| Field | Value |
|---|---|
| {{ row.label }} | {{ row.value }} |
| Tag | Value | Meaning |
|---|---|---|
| {{ row.tag }} | {{ row.value }} | {{ row.meaning }} |
| Check | Status | Notes |
|---|---|---|
| {{ row.label }} | {{ row.status }} | {{ row.note }} |
A DomainKeys Identified Mail, or DKIM, record is the DNS entry that tells receiving mail systems which public key belongs to a sending domain's selector. When that record is missing, weak, or still marked for testing, valid signatures can fail or an old key can linger longer than you expect. This validator looks up the published record and turns it into readable checks.
That matters most during first rollout and key rotation. A control panel can say DKIM is enabled while public DNS still answers with an older TXT value, a delegated alias, or a record that does not match the policy you meant to publish. Here the output is tied to the hostname that receivers can actually query.
A typical use case is checking a selector after moving from one mail provider to another. The tool assembles the full owner name, follows a published alias when one exists, and reports the version tag, key family, estimated key size, service and hash restrictions, cache time, and resolver status in one place.
That makes it easier to catch quiet publication problems before they turn into deliverability questions. If the record still carries t=y, if the hash list does not mention SHA-256, or if an RSA key sits in the older 1024-bit range, the warning appears immediately instead of hiding inside raw DNS output.
A strong result does not mean mail is currently signed, aligned, or accepted everywhere. This page reads DNS publication only. It does not inspect a live message, evaluate SPF or DMARC behavior, or prove that every resolver has dropped an earlier cached answer.
If you are checking a normal deployment, start with the selector your mail provider gave you and leave Resolver on Auto. Before you trust the rest of the page, make sure the generated FQDN matches the hostname in your provider's instructions. A single selector typo can make the whole lookup look broken.
DKIM Overview first. If Raw Record is empty or DNS Status is not 0 (NOERROR), the later checks are not the main problem yet.Tags when you want to compare the parsed record with vendor documentation or a zone-file export.Validation Checks as quick triage. A high pass count means the published record looks internally consistent, not that every message path is healthy.TTL, Resolver Used, and CNAME Target before you edit DNS. Those fields often explain propagation or delegation issues.The common misread is treating No DKIM record found as proof that DKIM itself is misconfigured. Often the record exists under a different selector, a provider has delegated the lookup through an alias, or caches have not converged after a change. When CNAME Target appears, compare that target with your provider's published hostname before you touch the TXT value.
Before you move on, check that Key Bits (p), Flags (t), and Hash Algos (h) still match the policy you intended to publish.
DKIM key records live at a DNS owner name shaped like selector._domainkey.domain. The record is a semicolon-separated tag list where v identifies the record type, p holds the public key, and optional tags such as k, h, s, and t refine how that key is meant to be used. Receiving systems use those published tags while checking message signatures, but this tool stays focused on the published key record itself.
The lookup path is straightforward and visible. The page builds the owner name from Domain and Selector, asks the chosen DNS-over-HTTPS resolver for a CNAME answer first, and then requests TXT at the alias target or at the original owner name when no alias exists. Long TXT answers are concatenated into one string before parsing, which matters because DKIM public keys are often split across multiple quoted fragments in DNS.
After parsing, the tool estimates Key Bits (p) from the Base64 text length instead of decoding the key structure. That is good enough for rough policy checks and for spotting obviously weak RSA publications. It also records TTL, lookup time, DNS Status, DNSSEC AD, and Resolver Used, so you can separate a genuinely bad record from propagation or resolver differences.
Those diagnostics matter because DKIM publication is sensitive to cache state. One resolver may still serve an older answer while another already sees the new key, and a delegated alias can move the real TXT record somewhere you were not expecting. That is why the page exposes the full chain of what it asked and what it received instead of reducing everything to one opaque score.
The pass or fail logic is deliberately narrow. It checks publication quality signals that administrators commonly want to confirm during rollout, not every nuance of the DKIM specification.
| Check | Passes when | Why it matters |
|---|---|---|
| Record present | v or p is present |
Confirms the lookup returned something that resembles a DKIM key record. |
| Version tag | v=DKIM1 |
Matches the expected DKIM key-record version. |
| Public key | p is non-empty |
Without a public key, there is nothing useful for receivers to verify against. |
| Allowed service | s is blank or contains email or all |
Reflects the package's quick service check for mail use. |
| Hash algorithms | h is blank or contains sha256 |
Highlights whether the record advertises a modern hash option. |
| Test flag | t does not contain y |
Flags a common rollout setting that many domains do not want to leave published. |
| Key family | Ed25519 when k says ed25519, otherwise RSA |
Determines which size rule the package applies next. |
| Minimum size | RSA is >= 1024 bits, or Ed25519 is exactly 256 bits |
Separates obviously weak or malformed publications from acceptable ones. |
| Recommended size | RSA is >= 2048 bits |
Marks the stronger RSA target encouraged by current operational guidance. |
The size estimate is a fast publication check, not a deep key parser. The package converts Base64 text length into an approximate byte count and then into bits.
