23 years from Stockholm
Free email infrastructure tool

DKIM key tester — selector validation and key length estimation

Type a domain and a selector. The browser queries DNS over HTTPS for the TXT record at selector._domainkey.yourdomain.com, parses every tag in the published key (v, k, p, t, h, s, n), estimates the public key size in bits, and flags the issues we see most often — weak 1024-bit keys, testing-mode flags left in production, missing key data, revoked keys with empty p tags, syntax errors, and truncated records that exceed the 255-character TXT string limit. No account required; the lookup runs entirely in your browser.

Check a DKIM selector

Enter the domain and the selector. Common selectors: google (Google Workspace), selector1 / selector2 (Microsoft 365), k1 (Mailchimp), s1 / s2 (most ESPs). If unsure, send yourself a test message and check the s= value in the DKIM-Signature header.

DNS over HTTPS via cloudflare-dns.com · No data sent to our servers

What the record actually does

DKIM is the cryptographic signature on the message — the proof that the headers and body have not been altered since the sending MTA signed them with its private key

When a message leaves a properly configured sender, the outbound MTA computes a hash over selected headers (From, To, Subject, Date, plus a few others) and the message body, signs that hash with a private key, and adds a DKIM-Signature header containing the signature, the signing domain, the selector, the canonicalization mode, and a few other fields. When the message arrives at a receiver, the receiver reads the selector and signing domain from the DKIM-Signature header, queries DNS for selector._domainkey.signingdomain.com to retrieve the public key, recomputes the hash, and verifies the signature against the public key. If verification succeeds, DKIM passes; if anything along the path tampered with the signed headers or body, the hash no longer matches and DKIM fails.

The DKIM TXT record itself is short. The required tags are v=DKIM1 (version, always DKIM1) and p=BASE64_PUBLIC_KEY (the public key in base64-encoded DER format). Common optional tags are k=rsa or k=ed25519 (key type, default rsa per RFC 6376), t=y (testing mode — receivers treat failures as if no DKIM existed), t=s (strict alignment — signing domain must match the i= identity exactly, no subdomain matching), h=sha256 (allowed hash algorithms, default permits all current ones), s=email (restrict signing to email use), and n=text (notes for human readers, ignored by receivers).

Key length is where the 2026 standards diverge from defaults that still ship in older provider documentation. NIST formally deprecated 1024-bit RSA keys for new applications in 2013 and disallowed them entirely for federal use by 2019. RFC 8301 from January 2018 raised the DKIM minimum to 1024 bits and recommended 2048; verifiers must reject signatures from keys under 1024 bits. Google's bulk sender guidance from February 2024 recommends 2048-bit, Microsoft Outlook's May 2025 enforcement does the same, and Amazon SES rotates its managed keys at 2048-bit. A 1024-bit DKIM key does not break authentication outright in 2026 — the signature still validates if the math works — but it reads to receivers as a domain configuration that has not been touched since before 2018, which contributes to the broader trust scoring that decides marginal inbox placement.

The other knob is rotation. RFC 6376 explicitly recommends rotating DKIM keys periodically; the operational guidance from major receivers and DKIM tooling vendors converges on 6 to 12 months. Rotation matters because a private key that leaks (from a hosting provider breach, a misconfigured backup, a former employee with admin access) lets an attacker sign messages that pass DKIM for your domain until you revoke the key. Rotating limits the exposure window. The tool above shows you what is currently published; rotation is what you do when the key is older than 12 months or you have any reason to suspect compromise.

Anatomy of a DKIM record

Every tag the tester parses, what it means, and what value you should typically use

Example 2048-bit RSA record

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA[…+392 chars of base64…]QIDAQAB
v=DKIM1

Version identifier. Always DKIM1. If present, must be the first tag. Receivers that find this tag with any value other than DKIM1 ignore the record entirely.

k=rsa | ed25519

Key type. Default rsa per RFC 6376. ed25519 per RFC 8463 produces smaller keys and signatures but support among receivers is uneven in 2026 — keep RSA as the safe default.

p=BASE64_PUBLIC_KEY

The public key, base64-encoded DER format. An empty p= tag signals a revoked key — receivers treat any signature claiming this selector as invalid. RSA 1024-bit keys are ~216 base64 characters; 2048-bit are ~392; 4096-bit are ~736.

t=y · t=s · t=y:s

Flags. y = testing mode (receivers do not apply DKIM failure consequences — leftover after deployment is a common mistake). s = strict alignment between the signing domain and the i= identity. Remove y once you are in production.

h=sha256

Allowed hash algorithms. RFC 8301 deprecated sha1; sha256 is required. Omitting h means "any supported algorithm" which is effectively sha256 in current implementations.

s=email | *

Service type. Default * allows any service. email restricts the key to email use. Rarely set in practice — the default is fine for nearly all senders.

n=notes

Human-readable notes. Ignored by receivers. Some teams use it to record the rotation date or the team that owns the selector — useful for ops but invisible to mail flow.

g=identity

Granularity, restricting the key to signing for a specific local-part. Deprecated by RFC 6376 and ignored by modern receivers — do not use.

