Look up a DKIM selector, validate the DKIM DNS TXT record, inspect the public key and check key type, strength and revocation status.
DKIM (DomainKeys Identified Mail) lets a sending server sign outgoing mail with a private key. This DKIM record checker looks up the matching public key is published in DNS as a TXT record at <selector>._domainkey.<domain> , so receivers can verify the signature and confirm the message wasn't altered in transit.
The selector is the part you have to know — a domain can publish many keys (one per provider, or rotated over time), each under its own selector. There's no way to list them from DNS, so you supply the selector printed in a message's DKIM-Signature: header (the s= tag) or in your mail provider setup screen.
The record itself is a set of tag=value pairs: v=DKIM1 (version), k (key type — rsa or ed25519), and p (the Base64 public key). An empty p= means the key was revoked. Prefer 2048-bit RSA or Ed25519 — 1024-bit keys still validate but are considered weak.
This tool validates the DKIM DNS record and public key. It does not verify a specific email message signature; that requires the original message headers and body.
A DKIM record checker looks up the public key published at selector._domainkey.domain. It validates the DKIM DNS TXT record, parses tags such as v, k, and p, and checks whether the public key is present and usable.
A selector identifies which DKIM key a mail system used to sign a message. You can find it in the s= tag of a DKIM-Signature header or in your mail provider setup instructions.
The selector may be wrong, the record may not have propagated, or the TXT value may be published at the wrong hostname. The expected hostname is selector._domainkey.example.com.
No. This tool checks the DKIM DNS record and public key. It does not verify a full email message signature because that requires the message headers and body.