Skip to content
Pricing RU Sign In
RU

DKIM Key Generator

Create an RSA key pair for DKIM and get a ready-to-use DNS TXT record.

TL;DR:

DKIM Checker validates a domain's DKIM signature. Finds the public key in DNS (selector._domainkey.example.com), validates format, checks key size (≥ 2048-bit recommended). Shows selectors for major ESPs: Gmail, Outlook, Mailgun, SendGrid.

e.g. mail, google, dkim. Used in the DNS record name.

Public KeyDKIM key in DNS TXT record
Key LengthRSA-1024, 2048, or Ed25519
Quick TestDomain + selector = result
ValidationSyntax and parameters of DKIM TXT

Why teams trust us

DKIM
signature check
SPF
SPF + DMARC audit
DNS
TXT record check
Free
no limits

How it works

1

Enter domain and selector

2

Fetch DKIM TXT record

3

Validate public key

What is DKIM?

DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign email with a key stored in DNS. This allows recipients to verify that the email was genuinely sent from the specified domain.

Selector-based Check

Specify domain and DKIM selector — get the public key and its parameters.

Key Analysis

RSA/Ed25519 key length, hash algorithm, flags, and validity period.

Recommendations

If key < 2048 bits — we issue a warning and key rotation instructions.

Instant Result

Direct DNS query in seconds — no waiting for TTL.

Who uses this

Email marketers

pre-send verification

Sysadmins

mail server setup

Security

phishing protection audit

Developers

email deliverability debug

Common Mistakes

Using 1024-bit key1024 bits is considered weak. Gmail and Outlook require at least 2048 bits.
Not rotating keysSame key for years — risk of compromise. Rotate keys every 6–12 months.
Wrong selectorEach ESP uses its own selector. Ensure the correct key is in DNS for each.
Not checking after ESP changeWhen changing email service, always verify the new provider's DKIM.

Best Practices

Use 2048-bit keysThis is the current recommended minimum. Ed25519 is a more modern alternative.
Set up DMARC with DKIMWithout DMARC, even correct DKIM signing doesn't protect from Display-From spoofing.
Check after migrationWhen changing DNS provider, DKIM records are often lost. Check immediately after.
Document all selectorsKeep a list of all DKIM selectors — useful during rotation and auditing.

Get more with a free account

DKIM check history and DNS monitoring for domain record changes.

Sign up free

What is DKIM and Why Does It Matter for Email Deliverability?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, allowing receiving servers to verify the message was sent by an authorised domain and was not modified in transit. The signature is published as a TXT record in DNS under a selector subdomain — for example, mail._domainkey.example.com. Without DKIM, emails are more likely to be flagged as spam or rejected by major providers such as Gmail and Outlook.

Save & track URLs you check Free account · 24/7 checks · alerts via Telegram, email, Slack — sign up to monitor any URL you test here.
Free Sign Up

Related tools

Email CheckDNS LookupDNSBL CheckSSL Check

Learn more

How-to

Glossary

Research

Frequently Asked Questions

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method using digital signatures. Protects against email spoofing.

How to set up DKIM?

Generate keys with our tool, add a TXT record to your domain DNS. Detailed instructions on the page.

What key size to choose?

We recommend 2048 bits — optimal balance of security and compatibility. 1024 is outdated, 4096 may not fit in a TXT record.

Related guides

Longer-form reading on this topic from the knowledge base.

Automate this check

Set up continuous monitoring and get an alert when something breaks. No manual runs to remember.

Start free

Start monitoring for free

Sign up and get access to API, monitoring and notifications

Create Account API Documentation