DKIM Signature Checker: Validate Cryptographic Email Auth

Check DKIM records to verify selector configuration, validate public keys, and ensure proper cryptographic email signature setup.

DKIM Signature Validation

DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify email authenticity and integrity. Sending mail servers sign outgoing messages with a private key; receiving servers validate signatures using public keys published in DNS TXT records.

DKIM Selectors

DKIM uses selectors to support multiple keys per domain. Selectors are arbitrary names chosen by the domain owner. Common selectors include default, google, k1, and selector1.

Public keys are published at selector._domainkey.example.com. For example, Google Workspace uses google._domainkey.example.com.

DKIM Record Structure

A DKIM TXT record contains tags separated by semicolons. Key tags include v=DKIM1 (version), k=rsa (key type), and p=... (public key in Base64).

Example: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBi...

Key Rotation & Security

Rotate DKIM keys annually or when private keys may be compromised. Use 2048-bit RSA keys minimum (1024-bit is deprecated). Multiple selectors enable zero-downtime rotation—publish the new key, update mail server configuration, then remove the old key after emails signed with it have been delivered.

DKIM signatures include a timestamp and optional expiration. This prevents replay attacks where attackers resend old signed messages. Most implementations set 48-72 hour expiration windows.
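
A check for the record structure and the 2048-bit minimum described above, as an added example that is not code from this page or its checker tool: it parses a DKIM TXT record and reads the RSA modulus size out of the Base64 p= value. The function names are assumptions, and the sample record is constructed with a placeholder modulus rather than a real key.

```python
import base64, binascii

def _tlv(buf, pos=0):
    """Read one DER element at pos; return (value bytes, offset of next element)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo holding an RSA key."""
    outer, _ = _tlv(spki)         # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, nxt = _tlv(outer)          # skip AlgorithmIdentifier
    bitstr, _ = _tlv(outer, nxt)  # unused-bits byte, then RSAPublicKey
    rsakey, _ = _tlv(bitstr, 1)   # SEQUENCE { modulus, publicExponent }
    return int.from_bytes(_tlv(rsakey)[0], "big").bit_length()

def check_dkim_record(txt):
    """Return findings for one DKIM TXT record; an empty list means none."""
    pairs = (t.split("=", 1) for t in txt.split(";") if "=" in t)
    tags = {k.strip(): "".join(v.split()) for k, v in pairs}
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= is not DKIM1")
    if not tags.get("p"):  # RFC 6376: an empty p= means the key has been revoked
        return findings + ["p= missing or empty: no usable key (empty means revoked)"]
    if tags.get("k", "rsa") != "rsa":
        return findings + ["k=%s: RSA size check skipped" % tags["k"]]
    try:
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (binascii.Error, IndexError):
        return findings + ["p= is not a valid Base64 RSA key"]
    if bits < 2048:
        findings.append("RSA key is %d bits, below the 2048-bit minimum" % bits)
    return findings

def _der(tag, body):  # DER encoder, used only to build the constructed sample
    size = (len(body).bit_length() + 7) // 8
    long = bytes([0x80 | size]) + len(body).to_bytes(size, "big")
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else long) + body

def sample_record(bits):
    """Constructed sample: well-formed record, placeholder modulus, not a usable key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```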