selector "google". Each mail vendor uses its own selector: Google uses google, Microsoft 365 uses selector1 and selector2, Mailchimp uses k1, SendGrid uses s1 and s2. Our DKIM checker auto-tries 20+ common selectors so you don't have to guess which one your domain uses.
Why is my DKIM record missing?
Common reasons: (1) DKIM was never configured at the vendor — Microsoft 365 requires you to manually enable DKIM signing per domain in the security portal, (2) wrong selector — you have keys but they're published under a non-standard selector our auto-detect missed, (3) keys were generated but DNS records were never published, (4) old vendor decommissioned and DKIM keys removed from DNS. Always verify both: vendor portal AND DNS.
Should I use RSA-1024 or RSA-2048 for DKIM keys?
RSA-2048 is the current recommendation. RSA-1024 is still considered secure but is increasingly deprecated by major receivers. New deployments should use 2048-bit keys. If your DNS provider truncates long records, you may need to split the key across multiple strings — most DNS providers handle this automatically now.
How often should I rotate DKIM keys?
Annually is a reasonable cadence for high-security domains. Less critical domains can rotate every 2-3 years. To rotate without downtime: (1) generate a new key with a new selector, (2) publish the new DNS record, (3) switch mail servers to sign with the new key, (4) wait 7-14 days for in-flight messages to be verified, (5) remove the old DNS record. Many vendors (Microsoft 365, Google) provide one-click key rotation in their admin portals.
