A DKIM record is a DNS TXT record that publishes the public key your mail server uses to cryptographically sign outgoing emails. Defined in RFC 6376, DKIM signatures let receiving servers verify your emails weren't tampered with in transit. Paste your DKIM TXT record value below to validate all tags and check key quality.
DKIM Tag Reference (RFC 6376)
| Tag | Name | Required | Description |
|---|---|---|---|
| v= | Version | Yes | Must be DKIM1 |
| p= | Public Key | Yes | Base64 encoded public key. Empty = revoked. |
| k= | Key Type | Optional | rsa (default) or ed25519 |
| h= | Hash Algorithms | Optional | Colon-separated list, e.g. sha1:sha256 |
| s= | Service Type | Optional | * (default, all) or email |
| t= | Flags | Optional | y = testing mode; s = strict alignment |
| g= | Granularity | Optional | Deprecated in RFC 6376 |
| n= | Notes | Optional | Human-readable notes, ignored by validators |
How to Use This DKIM Record Validator
DKIM (DomainKeys Identified Mail) is the second pillar of modern email authentication, alongside SPF and DMARC. A properly configured DKIM record ensures that email receivers can verify the cryptographic signature on your outgoing emails, proving both the sender's identity and that the message wasn't modified in transit. This DKIM record validator parses your record against RFC 6376 and checks every tag.
Step 1: Find Your DKIM TXT Record
Your DKIM record is published at selector._domainkey.yourdomain.com. For Google Workspace, the default selector is usually "google"; otherwise, check Settings > Gmail > Authenticate email. For Microsoft 365, look up selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com. Use the DNS Records Checker tool to retrieve the TXT record value, then paste it here.
Step 2: Understand the Validation Checks
The validator runs seven checks. The most critical are: the version tag must be "DKIM1"; the p= tag (public key) must be present and contain valid Base64; and the k= tag must be "rsa" or "ed25519". For RSA keys, the validator estimates the key length from the Base64 data — a 1024-bit key is the minimum, 2048 bits is recommended for new deployments. Keys shorter than 1024 bits are flagged as inadequate. Testing mode (t=y) is flagged as informational — it means DKIM is in test mode and failures won't be enforced.
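The tag-level checks described above, as an added example in JavaScript (not the validator's own source). Function names, finding labels and sample records are constructed for illustration; the 32-byte length check for Ed25519 keys follows RFC 8463 and goes beyond the checks listed here, and RSA key size is left out.

```javascript
// Added example (not the tool's own source): tag-level checks on a DKIM key record.
const KNOWN_TAGS = new Set(['v', 'p', 'k', 'h', 's', 't', 'g', 'n']);

function parseTags(record) {
  const tags = new Map(), problems = [];
  for (const part of record.split(';')) {
    if (!part.trim()) continue;                       // trailing ';' or empty segment
    const eq = part.indexOf('=');                     // first '=' only: Base64 padding uses '=' too
    const name = (eq < 0 ? part : part.slice(0, eq)).trim();
    if (eq < 0) problems.push(`no-value:${name}`);
    else if (tags.has(name)) problems.push(`duplicate:${name}`);
    else tags.set(name, part.slice(eq + 1).trim());
    if (!KNOWN_TAGS.has(name)) problems.push(`unknown-tag:${name}`);
  }
  return { tags, problems };
}

function checkRecord(record) {
  const { tags, problems } = parseTags(record);
  const k = tags.get('k') || 'rsa';                   // k= defaults to rsa
  if (tags.get('v') !== 'DKIM1') problems.push('version-not-DKIM1');
  if (k !== 'rsa' && k !== 'ed25519') problems.push(`key-type:${k}`);
  // Keys split across several TXT strings often contain whitespace; strip it first.
  const p = tags.has('p') ? tags.get('p').replace(/\s+/g, '') : null;
  if (p === null) problems.push('p-missing');
  else if (p === '') problems.push('p-empty-revoked');
  else if (p.length % 4 || !/^[A-Za-z0-9+/]+={0,2}$/.test(p)) problems.push('p-not-base64');
  else if (k === 'ed25519' && atob(p).length !== 32) problems.push('ed25519-key-not-32-bytes');
  const flags = (tags.get('t') || '').split(':').map((f) => f.trim());
  if (flags.includes('y')) problems.push('testing-mode');
  return problems;
}

// Constructed sample records (placeholder key material, not real keys).
const SAMPLES = {
  typoTag: 'v=DKIM1; k=rsa; pp=QUJDRA==',             // misspelled p=, so p= is missing too
  revoked: 'v=DKIM1; p=',
  testing: 'v=DKIM1; k=ed25519; t=y:s; p=' + btoa('K'.repeat(32)),
  badKey: 'v=DKIM2; k=dsa; p=not*base64',
};
for (const [name, rec] of Object.entries(SAMPLES)) console.log(name, checkRecord(rec));
```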
Key Length and RSA Security
RSA DKIM keys come in different sizes. A 1024-bit RSA key (about 172 Base64 characters in p=) is the minimum and is considered weak by current standards. A 2048-bit key (about 344 Base64 characters) is the current recommendation and provides strong security for the foreseeable future. Some providers use 4096-bit keys for maximum security. This validator estimates key length from the Base64 length of the p= value: approximately 173 bytes of Base64 = 1024 bits, 345 bytes = 2048 bits, 689 bytes = 4096 bits.
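An added example, not the validator's own code, that reads the RSA modulus size from the DER structure inside p= instead of estimating it from the Base64 length; the Base64 text also covers the DER headers and the exponent, so it is longer than the modulus alone. The sample keys are constructed filler bytes, and all function names are assumptions.

```javascript
// Added example (not the tool's own source): exact RSA size from the DER inside p=.

// Read the DER element at `off`, require `tag`, return the bounds of its value.
function tlv(buf, off, tag) {
  let len = buf[off + 1], start = off + 2;
  if (len & 0x80) {                       // long form: low 7 bits count the length bytes
    const stop = start + (len & 0x7f);
    for (len = 0; start < stop; start++) len = len * 256 + buf[start];
  }
  if (buf[off] !== tag || !(start + len <= buf.length)) throw new Error('malformed DER');
  return { start, end: start + len };
}

// Accepts SubjectPublicKeyInfo (what `openssl rsa -pubout` emits) or a bare RSAPublicKey.
function rsaModulusBits(pValue) {
  const der = Uint8Array.from(atob(pValue.replace(/\s+/g, '')), (c) => c.charCodeAt(0));
  let at = tlv(der, 0, 0x30).start;                  // outer SEQUENCE
  if (der[at] === 0x30) {                            // SPKI: AlgorithmIdentifier, BIT STRING
    const bitString = tlv(der, tlv(der, at, 0x30).end, 0x03);
    at = tlv(der, bitString.start + 1, 0x30).start;  // skip the unused-bits byte
  }
  const mod = tlv(der, at, 0x02);                    // INTEGER modulus
  let i = mod.start;
  while (i < mod.end && der[i] === 0) i++;           // drop the sign-padding zero byte
  return i === mod.end ? 0 : (mod.end - i) * 8 - (Math.clz32(der[i]) - 24);
}

const grade = (bits) => (bits < 1024 ? 'inadequate' : bits < 2048 ? 'minimum' : 'recommended');

// Constructed sample: a well-formed SPKI around filler modulus bytes (not a usable key).
function enc(tag, body) {
  const n = body.length;
  return [tag, ...(n < 128 ? [n] : n < 256 ? [0x81, n] : [0x82, n >> 8, n & 255]), ...body];
}
function sampleP(bits) {
  const rsaOid = [0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 1, 1, 1, 0x05, 0x00];
  const modulus = [0x00, 0xc3, ...new Array(bits / 8 - 1).fill(0xa5)];
  const key = enc(0x30, [...enc(0x02, modulus), 0x02, 0x03, 0x01, 0x00, 0x01]);
  return btoa(String.fromCharCode(...enc(0x30, [...rsaOid, ...enc(0x03, [0x00, ...key])])));
}

for (const bits of [768, 1024, 2048]) {
  const p = sampleP(bits);
  console.log(`${p.length} Base64 chars -> ${rsaModulusBits(p)} bits (${grade(rsaModulusBits(p))})`);
}
```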
Completing Your Email Authentication Stack
DKIM alone is not sufficient — for full email authentication coverage, you need SPF, DKIM, and DMARC all working together. SPF tells receivers which servers can send for your domain. DKIM proves the message content wasn't tampered with. DMARC ties them together with an enforcement policy and reporting. Use the SPF Record Validator to check your SPF record and the DMARC Record Validator to validate your DMARC policy.
FAQ
What is a DKIM record and what does it do?
DKIM (DomainKeys Identified Mail) is an email authentication method that allows receiving mail servers to verify that an email was actually sent by the domain it claims to be from and that the message content was not altered in transit. It works by adding a cryptographic digital signature to outgoing emails (done by your mail server) and publishing the corresponding public key as a DNS TXT record. When a receiving server gets an email, it retrieves the DKIM public key from DNS and uses it to verify the signature in the message headers.
What does this DKIM validator check?
This validator parses your DKIM TXT record value against RFC 6376 and checks: that the version tag is DKIM1; that the required p= public key tag is present; that the public key value is valid Base64 (or empty for a revoked key); that the k= key type is either 'rsa' or 'ed25519'; that any unknown or misspelled tags are flagged; that the RSA key length is adequate (1024 bits minimum, 2048+ recommended); and whether the key is in testing mode (t=y), which means it won't be enforced.
Where do I find my DKIM record to validate?
Your DKIM record is published as a DNS TXT record at a specific selector._domainkey.yourdomain.com subdomain. The selector is a string you (or your email provider) chose when setting up DKIM. Common selectors include 'default', 'google' (for Google Workspace), 'selector1' (for Microsoft 365), and 's1' or 's2'. You can find your selector by looking at the DKIM-Signature header in any email you've sent, or in your email provider's DKIM setup page. Then look up the TXT record at that DNS subdomain and paste the value here.
What does an empty p= tag mean in a DKIM record?
An empty p= tag (p=) in a DKIM record is intentional and means the key has been revoked. When a domain wants to revoke a DKIM key (e.g., after a security incident or key rotation), they set p= to an empty value. This tells receiving mail servers to reject emails signed with that key. This validator will flag an empty p= tag as a revoked key rather than an error — it's valid DKIM syntax but means no emails can be verified with that key.
Is my data safe when using this tool?
Yes. This DKIM record validator runs entirely in your browser using client-side JavaScript. Your DKIM record data is never sent to any server or stored anywhere. All parsing and validation logic runs locally on your device.
What is the difference between RSA and Ed25519 DKIM keys?
RSA is the traditional DKIM key type and is universally supported by all mail servers and clients. RSA DKIM keys should be at least 1024 bits, with 2048 bits being the current recommendation for security. Ed25519 is a newer elliptic curve key type added in RFC 8463 that offers stronger security with much shorter keys (256 bits provides more security than RSA-2048). However, Ed25519 is not yet supported by all mail infrastructure, so RSA 2048-bit keys remain the safest choice for maximum compatibility.