Common issues the tester catches

The eight problems we see most often when running this check across customer domains

No record at the selector path

The most common cause of a failed DKIM check. Either the selector name does not match what the sending MTA is using, the record was never published, or DNS propagation has not completed. Verify the selector by checking the s= value in a real DKIM-Signature header from your domain. If the record was just added, allow up to 48 hours for full propagation.

Empty p= tag (revoked key)

A record with p= and nothing after is the DKIM-defined way to revoke a key while preserving the record. Receivers treat any signature claiming this selector as invalid. This is the right thing to do for a compromised or retired key — but only once you have stopped signing with it. If the record is empty and you are still signing with this selector, every message is failing DKIM.

1024-bit RSA key

Still functional in 2026 but reads as outdated. NIST deprecated 1024-bit RSA for new applications in 2013 and disallowed it for federal use by 2019. Google's 2024 bulk sender guidance and Microsoft Outlook's May 2025 enforcement both recommend 2048-bit. Rotate to 2048: generate a new key, publish under a new selector, switch sending to sign with the new selector, leave the old record live for 3-5 days for in-flight messages, then mark the old record as revoked (empty p=) and finally remove it.

Testing flag t=y left in production

Common after a hurried deployment. With t=y, receivers treat DKIM failures as if no DKIM existed — fine for testing, dangerous in production because it disables the failure consequences DMARC relies on for alignment. Remove t=y once your monitoring confirms signatures are validating correctly.

Truncated or split key

A single TXT string is capped at 255 characters by DNS protocol. A 2048-bit RSA public key is around 392 base64 characters plus the surrounding tags, so the full record runs ~440-470 characters. The record must be published as multiple quoted strings within a single TXT record (most DNS providers handle this transparently; some require manual splitting at exactly 255-character boundaries). If the key appears to end at 255 characters with no closing tag, that is the symptom.

Stale key past rotation window

Keys older than 12 months are flagged as candidates for rotation. The tester cannot tell key age from the record alone — but if you know when you generated it and it has been more than a year, rotate. Generate a new key under a new selector, dual-sign during a transition window, then retire the old selector.

Syntax errors in the record

Missing semicolons between tags, invalid characters in the base64 (whitespace pasted in from a generator output), malformed flag values. Receivers parse strictly; one syntax error causes the record to be ignored. The most common error we see: pasting a key from a web UI that wrapped the base64 across multiple lines, then publishing without removing the line breaks.

No DKIM record at all for any selector

Some domains never published any DKIM key — they rely on SPF alone. Since the February 2024 Gmail/Yahoo bulk sender requirements, this is no longer viable for senders at scale; both receivers require DKIM signing for bulk mail. Microsoft Outlook followed in May 2025. If your aggregate DMARC reports show DKIM failures across the board for your sending domain, the answer is to set up signing — not to fix this one record.

Key rotation done the boring, correct way

Rotation is dual-sign during the transition, then retire — never delete a live key and replace it in one DNS edit

The pattern that works without breaking deliverability: generate the new 2048-bit RSA keypair, publish the public key in DNS under a new selector (call it s2 if the old one was s1), wait 24-48 hours for DNS propagation, configure your sending MTA to sign with the new key, let production run for a few hours, then confirm via a fresh DKIM check (the tool above, or by reading the DKIM-Signature header in a delivered message) that the new selector resolves and validates. At this point you are signing with the new key and the old key is no longer being used. Leave the old selector live for 3-5 more days to cover any in-flight messages that were signed before the switchover. Then mark the old record as revoked by replacing the key with an empty p=, and after another 7 days, remove the record from DNS entirely.

The mistake to avoid: deleting the old DKIM record at the same time you change your MTA configuration. Messages in transit between MTAs can be in flight for hours; messages held in spool queues during outages can be in flight for days. Any message signed with the old key whose DNS lookup happens after you deleted the record fails DKIM, fails DMARC alignment, and lands in spam — for legitimate mail you sent yourself. The dual-sign-then-retire pattern adds two weeks of overhead and eliminates the failure mode entirely.

Frequently asked questions

Questions teams ask when running the DKIM tester for the first time

I don't know what selector my sending service uses. How do I find it?

