DKIM Lookup Tool
Check any DKIM selector and read its public key. Pull the TXT record under selector._domainkey, confirm the key is present and report the key type.
This DKIM lookup tool checks any selector and pulls the public key record it points to. Hand it a domain and a selector and it reads the TXT record that hides under selector._domainkey, where DKIM stashes the key receiving servers use to verify the signature on your mail. Without the selector you are poking around blind, so the tool reports whether a record was found, whether the public key (p=) is present, and what key type (k=) it declares, then prints the full record. It is the bit worth re-checking whenever a message bounces or lands in spam, because half the time a wrong or missing selector is the whole problem. Grab the s= value off a real email if you are unsure which one to type.
Queries run through the PeopleAreGeek lookup service. We log nothing.
DKIM Lookup Tool: Check DKIM Selector and Public Key Record
Hand me a domain and a selector. I'll pull the DKIM record. The catch with DKIM is the record hides under selector._domainkey.example.com, so without the selector you're just poking around blind. Inside it sits the public key receiving servers use to check the signature on your mail. It's the bit I always end up re-checking when something bounces, honestly, because half the time that's where the problem is.
What is a DKIM selector?
The selector is basically a label. It tells the receiving server which key to grab. You can publish more than one at a time, which is the whole trick behind rotating keys without breaking yesterday's mail. The annoying part? Everybody names theirs differently. I've hit default, google, the selector1 / selector2 pair, k1, plus a heap of provider-specific ones that read like keyboard mashing. No standard anywhere. So you go hunting.
How to find your selector
- Start with your provider's DNS setup docs. They nearly always name the selector outright, and that's the fastest way in.
- Docs being vague? Open a message you've already sent and read its DKIM-Signature header. The s= value is your selector, sitting right there in plain sight.
- Same header gives you d=, the signing domain. Paste d= into the domain box and s= into the selector box. That's it.
Frequently asked questions
Why does my DKIM lookup return no record?
Most of the time it is the wrong selector, so try a couple of others before you panic. It is also possible the record was never published, or DNS has not propagated yet and the void will fill in within an hour. Some providers stash the key under a hostname you would never guess. When in doubt, grab the s= value off a real email you sent and trust that over whatever you typed from memory.
What is a DKIM selector?
The selector is a label that tells the receiving server which key to grab. You can publish more than one at a time, which is the whole trick behind rotating keys without breaking yesterday mail. Everybody names theirs differently: default, google, the selector1 and selector2 pair, k1, plus many provider-specific ones. There is no standard, so you go hunting.
How do I find my selector?
Start with your provider DNS setup docs, which nearly always name the selector outright. If the docs are vague, open a message you already sent and read its DKIM-Signature header. The s= value is your selector and the d= value is the signing domain. Paste d= into the domain box and s= into the selector box.
Does DKIM replace SPF?
No, you want both. SPF says which servers are allowed to send for your domain. DKIM proves the message was not tampered with on the way over. They are two different jobs and do not overlap much. DMARC sits on top, ties the pair together, and tells receivers what to do when one of them fails. Run all three.