Is your DKIM record valid?

Enter a domain (and optionally the selector) to validate its DKIM public key: does it exist, is the key strong enough, has it been revoked. If you don't know the selector, we'll probe the ones major providers use.

Frequently asked questions

What is a DKIM selector?
A selector is the label that tells receivers where to find your DKIM public key in DNS: the key lives at selector._domainkey.yourdomain.com. Your email provider assigns it: Google uses "google", Microsoft 365 uses "selector1" and "selector2", Mailchimp uses "k1".

How do I find my DKIM selector?
Look in your email provider's DNS setup instructions. The selector is the part before ._domainkey in the record they asked you to add. You can also open any email you've sent, view the original/raw message, and find the s= tag in the DKIM-Signature header.

What key length should DKIM use?
2048-bit RSA is the current standard. 1024-bit keys still verify but are being phased out; anything shorter is considered breakable and many receivers ignore it entirely.
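
The checks described in the answers above, as an added Python example (not this tool's own code): derive the DNS name from a DKIM-Signature header's s= and d= tags, then classify a key record as revoked (empty p=), too short, weak or ok using the key-length thresholds above. The function names, result labels and sample values are assumptions made for the illustration; the sample records are constructed and do not contain usable keys.

```python
import base64

def parse_tags(text):  # split a DKIM tag=value list (DNS record or header value)
    pairs = (part.split("=", 1) for part in text.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def query_name(signature_value):  # DNS name of the key: <s=>._domainkey.<d=>
    tags = parse_tags(signature_value)
    return f"{tags['s']}._domainkey.{tags['d']}"

def _tlv(buf, pos=0):
    """Read one DER element; return (value_bytes, next_position)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return buf[pos:pos + length], pos + length

def rsa_bits(spki):  # modulus size of the RSA SubjectPublicKeyInfo carried in p=
    outer, _ = _tlv(spki)
    _, after_alg = _tlv(outer)            # skip AlgorithmIdentifier
    bitstring, _ = _tlv(outer, after_alg)
    rsa_key, _ = _tlv(bitstring[1:])      # drop the unused-bits byte
    modulus, _ = _tlv(rsa_key)
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt):
    tags = parse_tags(txt)
    if "p" not in tags:
        return "invalid"
    if not tags["p"]:
        return "revoked"                  # an empty p= marks a revoked key
    if tags.get("k", "rsa") != "rsa":
        return "non-rsa"                  # key length rule below is RSA-only
    bits = rsa_bits(base64.b64decode(tags["p"]))
    return "ok" if bits >= 2048 else "weak" if bits >= 1024 else "too-short"

def _der(tag, body):  # DER-encode one element (only used to build the sample)
    size = len(body)
    lb = size.to_bytes((size.bit_length() + 7) // 8, "big")
    head = bytes([size]) if size < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + body

def constructed_record(bits):  # constructed sample: right-sized modulus, not a real key
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_key = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

SAMPLE_SIGNATURE = "v=1; a=rsa-sha256; d=example.com; s=selector1; bh=AAAA; b=BBBB"
```

To check a live domain, pass the TXT value returned for query_name(...) to check_record(...); long keys are usually split across several quoted strings in DNS, which must be concatenated first.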

Why does DKIM matter for DMARC?
DMARC passes if either SPF or DKIM passes with a domain that aligns with your From address. DKIM is the more durable of the two (it survives forwarding, where SPF breaks), so a healthy DKIM setup is what keeps legitimate forwarded mail deliverable once you enforce a strict DMARC policy.