DKIM Record Lookup
Provide a selector and domain. We perform a live DNS lookup at selector._domainkey.domain and return the public key, key length, and any deliverability warnings.
What is DKIM and what is a selector?
DKIM (DomainKeys Identified Mail) is a cryptographic signature that mail servers attach to outgoing messages to prove the message has not been tampered with and that it really came from your domain. The signature is verified against a public key published as a DNS TXT record at a specific selector subdomain.
The selector is just a label that lets you publish multiple DKIM keys for the same domain (one per sending service). Google Workspace defaults to selector google. Microsoft 365 uses selector1 and selector2. SendGrid uses sX (s1, s2, etc.). Mandrill uses mandrill. The full DNS lookup path is always selector._domainkey.yourdomain.com.
How to find your DKIM selector
If you do not know your selector, look at the headers of an email you previously sent. Find the DKIM-Signature header and look for the s= parameter. That value is your selector. The d= parameter is your domain.
Common defaults: Gmail/Workspace uses google. Outlook/Microsoft 365 uses selector1 and selector2. Brevo (Sendinblue) uses mail. Mailgun uses smtp or k1. AWS SES uses a UUID-style selector starting with letters. Postmark uses 20140422172530pm. ConvertKit uses ckck-2024-MM. Most ESPs publish their selector format in their setup docs.
Key length matters more than you think
Major receivers (Gmail, Outlook, Yahoo) reject DKIM signatures with keys shorter than 1024 bits as of 2023. The current 2026 recommendation is 2048-bit RSA keys for production. 4096-bit is supported but offers diminishing returns and some DNS providers limit TXT record length, which can break a 4096-bit key without proper chunking.
If this tool returns a key length under 1024, your DKIM is effectively broken with major providers. Rotate to a 2048-bit key via your ESP's DKIM management page (Google Admin, Microsoft 365 Defender, SendGrid Senders, etc.).
Common DKIM failure modes
Empty p= value: the key has been revoked. Republish the key from your ESP. Multi-line key with truncation: your DNS provider auto-truncated the TXT record at 255 chars. Use a provider that supports proper chunking (Cloudflare, Route 53, Vercel DNS, NS1). Wrong selector: double-check the s= header in a sent email and confirm you are looking up the right selector subdomain. CNAME pointing to a stale ESP: if you migrated ESPs, the old CNAME may still be in place and override the new DKIM. Remove the old CNAME first.
Frequently asked questions
Is this DKIM lookup tool free?
+
Yes, completely free with no signup or rate limit. We perform a live DNS TXT lookup at selector._domainkey.yourdomain and parse the resulting key.
What's the difference between DKIM and SPF?
+
SPF authorizes which IP addresses can send for your domain (envelope-level). DKIM cryptographically signs each message (header-level). DMARC combines them with alignment. All three are necessary for modern deliverability.
How do I know which DKIM selector to use?
+
Send yourself an email from your domain, view the raw headers, find the DKIM-Signature line, and look for the s= parameter. That is your selector. Workspace defaults to google, Microsoft 365 to selector1/selector2, SendGrid to sX.
What's the minimum DKIM key length in 2026?
+
1024 bits is the floor at major receivers (Gmail, Outlook, Yahoo). 2048 bits is the recommended production standard. 4096 bits is supported but requires DNS-record chunking and offers minimal additional security.
Can I have multiple DKIM keys?
+
Yes, each on a different selector. This is required if you have multiple sending services (e.g. Workspace for transactional, SendGrid for marketing). Each service publishes its own selector at its own DNS path. Receivers will validate whichever selector the message was signed with.
Why does my DKIM record show as empty?
+
An empty p= value means the key was explicitly revoked. Common causes: ESP migration without removing the old record, key rotation that did not republish, or a manual revocation. Republish the current public key from your ESP's DKIM management page.
How long does DKIM take to propagate?
+
TXT records typically propagate in 5 to 30 minutes. Cloudflare and Route 53 are near-instant. Legacy registrars (some GoDaddy plans, hosting-bundled DNS) can take up to 24 hours. Use this tool to confirm propagation before activating sending.
Can DKIM keys be rotated?
+
Yes and they should be rotated every 6 to 12 months as a best practice. Most ESPs handle rotation automatically by publishing both old and new keys on different selectors during a grace period. Manual rotation requires a brief overlap window with both keys live before retiring the old one.
Stop guessing, start shipping.
Navigent runs deliverability, lead-data, and multichannel outreach in one workspace. Start free, no credit card.