Skip to content
Pricing RU Sign In
RU

DKIM: Definition and Use Cases

By · Updated
TL;DR:

DKIM (DomainKeys Identified Mail) is a cryptographic signature added to email by the sender. The public key is published in DNS (selector._domainkey.example.com); the private key signs the message body. The recipient verifies the signature, guaranteeing the message was not modified in transit and truly came from the claimed domain.

Try it now — free →

What is DKIM

DKIM (DomainKeys Identified Mail) is a cryptographic signature added to email by the sender. The public key is published in DNS (selector._domainkey.example.com); the private key signs the message body. The recipient verifies the signature, guaranteeing the message was not modified in transit and truly came from the claimed domain.

Check DKIM online

Open Enterno.io tool →

Related guides

Public KeyDKIM key in DNS TXT record
Key LengthRSA-1024, 2048, or Ed25519
Quick TestDomain + selector = result
ValidationSyntax and parameters of DKIM TXT

Why teams trust us

DKIM
signature check
SPF
SPF + DMARC audit
DNS
TXT record check
Free
no limits

How it works

1

Enter domain and selector

2

Fetch DKIM TXT record

3

Validate public key

What is DKIM?

DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign email with a key stored in DNS. This allows recipients to verify that the email was genuinely sent from the specified domain.

Selector-based Check

Specify domain and DKIM selector — get the public key and its parameters.

Key Analysis

RSA/Ed25519 key length, hash algorithm, flags, and validity period.

Recommendations

If key < 2048 bits — we issue a warning and key rotation instructions.

Instant Result

Direct DNS query in seconds — no waiting for TTL.

Who uses this

Email marketers

pre-send verification

Sysadmins

mail server setup

Security

phishing protection audit

Developers

email deliverability debug

Common Mistakes

Using 1024-bit key1024 bits is considered weak. Gmail and Outlook require at least 2048 bits.
Not rotating keysSame key for years — risk of compromise. Rotate keys every 6–12 months.
Wrong selectorEach ESP uses its own selector. Ensure the correct key is in DNS for each.
Not checking after ESP changeWhen changing email service, always verify the new provider's DKIM.

Best Practices

Use 2048-bit keysThis is the current recommended minimum. Ed25519 is a more modern alternative.
Set up DMARC with DKIMWithout DMARC, even correct DKIM signing doesn't protect from Display-From spoofing.
Check after migrationWhen changing DNS provider, DKIM records are often lost. Check immediately after.
Document all selectorsKeep a list of all DKIM selectors — useful during rotation and auditing.

Get more with a free account

DKIM check history and DNS monitoring for domain record changes.

Sign up free

Related tools

Email CheckDNS LookupDNSBL CheckSSL Check

Learn more

How-to

Glossary

Frequently Asked Questions

Do I need DKIM?

If you work with web infrastructure or APIs, almost certainly yes. See the article above for specific use cases.

Start monitoring for free

Sign up and get access to API, monitoring and notifications

Create Account API Documentation