What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that allows a mail server to digitally sign outgoing email messages. The receiving mail server can then verify that the message was really sent by the domain it claims to be from and that the contents were not modified during transit.

In simple terms: DKIM proves that your email actually came from your domain and was not forged or altered.

Why DKIM is important

  • Prevents email spoofing and phishing
  • Improves deliverability to Gmail, Outlook and Yahoo
  • Required for DMARC to work properly
  • Reduces the chance your emails land in spam

Modern email providers strongly rely on DKIM. Without it, your emails may be marked as suspicious or rejected entirely.

How DKIM works (simple explanation)

  1. Your mail server signs the email with a private cryptographic key
  2. The signature is added to the email header as a DKIM-Signature
  3. The receiving mail server looks up a public key in your DNS
  4. If the signature matches → the email is trusted

The public key is stored in DNS as a TXT record on a special hostname:

selector._domainkey.example.com

The selector allows a domain to use multiple DKIM keys at the same time.

How the PublicDNS DKIM Checker works

Our DKIM Checker queries your DNS for the DKIM public key and validates its structure. It verifies:

  • If the DKIM record exists
  • If the record format is correct
  • If the public key is readable
  • If the key length is secure

You can use it here:

Open DKIM Checker
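The four checks listed above can be reproduced offline on a TXT value you have already fetched from selector._domainkey.example.com. The Python below is an added example, not PublicDNS's own code; it assumes an RSA key (k=rsa, the default), and its function names and the WEAK and GOOD sample records are constructed for illustration.

```python
import base64

def parse_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, dropping whitespace in values."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos, want):
    """Read one DER element of type `want`; return (value_start, value_end)."""
    n, start = buf[pos + 1], pos + 2
    if n & 0x80:                                  # long-form length
        start += n & 0x7F
        n = int.from_bytes(buf[pos + 2:start], "big")
    if buf[pos] != want or start + n > len(buf):
        raise ValueError("malformed or truncated DER")
    return start, start + n

def rsa_bits(der):
    """Modulus bit length of a DER SubjectPublicKeyInfo holding an RSA key."""
    start, _ = _tlv(der, 0, 0x30)             # SubjectPublicKeyInfo
    _, end = _tlv(der, start, 0x30)           # AlgorithmIdentifier, skipped
    start, _ = _tlv(der, end, 0x03)           # BIT STRING wrapping the key
    start, _ = _tlv(der, start + 1, 0x30)     # RSAPublicKey, after unused-bits byte
    start, end = _tlv(der, start, 0x02)       # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def check_record(txt):
    """Return findings for one DKIM TXT value; an empty list means it passed."""
    if not txt:
        return ["no DKIM record found"]
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return ["invalid format"]
    try:
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return ["public key not readable"]
    if bits < 1024:                           # the page's "key too short" limit
        return [f"key too short ({bits} bits)"]
    return [] if bits >= 2048 else [f"{bits}-bit key, 2048 bits expected"]

def sample_record(der_head, bits):
    """Constructed TXT value: real DER framing, placeholder modulus, not a real key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    spki = bytes.fromhex(der_head) + modulus + bytes.fromhex("0203010001")
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

WEAK = sample_record("305c300d06092a864886f70d0101010500034b003048024100", 512)
GOOD = sample_record("30820122300d06092a864886f70d01010105000382010f003082010a0282010100", 2048)
```

A record that was cut off when pasted into DNS decodes to truncated DER, so it is reported as "public key not readable" rather than as a short key.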

Understanding selectors

Many email providers use different selectors:

  • Google Workspace → google
  • Microsoft 365 → selector1 / selector2
  • Mailchimp → k1 / k2

If you don't know your selector, check your mail provider's documentation or your DNS records.

Common DKIM problems

No DKIM record found

The domain does not publish a DKIM public key. You need to enable DKIM signing in your email provider and add the provided DNS record.

Invalid format

The TXT record exists but is not formatted correctly. Often caused by:

  • Missing quotes
  • Broken long TXT records
  • Copy/paste errors

Key too short

DKIM keys shorter than 1024 bits are considered insecure. Modern providers require 2048-bit keys.

DKIM fails but record exists

This usually means your mail server is not signing emails, or you are sending mail through a service that is not authorized for your domain.

Relationship with SPF and DMARC

DKIM works together with SPF and DMARC:

  • SPF → verifies sending server
  • DKIM → verifies message authenticity
  • DMARC → defines policy and enforcement

For best results, configure all three.

Troubleshooting

After adding a DKIM record, DNS propagation may take up to 24 hours. If validation still fails:

  • Check for typos in the selector
  • Verify the record is a TXT record (not a CNAME, unless your provider requires it)
  • Ensure your mail server actually signs outgoing mail
