DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing emails, allowing receiving servers to verify that the email was genuinely sent by your domain and has not been modified in transit. Our free DKIM verifier checks your DKIM DNS records, validates key configuration, and ensures your email signing is properly set up.
Comprehensive analysis powered by Vysiro's scanning engines
DKIM selector discovery and lookup
Public key extraction and validation
Key length analysis (1024 vs 2048-bit)
Key type verification (RSA, Ed25519)
Hash algorithm check (SHA-256)
Common selector testing (google, selector1, etc.)
Key rotation status detection
DKIM signature alignment check
Get results in seconds with our automated scanning process
Enter your domain name and optional DKIM selector
We test common selectors (google, selector1, selector2, default, dkim)
Each discovered selector's public key is extracted and validated
We analyze key type, length, and algorithm strength
Key rotation readiness is assessed
You receive a full DKIM configuration report
Everything you need to know about dkim record verifier
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic signature to outgoing emails. The receiving server looks up the public key in DNS to verify the signature, confirming the email was sent by the claimed domain and was not altered in transit.
A DKIM selector is a string used to locate the public key in DNS. The full DNS query is selector._domainkey.yourdomain.com. Different selectors allow you to use multiple keys for different email services (e.g., Google uses 'google' as a selector).
Use at least 2048-bit RSA keys for DKIM signing. While 1024-bit keys are still common, they are considered weak and some receivers may flag them. Vysiro recommends 2048-bit RSA or Ed25519 for the strongest security.
Check your email service provider's documentation. Common selectors include 'google' (Google Workspace), 'selector1' and 'selector2' (Microsoft 365), 'default' (many providers), and 'dkim' (generic). Our tool automatically tests common selectors for you.
Common DKIM failures include: missing DNS record, incorrect selector, key mismatch between signing and DNS, message modification by forwarding servers, expired keys, or DNS update delays. Our tool helps identify the specific issue.
Rotate DKIM keys every 6-12 months as a security best practice. Use a new selector for each key rotation to allow old keys to remain valid during the transition period. Vysiro can automate key rotation monitoring and alerts.
Continue your domain security analysis
Analyze DMARC records and email authentication policies instantly.
Use toolValidate SPF records, check DNS lookup limits, and resolve include chains.
Use toolParse and analyze email headers for routing, authentication, and delays.
Use toolGet an instant composite trust score (0-1000) across 29 security categories.
Use toolGet continuous monitoring, automated fixes, proof packs, and API access. Protect your domains with Vysiro's agentless attack-surface monitor.