Free DKIM Validator & Selector Tester

Verify DKIM signatures, check key lengths, and get step-by-step setup guides for your email service provider.

DKIM Record Validator

Validate your DKIM record, check key strength, and ensure proper configuration

Common selectors: default, google, k1, selector1

DKIM Key Generator & Setup Guides

Generate RSA key pairs for DKIM authentication and follow step-by-step setup guides for popular email providers

Generate DKIM Keys

Generate RSA key pairs for DKIM authentication. The private key will sign your emails, and the public key will be published in DNS.

DKIM selector (e.g., 'default', 's1', or '202501')

DKIM Key Rotation Best Practices

Regular key rotation is an important security practice. Here's why and how to do it:

Why Rotate DKIM Keys?

  • Limits exposure if a private key is compromised
  • Reduces the impact of cryptographic attacks over time
  • Demonstrates good security hygiene to receiving servers
  • Required by some compliance standards

Recommended Rotation Schedule:

  • Every 6 months: Standard rotation for most organizations
  • Every 3 months: High-security environments
  • Immediately: If compromise suspected

Rotation Process:

  1. Generate new DKIM key pair with a new selector
  2. Add new public key to DNS (alongside existing key)
  3. Wait 24-48 hours for DNS propagation
  4. Configure mail server to sign with new key
  5. Monitor for 1-2 weeks
  6. Remove old DNS record

What is DKIM (DomainKeys Identified Mail)?

Overview

DKIM is an email authentication method that allows receiving mail servers to verify that an email message was actually sent by the domain it claims to be from and that the message hasn't been tampered with during transit. It uses cryptographic signatures attached to email headers.

How DKIM Works

  1. Key Generation: Your mail server generates a public/private key pair
  2. DNS Publishing: The public key is published as a DNS TXT record at selector._domainkey.yourdomain.com
  3. Email Signing: When sending emails, the server signs them with the private key
  4. Signature Verification: Receiving servers retrieve the public key from DNS and verify the signature
  5. Pass/Fail: If the signature verifies against the published public key, DKIM passes; otherwise it fails

Understanding DKIM Selectors

A DKIM selector is a string that helps identify which DKIM key to use when verifying an email signature. It's specified in the email header and used to construct the DNS query. Selectors allow you to:

  • Maintain multiple DKIM keys for different mail streams
  • Rotate keys without service interruption
  • Identify which server or service sent the email
  • Use time-based selectors (e.g., "202501" for January 2025)

Key Length & Security

Key Length | Security Level | Recommendation
512 bits   | Insecure       | Never use
1024 bits  | Weak           | Upgrade to 2048+
2048 bits  | Secure         | Recommended minimum
4096 bits  | Very Secure    | Best for high-security needs

Common DKIM Issues

  • Wrong Selector: Using an incorrect selector name prevents DNS lookup
  • DNS Not Propagated: New DKIM records can take up to 48 hours to propagate
  • Weak Keys: Keys under 2048 bits are flagged by modern email receivers
  • Signature Mismatch: Email content was modified after signing
  • Expired Keys: Some organizations set expiration dates on DKIM keys
  • Missing Public Key: DNS record not configured or deleted

DKIM Best Practices

  • Use 2048-bit or 4096-bit keys (never less than 2048)
  • Rotate keys every 6-12 months
  • Use descriptive selectors (e.g., "202501-primary")
  • Keep private keys secure and never share them
  • Test DKIM signatures after any mail server changes
  • Monitor DKIM pass rates in your email analytics
  • Maintain multiple selectors for key rotation without downtime