+

Three reliable ways. First, send yourself a test message from the domain you want to check, then view the raw message source (in Gmail: "Show original"; in Outlook: "View source"). Find the DKIM-Signature header and look for the s= tag — its value is the selector. Second, check the sending service's admin console: Google Workspace shows the selector under Admin → Apps → Google Workspace → Gmail → Authenticate Email; Microsoft 365 uses selector1 and selector2 by default; most ESPs document their selectors in setup guides.

Third, if you have multiple sending services and want to find all of them, run the tester against the common ones for your stack: Google Workspace uses google, Microsoft 365 uses selector1 and selector2, Mailchimp uses k1 or k2, SendGrid uses s1 and s2, Mailgun uses a domain-specific selector, Postmark uses 20XXXX numeric selectors. Each match tells you that service is configured for your domain.

Should I be on 2048-bit or 4096-bit DKIM?

+

2048-bit. The case for 4096-bit is real on paper — more entropy, longer time horizon against advances in cryptanalysis — but in operational practice two things push against it. First, a 4096-bit key produces a public key record around 736 base64 characters; once you add the surrounding tags and account for the 255-character TXT string limit, you are reliably above the threshold where some DNS providers and some receivers handle the multi-string TXT record inconsistently. Second, the marginal security improvement at 4096-bit over 2048-bit is not load-bearing for any threat model that DKIM addresses — DKIM signs at the boundary of email transit, where the relevant attack window is hours to days, not the decade-scale considerations that motivate 4096-bit elsewhere.

The practical answer: 2048-bit for everything unless you have a specific compliance requirement that mandates 4096. Rotate every 6-12 months, and the rotation cadence does more for security than the extra key bits ever would.

Why does the tester estimate the bit length instead of giving an exact number?

+

Computing the exact RSA modulus length requires decoding the base64 into ASN.1 DER and parsing the BIT STRING. The tester runs entirely in the browser without bundling an ASN.1 parser, so it estimates the key size from the base64 string length: RSA 1024-bit keys produce ~216 base64 characters (give or take a few for the ASN.1 header), 2048-bit produces ~392, 4096-bit produces ~736. The mapping is accurate within standard RSA key sizes; the estimate will tell you correctly whether you are at 1024, 2048, or 4096, even if it cannot tell you whether the modulus is exactly 2048 bits or 2080 bits. For practical purposes — the question is "1024 or 2048?" not "is it exactly 2048?" — that level of precision is what you need.

Is Ed25519 DKIM safe to deploy in 2026?

+

Carefully, with dual-signing as the safety net. RFC 8463 defined Ed25519 for DKIM in 2018, and the cryptography is genuinely strong — Ed25519 keys are 256 bits (much smaller than RSA), signatures are 64 bytes, and verification is faster. The problem is receiver-side support: not every MTA, every spam filter, every legacy enterprise gateway in the world has caught up. Some receivers still treat an Ed25519-only signed message as DKIM-fail because their software does not know how to verify it.

The deployment pattern that works: sign with both RSA-SHA256 (under one selector) and Ed25519 (under another). Receivers that understand both will validate the stronger of the two; receivers that only know RSA will validate RSA and ignore Ed25519. You get the benefits of newer cryptography without the failure mode for older receivers. Set this up only after you have RSA working cleanly — Ed25519 alone is not safe to deploy.

DKIM passes but DMARC is still failing alignment. Why?

+

DMARC alignment requires that the signing domain (the d= tag in the DKIM-Signature header) match the From header domain — exactly under strict alignment (adkim=s in your DMARC record), or organizationally under relaxed alignment (adkim=r, the default, where mail.example.com aligns with example.com). DKIM can pass cryptographically while still failing DMARC alignment if the message is signed by a different domain entirely — common when a third-party sender (a newsletter platform, a CRM that sends on your behalf) signs with their own domain instead of yours.

The fix is having that sender sign with your domain — most modern transactional ESPs and marketing platforms support a "signed with your domain" mode, often called "branded sending" or "signed-by-customer DKIM". Setup involves publishing the platform's DKIM public key in your DNS under a selector they specify, then enabling their corresponding signing mode in their admin console. After that, the DKIM-Signature header shows d=yourdomain.com and DMARC alignment passes.

How often should I run this check?

+

Whenever the key would normally come up — at initial setup, before and after every key rotation, when onboarding a new sending service that needs its own selector, and quarterly as a maintenance check to catch silent failures. The most common reason a previously-working DKIM record stops working is a DNS migration: the team moves DNS to a new provider, the new provider's interface handles long TXT records differently from the old one, and the record gets truncated or quoted incorrectly during the import. A quarterly DKIM check across every selector you use catches the regression within weeks rather than after a DMARC report shows mail flowing to spam for two months.