| Symbol | Meaning | Unit |
|---|---|---|
L |
Length of the sanitized Base64 text from p |
characters |
bits |
Estimated key size shown as Key Bits (p) |
bits |
If the cleaned p value is 342 characters long, the estimate becomes 8 * floor(3 * 342 / 4) = 2048 bits. That is accurate enough for the package's threshold checks, but it should not be mistaken for a full cryptographic inspection of the key material.
| Output field | What it tells you | When it matters most |
|---|---|---|
Raw Record |
The concatenated TXT value the page actually parsed | Use it first when the parsed tags look surprising. |
DNS Status |
Resolver return code such as NOERROR or NXDOMAIN |
Helps separate bad publication from lookup failure. |
CNAME Target |
Alias followed before TXT lookup, when present | Important with hosted providers and delegated selectors. |
TTL |
Resolver-reported cache lifetime | Useful when answers differ during key rotation. |
DNSSEC AD |
Whether the resolver marked the answer as authenticated | Raises confidence in DNS integrity, not in mail-flow correctness. |
Checks |
Package-specific pass count over the rule list above | Good for triage, but not a deliverability grade. |
Use the page as a publication check, then decide whether the problem is the record itself or the path to the record.
Domain and Selector. The read-only FQDN should immediately show the exact owner name you expect to exist in DNS.Resolver on Auto. Open Advanced and pick Cloudflare, Google, Quad9, or OpenDNS only when you are comparing resolver behavior.Validate or turn on Auto validate. A successful lookup fills DKIM Overview; a failed one shows Domain is required, No DKIM record found, or Lookup failed.DKIM Overview, read Raw Record, DNS Status, Resolver Used, CNAME Target, and TTL before you focus on pass counts.Validation Checks and compare Key Bits (p), Flags (t), and Hash Algos (h) with the policy you meant to publish. If the record is RSA and the size line misses the recommended threshold, plan a rotation even if the minimum still passes.FQDN first. Correct the selector, wait out a short TTL, or verify the alias in CNAME Target. When the record looks right but behavior is still odd, use JSON to inspect the raw DNS response.The first question is whether the page actually retrieved a record. If Raw Record is present and DNS Status is 0 (NOERROR), the rest of the output is describing a real published answer rather than a guess.
Key Bits (p) >= 2048 is the stronger target, 1024 <= Key Bits (p) < 2048 is older but still above the tool's minimum, and Key Bits (p) < 1024 fails the size rule.Flags (t) contains y, the record still advertises test mode. That can be intentional during rollout, but many production domains will want to remove it later.DNSSEC AD = Yes increases confidence in the DNS answer from that resolver. It does not prove that outbound messages are signed, aligned, or passing DMARC.CNAME Target is populated or TTL is short, treat mismatched answers as a propagation question first. Verify the alias target and requery after caches have had time to expire.A domain owner checks a live selector after finishing provider setup. DNS Status returns 0 (NOERROR), Raw Record contains v=DKIM1; k=rsa; p=..., Key Bits (p) lands at 2048, and Checks shows 9 out of 9. That is the profile you want for a conventional RSA deployment: the record exists, the version is right, the key is present, and the stronger RSA threshold is met.
Another selector returns a valid RSA record, but Key Bits (p) comes back as 1024 and Checks stops at 8 out of 9. Nothing here says the record is unreadable; it says the publication is still on an older key size that misses the package's recommended threshold. The right follow-up is to schedule key rotation, not to assume the TXT syntax is broken.
An administrator types newsletter instead of the provider's actual selector and clicks Validate. The page shows No DKIM record found, Raw Record stays empty, and there is no useful pass count yet. The corrective path is to compare the generated FQDN with the provider document, then check whether the provider expected an alias under CNAME Target or whether the change is still inside the published TTL.
No. A passing result means the published key record looks healthy. It does not inspect a live message, verify a DKIM-Signature header, or test SPF and DMARC alignment.
Key Bits (p) look a little rough?Because the page estimates size from the Base64 length in p. That is enough for the tool's threshold checks, but it is not a full parser for the underlying key structure.
No DKIM record found even after enabling DKIM?The usual causes are a wrong selector, a delegated hostname you were not expecting, or cache propagation after a recent change. Check FQDN, CNAME Target, and TTL before changing the TXT content again.
The browser sends the owner-name query to the selected DNS-over-HTTPS resolver. The page does not upload message bodies, attachments, or private keys.
s tag that narrows intended service use.