DKIM Record Validator
Check a DKIM selector's public key record, algorithm and key length.
About this tool
DKIM (DomainKeys Identified Mail) lets your mail server sign outgoing messages with a private key while publishing the public key in DNS at selector._domainkey.yourdomain.com. Enter the selector and domain and this tool fetches the record, decodes the public key and reports the algorithm, key length and overall status.
Common selectors include default, google (Google Workspace), selector1/selector2 (Microsoft 365), k1 (Mailchimp) and s1/s2 (SendGrid). The selector used by your mail is shown in the s= tag of the DKIM-Signature header.
Frequently asked questions
How do I find my DKIM selector?
Send yourself an email and view the raw headers. The DKIM-Signature header contains s=<selector> and d=<domain>. Your email provider's documentation also lists the selectors it uses.
Is a 1024-bit DKIM key still acceptable?
1024-bit keys still validate but are considered weak; 2048-bit RSA is the recommended standard. Some DNS panels require splitting a 2048-bit record into two quoted strings — that is normal and resolvers join them automatically.
What does an empty p= tag mean?
A p= tag with no value means the key has been revoked. Receivers treat signatures referencing it as invalid. Publish a new key (ideally under a new selector) to restore DKIM signing.