DKIM Checker and Validator

Tag	Value
{{ key }}	{{ val }}

DKIM Checks
{{ c.label }}

DomainKeys Identified Mail (DKIM) is an email-authentication method that attaches a cryptographic signature to every message. The recipient validates this signature with a public key published in DNS. A successful match confirms domain identity, deters tampering, and works alongside SPF and DMARC to protect brand reputation and inbox deliverability.

DKIM Checker and Validator lets you fetch and examine a domain’s DKIM record instantly. Enter the domain and selector; the utility retrieves the TXT value by DNS-over-HTTPS, parses each tag, and applies compliance checks that flag weak key lengths, syntax mistakes, and test flags. The tool simplifies routine audits and accelerates troubleshooting.

Validated DKIM records reduce delivery failures, prevent spoofing complaints, and satisfy security policies demanded by receiving platforms. Rapid insight into key length and configuration helps you upgrade 1024-bit keys to stronger 2048-bit pairs and remove forgotten test settings before they harm sender reputation or block marketing campaigns.

No data is transmitted or stored server-side.

Technical Details:

The tool runs entirely in your browser and performs each validation step in real time.

Queries Cloudflare’s DNS-over-HTTPS endpoint for reliable TXT lookups.
Executes all logic client-side; nothing is logged or stored remotely.
Parses tag–value pairs into a responsive table for quick scanning.
Generates a pass/fail checklist covering version, key type, length, and flags.
Displays raw record, TTL, and lookup latency for deeper analysis.
Accepts custom selectors, enabling sub-domain and multi-key audits.
Adapts layout for mobile screens using Bootstrap utilities.
Uses Font Awesome icons to visualise compliance at a glance.

Step-by-Step Guide:

Follow these steps to validate any DKIM record.

Type the base domain (for example, example.com) in the Domain field Tip.
Enter the selector or keep default unchanged for common setups.
Click Validate; the button shows a spinner while querying DNS.
Review the raw DKIM record and DNS TTL shown in the blue information box.
Scan the tag table to verify v, p, k, and other values.
Check the pass/fail list; red items need attention, green items meet guidelines.
Adjust the selector or domain and repeat to audit additional keys.

FAQ:

The answers below clarify common questions.

What is a DKIM selector?

The selector identifies which public key to retrieve from DNS. You can host multiple selectors to rotate or segment keys across services.

Why does the tool flag keys shorter than 2048 bits?

Keys under 2048 bits are now considered weak and are discouraged by major inbox providers. Rotate to 2048-bit or longer keys to maintain deliverability.

Can I test sub-domain keys?

Yes. Enter the full sub-domain (for example, mail.example.com) with its corresponding selector to validate that specific record.

Does the tool send my data anywhere?

No. All processing happens locally. Only the DNS request is sent to Cloudflare to fetch a public key that is already public by nature.

How often should I rotate DKIM keys?

Rotate keys at least annually or immediately after a suspected compromise. Frequent rotation maintains security without disrupting email flow.

Troubleshooting:

Use this checklist when something looks wrong.

Lookup failed – Confirm the domain is typed correctly and reachable.
No record found – Verify that the selector exists in DNS and propagation is complete.
Key too short – Generate a 2048-bit key pair and publish the new public key.
Test flag set – Remove t=y in production to avoid receiving-server warnings.
Mixed-case tags – Keep tag names lowercase to satisfy strict parsers.

Advanced Tips:

Go beyond basic checks with these expert practices.

Automate daily DKIM validation in CI pipelines using the tool’s query logic.
Store historical records to track key-length upgrades across domains.
Align DKIM rotation schedules with SPF and DMARC policy reviews.
Use unique selectors for third-party senders to simplify revocation.
Combine results with DMARC aggregate reports to pinpoint broken signatures.