Finds your DKIM selectors automatically

Free tool

DKIM checker

Find and verify any domain's DKIM records, no selector required

Free DKIM checker for any domain. Enter a domain and we auto-discover its DKIM selectors so you don't need to already know the name. See every key we find, its type and strength, and whether it is active, revoked, or misconfigured.

Enter a domain. Add a selector if you already know it; otherwise we auto-discover common ones.

The check runs in your browser via DNS-over-HTTPS. We never see message content or private keys. If we find an active selector, its name and public key metadata may be stored to speed up future checks and power domain monitoring.

How to use this DKIM checker

Three steps from a domain name to a confident answer about its DKIM setup.

  1. 1

    Enter a domain

    Type any domain into the form above. If you already know the selector, add it too for a direct check.

  2. 2

    Run the check

    With a selector, we check it directly. Without one, we fingerprint the domain's email provider and try roughly 125 common selector names via DNS-over-HTTPS from your browser.

  3. 3

    Read the verdict, keys, and any gaps

    Each selector found is graded: active, weak, test mode, revoked, or broken. Expected-but-missing selectors are called out by provider so you know exactly what to turn on.

What you can learn from a DKIM check

A DKIM check answers questions a DMARC or SPF check alone cannot. Use it to:

  • Confirm DKIM signing is actually turned on after connecting Google Workspace, Microsoft 365, or an ESP.
  • Find the selector name a provider used, without digging through raw email headers.
  • Catch a broken CNAME delegation, the most common Microsoft 365 DKIM failure.
  • Spot a weak or outdated key before a receiver starts rejecting it.
  • Verify a key was revoked correctly after rotating away from a compromised selector.
  • Audit a vendor or partner's DKIM setup before trusting mail sent on their behalf.

Understanding DKIM

What is a DKIM selector?

A selector is the label in a domain's DNS that points to one specific DKIM public key, published as a TXT record at {selector}._domainkey.{domain}. Selectors let a domain run more than one key at a time, for example one per sending platform, and rotate a key without touching any other selector.

Why some DKIM records are CNAMEs

Microsoft 365 and several other providers publish DKIM selectors as CNAME records pointing to a hostname the provider controls, rather than a direct TXT record. This lets the provider rotate the underlying key without the domain owner touching DNS. It also means a broken or deleted CNAME target silently disables DKIM until someone checks it.

1024-bit vs 2048-bit keys

RFC 8301 sets the floor: receivers must reject any DKIM key under 1024 bits. 1024-bit RSA keys still work but are considered weak against modern factoring attacks; 2048 bits or longer is the current recommendation for new keys. Ed25519 keys (RFC 8463) achieve equivalent strength at a fixed 256 bits using different cryptography.

Rotating a DKIM key

Rotating means publishing a new selector with a new key, switching the sending platform to sign with it, and only then revoking the old selector by emptying its p= tag. Revoking the old key before the new one is confirmed working breaks signing entirely, so the two steps should never happen in the same change.

Why some providers hide the selector

Amazon SES and Salesforce Marketing Cloud generate a random selector name for each domain you verify, such as a long hexadecimal label. There is no fixed name to guess and no dictionary that covers them, so a checker cannot confirm the key exists by probing. That is why this tool reports 'undetectable' rather than 'no DKIM' for those providers: the key is almost certainly there under a name only the platform knows. To see it, open the provider's DNS or sending dashboard, or paste a real message into the email header analyzer, which reads the selector straight from the DKIM-Signature header.

Frequently asked questions

What is DKIM?
DKIM (DomainKeys Identified Mail, RFC 6376) lets a sending domain cryptographically sign outgoing email. The public key is published as a DNS TXT record; the private key signs each message. A receiving server fetches the public key and verifies the signature, which confirms the message was not altered in transit and really was sent by a server holding that domain's private key.
What is a DKIM selector?
A selector is the label that tells a receiver which DKIM public key to fetch for a given signature. The DNS record lives at {selector}._domainkey.{domain}, so a selector named "google" for example.com publishes its key at google._domainkey.example.com. Domains can run several selectors at once and rotate between them.
How do I find my domain's DKIM selector?
The selector is not published anywhere on its own. It appears in the s= tag of a DKIM-Signature header on a message the domain actually sent, or in your email provider's setup documentation. This tool sidesteps that by fingerprinting your provider from your MX and SPF records and dictionary-probing roughly 125 selector names providers commonly use.
Why did my DKIM check show 'no active key'?
That verdict means we found at least one DKIM selector, but every one of them is unusable: an empty p= tag (a revoked key), an invalid record, or a CNAME that no longer resolves. Functionally this is the same as having no DKIM at all until the key is fixed or rotated.
Is a 1024-bit DKIM key secure enough?
RFC 8301 requires receivers to reject any DKIM key shorter than 1024 bits, treats 1024-bit RSA as acceptable for now but weak, and recommends 2048 bits or longer for new keys. Ed25519 keys (RFC 8463) use 256-bit keys with different math and are considered strong at that size.
Why does DKIM show 'undetectable' instead of a pass or fail?
Some providers, notably Amazon SES and Salesforce Marketing Cloud, generate random per-domain selector names that cannot be guessed or dictionary-probed. When we fingerprint one of these providers and find nothing, we report 'undetectable' rather than 'no DKIM' because the key may well exist under a selector we cannot predict. Check the sending platform's dashboard, or run our email header analyzer on a real message to see the selector it actually used.
Is this DKIM checker free?
Yes. The DKIM checker is completely free with no signup required. The check runs in your browser using public DNS-over-HTTPS resolvers, so nothing about the domain you check is stored on our servers unless a selector is found, in which case only the selector name and public key metadata may be kept to speed up future checks.