Skip to main content

New

Test your email deliverability

Send a test email and get a complete diagnosis of your SPF, DKIM and DMARC authentication in seconds.

  • Real send test
  • Instant diagnosis
  • No signup required
Run the test

DKIM Checker

DKIM check and lookup with live DNS query - fix DKIM failures fast

Why is your DKIM failing? Enter your domain and selector for a complete DKIM check with DNS lookup, key validation, and error detection.

Live DNS lookup

Queries DNS exactly as receiving servers do. No simulation, no local cache - the real state of your record.

Secure key rotation

Verify that the new selector is active and functional before deactivating the old one. Avoid service interruptions.

Detailed diagnosis

Identify precisely why your emails fail: truncated key, incorrect selector, missing record, or DNS conflict.

DMARC compatibility

Verify that your DKIM signature is compatible with DMARC alignment required to protect your domain from spoofing.

Recommended actions

Each detected issue comes with precise instructions to fix it. Follow the step-by-step guide.

Verify your DKIM configuration in seconds

DKIM (DomainKeys Identified Mail) is one of the pillars of email authentication. Properly configured, it allows receiving servers to verify that your emails genuinely come from an authorized system and have not been altered in transit.

Misconfigured, DKIM becomes a silent deliverability killer.

CaptainDNS's DKIM Inspector verifies your DNS record exactly as receiving servers see it. No assumptions. No shortcuts. The real DNS state of your domain.

How does DKIM work?

DKIM answers a simple question for the receiving server:

"Can I cryptographically trust this message?"

The 3-step process:

  1. Signing: Your sending server signs each email with a private key
  2. Publication: Your domain publishes the corresponding public key in a DNS TXT record
  3. Verification: The receiving server retrieves the public key and verifies the signature

If the DNS record is missing, malformed, truncated, or published under the wrong selector, verification fails - even if your ESP indicates everything is correct.

How to use the inspector in 3 steps

Step 1: Identify domain and selector

  • Domain: Your sending domain (e.g., captaindns.com)
  • Selector: The DKIM key identifier (e.g., google, selector1, s1)

How to find the selector?

  • In the headers of a sent email, look for DKIM-Signature: s=selector
  • In your ESP's documentation (Google Workspace, Microsoft 365, etc.)

Step 2: Run the inspection

Enter the domain and selector above. The tool performs a DNS query to:

selector._domainkey.captaindns.com

Step 3: Analyze the results

The inspector displays:

  • The raw record as published in DNS
  • Decoded tags (version, key type, public key)
  • Detected errors with explanations and recommendations
  • DMARC compatibility (domain alignment)

What the DKIM Inspector checks

The tool goes beyond a simple DNS query. It verifies whether your DKIM configuration is operational, not just present.

CheckDescription
ExistenceThe TXT record exists for the specified selector
TXT formatThe record is a valid TXT (not an orphan CNAME)
SyntaxRequired tags (v, k, p) are present and correct
Public keyThe key is complete, readable, and properly base64 encoded
Key lengthRSA 2048 bits minimum recommended
PropagationThe record is visible from public DNS servers

When DKIM looks correct but still fails

This is one of the most common cases in production.

Problem 1: Wrong selector

Symptom: The inspector doesn't find the record

Diagnosis: You're querying google._domainkey.captaindns.com but the record is under selector1._domainkey.captaindns.com

Solution: Check the exact selector in your email headers (DKIM-Signature: s=...)

Problem 2: Truncated key

Symptom: public_key_parse_error or invalid signature

Diagnosis: The public key was cut during copy-paste in the DNS interface

Solution: Republish the complete key. A 2048-bit RSA key is about 400 characters.

Problem 3: Multiple conflicting records

Symptom: lookup_multiple_dkim error

Diagnosis: Multiple TXT records exist for the same selector

Solution: Delete obsolete records, keep only the correct one.

Problem 4: CNAME vs TXT

Symptom: lookup_cname_alias error

Diagnosis: The record is a CNAME pointing to your ESP, but the target doesn't exist or doesn't resolve

Solution: Verify the CNAME target is correct and active at your provider.

Problem 5: Incomplete DNS propagation

Symptom: The inspector sees the record, but some recipients don't

Diagnosis: The TTL hasn't expired on all DNS servers yet

Solution: Wait for complete propagation (up to 48h depending on previous TTL).

DKIM alone is not enough

DKIM is essential, but doesn't work in isolation.

ProtocolRoleRelationship with DKIM
SPFDefines who can sendIndependent but complementary
DKIMProtects message integrity-
DMARCDefines what to do if authentication failsRequires aligned SPF or DKIM

A valid DKIM record not aligned with DMARC can still result in quarantined or rejected emails. DMARC alignment verifies that the DKIM signature domain (d=) matches the email's From: domain.

Difference between syntax check and DNS inspection

AspectSyntax checkerInspector (this tool)
InputCopy-pasted DKIM valueDomain + selector
MethodLocal analysisReal DNS query
WhenBefore publicationAfter publication
DetectsFormat errorsPropagation, resolution, conflicts

Recommended workflow:

  1. Syntax: Use the DKIM syntax checker before publication
  2. Publication: Add the TXT record to your DNS zone
  3. Inspection: Use this inspector to confirm propagation

FAQ - Frequently asked questions

Q: What is a DKIM selector?

A: The selector is an identifier allowing a domain to publish multiple DKIM keys simultaneously. It's part of the DNS name: selector._domainkey.captaindns.com. Each ESP or sending system can use its own selector, enabling key rotations and multi-provider configurations.

Q: My ESP says DKIM is valid, but the inspector finds an error. Why?

A: ESPs validate their internal configuration, not necessarily what's publicly visible in DNS. The inspector checks what receiving servers actually see - that's the only thing that matters for deliverability.

Q: Is it safe to test my records?

A: Yes. The tool only performs read-only DNS queries. No emails are sent. No modifications are made to your configuration.

Q: DKIM is valid, but my emails go to spam. Why?

A: DKIM validity is necessary but not sufficient. Inbox placement also depends on: SPF, DMARC alignment, IP/domain reputation, sending behavior, and message content.

Q: How often should I check my DKIM configuration?

A: Check after every DNS change, ESP migration, or key rotation. Periodic production checks are recommended, especially with multiple sending providers.

Q: How do I know if DKIM is aligned with DMARC?

A: DKIM alignment verifies that the d= domain of the DKIM signature matches the email's From: domain. The inspector indicates whether your configuration is compatible with DMARC alignment.

Complementary tools

ToolPurpose
DKIM Syntax CheckerValidate a DKIM value before DNS publication
SPF InspectorCheck your SPF record
DMARC InspectorTest your DMARC policy
Email Header AnalyzerDiagnose authentication failures on a received email
DNS PropagationCheck worldwide propagation of your records

Useful resources