
DNSai DKIM Lookup

Look up DKIM records fast.

Created by: Michael Hansen

Enter a domain name to discover DKIM records

Include known DKIM selectors if you have them

If you don't know your selectors, just search the domain and DNSai will try to find DKIM records automatically.

Look up DKIM records for any domain — whether you're verifying your own email authentication setup, auditing a sender's configuration, or troubleshooting delivery issues. DKIM works alongside SPF and DMARC to form the email authentication triad that protects your domain reputation.

Security researchers and industry groups now recommend 2048-bit RSA keys over the older 1024-bit standard. While 1024-bit keys were considered secure for years, advances in computing power mean they could theoretically be cracked. This tool shows your key length so you can verify you're using current cryptographic standards.

Automatic Selector Discovery — Scans common selectors (google, selector1, selector2, s1, k1, default, dkim) to find your DKIM records without needing to know the exact selector.
Key Length Verification — Instantly see if you're using secure 2048-bit keys or older 1024-bit keys that should be rotated.
Multi-Provider Support — Works with Microsoft 365, Google Workspace, Zoho, Mailchimp, SendGrid, and custom enterprise mail servers.

How DKIM Email Authentication Works

When you send an email, your mail server computes a cryptographic hash of the message body and selected headers, then signs this hash with your private key. The result becomes the DKIM signature added to the email header. The receiving server extracts your selector from the signature (the s= tag), queries DNS for selector._domainkey.yourdomain.com, retrieves your public key, and uses it to verify the signature.

A valid DKIM signature proves two things: (1) the email was sent by a server with access to your private key, and (2) the message hasn't been modified in transit. Major email providers including Gmail, Microsoft, and Yahoo check DKIM signatures — emails that fail verification are more likely to be filtered as spam or rejected outright.

Key Rotation Best Practice: Rotate your DKIM keys every 6-12 months. Publish a new key with a different selector, update your mail server, wait 48-72 hours for DNS propagation, then remove the old key. This limits exposure if a private key is compromised.

DKIM Lookup FAQ

What is DKIM and why does it matter?

DKIM (DomainKeys Identified Mail) is an email authentication standard that uses cryptographic signatures to verify that an email was sent from an authorized mail server and hasn't been tampered with in transit. When you send an email, your mail server signs it with a private key. The recipient's server retrieves your public key from DNS and verifies the signature. DKIM is essential for email deliverability — major providers like Gmail and Microsoft 365 check DKIM signatures and may reject or spam-folder unsigned messages.

Should I use 1024-bit or 2048-bit DKIM keys?

You should use 2048-bit DKIM keys. While 1024-bit keys were the standard for years, they are now considered cryptographically weak and could theoretically be cracked with sufficient computing resources. Major email providers including Google recommend 2048-bit keys, and some enterprise security policies now require them. The only downside of 2048-bit keys is that some older DNS providers have TXT record length limits, but most modern providers support them without issue. If you're still using 1024-bit keys, plan to rotate to 2048-bit as soon as possible.

How often should I rotate my DKIM keys?

Industry best practice is to rotate DKIM keys every 6 to 12 months. Regular rotation limits the exposure window if a private key is compromised and ensures you're using current cryptographic standards. During rotation, publish the new public key with a different selector, update your mail server to sign with the new private key, then remove the old public key after a grace period (typically 48-72 hours to allow for DNS propagation and cached emails). Enterprise organizations with high-security requirements may rotate quarterly.

What is a DKIM selector and how do I find mine?

A DKIM selector is a string that identifies which public key to use for signature verification. It's published in DNS as a subdomain: selector._domainkey.yourdomain.com. Common selectors include 'selector1' and 'selector2' (Microsoft 365), 'google' (Google Workspace), 's1', 's2', 'k1', 'default', and 'dkim'. You can find your selector by examining the DKIM-Signature header in any email sent from your domain — look for the 's=' parameter. This DKIM lookup tool automatically checks common selectors if you don't know yours.

Why is my DKIM lookup failing or showing no records?

Common reasons for DKIM lookup failures include: (1) Wrong selector — each email provider uses different selectors, so try the tool's automatic discovery; (2) DKIM not configured — your domain may not have DKIM set up yet; (3) DNS propagation delay — new DKIM records take up to 48 hours to propagate globally; (4) TXT record too long — 2048-bit keys may be split across multiple strings, and some DNS providers handle this incorrectly; (5) Subdomain mismatch — if you send from a subdomain, DKIM may be configured there instead of the root domain.
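The key-length check and the split TXT record described in the answers above, as an added example (not DNSai's own code): it joins the TXT strings, parses the tags, and reads the RSA modulus size from the p= value. The sample records use a constructed placeholder modulus, not a usable key, and all function names are illustrative.

```python
import base64

def parse_tags(txt_strings):
    """Join the TXT character-strings, then split into tag=value pairs."""
    tags = {}
    for part in "".join(txt_strings).split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # base64 may be folded
    return tags

def _tlv(buf, pos):
    """Read one DER element at pos: return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(tags):
    """RSA modulus size in bits; 0 when p= is empty (key revoked)."""
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key")
    if not tags.get("p"):
        return 0
    spki = base64.b64decode(tags["p"])
    _, body, _ = _tlv(spki, 0)         # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _tlv(body, 0)          # AlgorithmIdentifier, skipped
    _, bits, _ = _tlv(body, pos)       # BIT STRING wrapping RSAPublicKey
    _, rsakey, _ = _tlv(bits[1:], 0)   # skip the unused-bits byte
    _, modulus, _ = _tlv(rsakey, 0)    # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def _der(tag, value):
    """Encode one DER element (used only to build the sample below)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_txt(bits):
    """Constructed record with a placeholder modulus; not a usable key."""
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    rec = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return [rec[i:i + 255] for i in range(0, len(rec), 255)]
```

The 2048-bit sample exceeds the 255-byte limit of a single TXT string and comes back as two strings, which is why the parser joins them before reading p=.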
