DKIM Checker
Learn how DKIM signatures authenticate your emails and what our checker validates.
What is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication method that allows the receiving server to verify that an email was actually sent by the domain it claims to be from and that its content hasn't been tampered with during transit.
Unlike SPF, which validates the sending server, DKIM validates the message itself by attaching a digital signature to every outgoing email. This signature acts like a tamper-evident seal that proves the email is authentic and unmodified.
How DKIM Signing Works
DKIM uses public-key cryptography to sign and verify messages:
- You generate a key pair – A private key stays on your mail server, while the public key is published in your DNS as a TXT record.
- Your server signs outgoing emails – When you send an email, your mail server hashes specific parts of the message (headers and body) and signs that hash with your private key, producing a unique signature.
- The signature is added to the email – This signature is placed in a special DKIM-Signature header, along with information about which domain signed it and where to find the public key.
- Receivers verify the signature – The receiving server fetches your public key from DNS, computes its own hash of the message, and checks the signature against it. If they match, the email is verified as authentic.
Understanding Selectors
A DKIM selector is a label that allows you to publish multiple public keys for the same domain. The selector appears in both the DKIM-Signature header and the DNS record location.
For example, if your selector is mail, the public key would be published at mail._domainkey.yourdomain.com. This enables you to:
- Use different keys for different mail servers or services
- Rotate keys without disrupting email delivery
- Allow third-party services to sign on your behalf with their own keys
Common selectors include service-specific names like google, mailchimp, or sendgrid, or generic names like default or selector1.
Key Sizes and Security
DKIM keys come in different sizes, with 2048-bit keys being the current recommended minimum. Larger keys provide stronger security:
- 1024-bit – Once standard, now considered weak and should be upgraded
- 2048-bit – Current recommended minimum, provides strong security
- 4096-bit – Maximum security, though not all systems support it
Larger keys do increase DNS record size, which can cause issues with some DNS providers that limit TXT record length.
What MailHealth Checks
Our DKIM checker analyzes your configuration for:
- Record existence – Confirms a DKIM record exists for the specified selector
- Key validity – Verifies the public key is properly formatted and can be parsed
- Key size – Warns if your key is below 2048 bits
- Record syntax – Ensures all required tags are present and correctly formatted
- Common issues – Identifies problems like missing version tags or invalid key types
- Best practices – Recommends improvements to strengthen your DKIM setup
A properly configured DKIM signature builds trust with receiving servers and is essential for DMARC alignment. Together with SPF and DMARC, DKIM forms the foundation of modern email authentication.
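The record checks listed above can be sketched offline in a few lines. This is an added example, not MailHealth's own code: the function names are hypothetical, and the sample keys are constructed (well-formed DER, but not real RSA keys).

```python
import base64

def _read_tlv(buf, pos=0):  # read one DER element: (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):  # modulus size of an RSA SubjectPublicKeyInfo
    _, spki, _ = _read_tlv(der)          # outer SEQUENCE
    _, _, pos = _read_tlv(spki)          # AlgorithmIdentifier, skipped
    _, bits, _ = _read_tlv(spki, pos)    # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = _read_tlv(bits, 1)   # byte 0 is the unused-bits count
    _, modulus, _ = _read_tlv(rsa_key)   # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt):  # txt: TXT value at <selector>._domainkey.<domain>
    tags, findings = {}, []
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    if tags.get("v") != "DKIM1":
        findings.append("missing or invalid version tag")
    key_type = tags.get("k", "rsa")      # k= defaults to rsa when absent
    if key_type not in ("rsa", "ed25519"):
        findings.append("invalid key type")
    if not tags.get("p"):
        return findings + ["no public key in p="]
    try:
        der = base64.b64decode(tags["p"], validate=True)
        if key_type == "rsa" and rsa_modulus_bits(der) < 2048:
            findings.append("RSA key below 2048 bits")
    except (ValueError, IndexError):
        findings.append("public key cannot be parsed")
    return findings

def _tlv(tag, value):  # DER-encode one element; only used to build the samples
    size = len(value).to_bytes(2, "big").lstrip(b"\x00")
    return bytes([tag]) + (size if len(value) < 128 else bytes([128 | len(size)]) + size) + value

def sample_record(bits):  # constructed input: well-formed SPKI, NOT a real key
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_key = _tlv(0x30, _tlv(0x02, n) + _tlv(0x02, b"\x01\x00\x01"))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Calling `check_dkim_record(sample_record(1024))` returns the weak-key finding, while the 2048-bit sample returns an empty list.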