EmailAudit.io

DKIM Validator

Detect DKIM signing keys across 50+ common selectors, or enter your own selector for an exact check.

What is DKIM?

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to outgoing emails, allowing receiving servers to verify the message was sent by an authorised server and was not altered in transit. Without DKIM, emails are more likely to be flagged as spam.

How This Checker Works

We probe 50+ common DKIM selectors (google, selector1, selector2, k1, sendgrid, etc.) and automatically detect your mail provider from MX records to prioritise the right selectors. If your domain uses a custom selector, you can enter it directly for an exact verification.

Frequently Asked Questions

What is DKIM and do I need it?

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic digital signature to outgoing emails. The signature is verified by receiving servers against a public key published in your domain's DNS. Without DKIM, your emails cannot achieve full DMARC alignment, and they are more likely to be flagged as spam. Both SPF and DKIM are required for DMARC to work reliably.

What DKIM selectors does this checker test?

This tool probes 22+ common DKIM selectors including default selectors for Google Workspace (google), Microsoft 365 (selector1, selector2), Mailchimp, Sendgrid, HubSpot, Zoho, and many other popular email providers. It automatically detects your likely mail provider based on your MX records and tests the most relevant selectors first.

What does a revoked DKIM key mean?

A DKIM record with an empty p= value means the key has been intentionally revoked. Keys are usually retired this way after a security incident or a platform migration. If your active signing key is showing as revoked, DKIM signatures will fail verification at receiving servers, breaking DMARC alignment and potentially causing deliverability failures.

How do I set up DKIM for Google Workspace or Microsoft 365?

For Google Workspace: go to Admin Console → Apps → Google Workspace → Gmail → Authenticate email → Generate DKIM key, then add the provided TXT record to your domain's DNS. For Microsoft 365: go to the Defender portal → Email & collaboration → Policies & rules → Threat policies → DKIM, enable signing for your domain and add the two CNAME records shown. This checker will confirm the key is live once DNS propagates (allow up to 48 hours).

Why does my DKIM checker show no record found?

No DKIM record found typically means one of three things: DKIM signing has not been enabled in your email platform yet; the signing key was configured under a non-standard selector not included in this tool's list; or the DNS record was recently added and has not finished propagating (allow 24–48 hours). Try the full Email Security Score check, which tests DKIM as part of a combined audit and includes additional selector probing.
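The outcomes described in the answers above (a live key, a revoked key with an empty p=, and no record found) can be told apart by parsing the TXT answer for each selector. The following is an added example, not EmailAudit.io's own code; it performs no DNS lookups, and the sample TXT answers and key bytes are constructed for illustration.

```python
import base64
import binascii

def query_name(selector, domain):
    """DNS name where a DKIM public key for this selector is published."""
    return f"{selector}._domainkey.{domain}"

def parse_tags(txt):
    """Split a DKIM key record into a {tag: value} dict (RFC 6376 tag-list)."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        # Whitespace inside a value (e.g. a wrapped p=) is dropped before use.
        tags[name.strip()] = "".join(value.split())
    return tags

def classify(txt_strings):
    """Return 'missing', 'revoked', 'invalid' or 'active' for one TXT answer."""
    if not txt_strings:
        return "missing"          # no record found for this selector
    # Long keys are published as several TXT strings; join them first.
    tags = parse_tags("".join(txt_strings))
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"
    if tags["p"] == "":
        return "revoked"          # empty p= means the key was withdrawn
    try:
        base64.b64decode(tags["p"], validate=True)
    except (binascii.Error, ValueError):
        return "invalid"          # p= is present but not valid base64
    return "active"

def audit(answers):
    """Classify every selector in a {selector: [txt strings]} mapping."""
    return {sel: classify(txt) for sel, txt in answers.items()}

# Constructed placeholder key material (not a real public key).
KEY = base64.b64encode(b"constructed-placeholder-key-bytes").decode()

# Constructed TXT answers keyed by selector names mentioned on this page.
SAMPLE = {
    "google": ["v=DKIM1; k=rsa; p=" + KEY[:20], KEY[20:]],
    "selector1": ["v=DKIM1; p="],
    "k1": [],
    "sendgrid": ["v=DKIM1; k=rsa; p=not*base64"],
}

if __name__ == "__main__":
    for sel, status in audit(SAMPLE).items():
        print(query_name(sel, "example.com"), status)
```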