DNS Studio tool

Check DKIM records clearly.

Look up a DKIM selector, read the key, and see whether your email signing is set up correctly — in plain English or full technical detail.

30 common selectors100% client-sideEasy & Tech modes

Leave the selector blank to sweep 30 common selectors.

More DKIM Studio checks

What this check means

DKIM (DomainKeys Identified Mail) lets a domain put a cryptographic signature on the email it sends. The receiving server fetches the domain’s public key from DNS and uses it to confirm two things: the message genuinely came from that domain, and it was not altered on the way. The public key lives in a TXT record at a name built from a selector — for example selector1._domainkey.example.com.

This tool reads that record for you. Give it a domain and a selector and it fetches the exact record, decodes the public key, and measures the key length. Leave the selector blank and it sweeps 30 selectors commonly used by mail providers and reports every key it finds. Everything runs in your browser over DNS-over-HTTPS — we never see the domains you check.

The verdicts follow one simple rule set: a valid record with a 2048-bit or stronger key is Passed; a working but weaker key — typically 1024-bit — is a Warning; a record that cannot verify mail (bad key data, or a key below the minimum receivers accept) is Failed; and if nothing is published at the name, the result is Not found.

Common DKIM issues

How to fix them

Most fixes follow the same path: generate a fresh key, publish it under a new selector, point your mail server or sending service at it, and confirm with a check. Our record generator creates the key pair in your browser and gives you the exact TXT record to paste into your DNS host. If you use a provider such as Google Workspace or Microsoft 365, the provider generates the key and tells you which records to publish — the checker here confirms you published them correctly.

When replacing a key, do not delete the old record straight away. Mail signed minutes before the switch still needs the old key to verify. The safe sequence is covered step by step in how to rotate DKIM keys.

Technical reference

A DKIM key record is a TXT record of tag=value pairs separated by semicolons (RFC 6376 §3.6.1). The tags this tool parses:

Tag Meaning Notes
v Version Recommended; must be DKIM1 and first if present.
k Key type rsa (default) or ed25519 (RFC 8463).
p Public key Base64. Required; an empty value means the key is revoked.
t Flags y = testing mode, s = strict domain match.
s Service type Must include email or * (the default).
h Hash algorithms Restricts acceptable hashes, e.g. sha256.

Key length is measured by base64-decoding the p= value and walking the DER structure to the RSA modulus, whose exact bit length is reported. If the key data does not parse as standard DER, the tool falls back to an estimate based on the data’s size and labels it as estimated. Ed25519 keys are always 256-bit by construction.

Related tools

DKIM is one of three signals receivers combine to authenticate mail. Check your SPF and DMARC records with the email DNS validator on dns.studio, and run a combined deliverability check — including BIMI logo records — at bimi.studio. For how the three standards fit together, read DKIM vs SPF vs DMARC.

Client-side lookups No data storage Privacy