Know your selector (e.g. google, selector1)? Enter it. Otherwise we probe the common provider selectors automatically.
How DKIM proves your mail is genuine
DKIM is the cryptographic half of email authentication. Your mail platform signs each outgoing message with a private key; the matching public key lives in your DNS. A receiving server fetches that key, checks the signature, and knows the message genuinely came from your domain and wasn’t tampered with on the way.
Sign with the private key; verify with the public key published in DNS.
Selectors — and why we probe them
Because the public key lives at selector._domainkey.yourdomain.com, you need the selector to find it — and every platform names theirs differently. Google Workspace uses google, Microsoft 365 uses selector1 and selector2, Mailchimp uses k1, and so on. If you don’t know yours, the tool above probes the common ones automatically; if you do, enter it for a definitive check.
Key strength and rotation
Use at least a 2048-bit RSA key — 1024-bit is weak and worth rotating, which the checker flags. Rotating keys periodically (publishing a new selector, switching to it, then retiring the old one) is good hygiene, and an empty public key signals a revoked selector that will cause failures.
DKIM is one leg of three
DKIM survives forwarding where SPF doesn’t, but neither protects your visible From address without an enforced DMARC policy on top, with SPF underneath. The Email Security Checker shows all three together.
🛡️ DKIM not signing correctly? Servnet configures DKIM across Microsoft 365, Google Workspace and your sending platforms as part of managed email security.
DKIM — common questions
What is DKIM?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message your mail platform sends. The matching public key is published in your DNS at selector._domainkey.yourdomain.com, so a receiving server can verify the message really came from you and wasn’t altered in transit.
What is a DKIM selector?
A selector is a label your mail platform picks so it can publish more than one key (for rotation or multiple services). The DNS record lives at selector._domainkey.yourdomain.com — for example google._domainkey, selector1._domainkey (Microsoft 365) or k1._domainkey (Mailchimp). If you don’t know yours, this tool probes the common ones automatically.
How do I find my DKIM selector?
It’s shown in your mail platform’s DKIM/authentication settings (Google Workspace, Microsoft 365, your ESP). You can also read it from the d= and s= tags of the DKIM-Signature header in any email you’ve sent. Enter it above to verify the published key directly.
What key length should DKIM use?
2048-bit RSA is the modern minimum. 1024-bit keys are considered weak and should be rotated — this checker estimates the key size and flags 1024-bit. Some providers now offer Ed25519 keys, which are short but strong; we detect those too.
What does a revoked DKIM key mean?
If a selector is published but its public key (the p= tag) is empty, that signals a revoked key — receivers will fail signatures made with it. Either re-publish the correct public key from your mail platform, or remove the selector if it’s no longer used.
Why does the all-in-one checker say no DKIM but this one finds it?
The all-in-one Email Security Checker probes a fixed list of common selectors to stay fast. If your provider uses a custom selector, enter it here for a definitive answer — that’s exactly what this dedicated tool is for.
Is DKIM enough on its own?
No. DKIM proves a message wasn’t tampered with, but only an enforced DMARC policy ties that result to your visible From domain and tells receivers what to do on failure. Run the DMARC and SPF checkers alongside this one.