DKIM Checker

How to read your DKIM results

DKIM proves an email actually came from your domain and wasn't altered along the way. It works by signing each message with a private key, while the matching public key sits in your DNS for receivers to verify against. When DKIM is missing or broken, inbox providers trust your mail less — and your cold email pays the price.

The selector matters

DKIM records live at selector._domainkey.yourdomain.com, not on your root domain. That selector is assigned by whatever service sends your mail. If you don't know it, this tool tries the most common selectors automatically — but the surest way is to copy it straight from your email provider's authentication settings.

A published, strong public key

We confirm the record contains a non-empty public key (an empty p= value means the key has been revoked and DKIM will fail) and estimate whether it's 1024-bit or 2048-bit. We also flag t=y, which puts DKIM in test mode and tells receivers to ignore failures — fine during setup, but it should be removed once signing works.

DKIM works best alongside SPF and DMARC

DKIM verification feeds directly into DMARC, which is what actually enforces a policy and gives you reporting. Pair this check with the SPF checker and DMARC checker, or run the combined deliverability test for one score across all three.

We configure DKIM signing across every sending domain we build for clients and monitor it over time. Learn how our cold email infrastructure works, or read the full SPF, DKIM & DMARC guide.