Free account

Keep your requests in reach

Create an account in under 30 seconds to keep 6 months of history, share saved requests, and trigger email or webhook alerts on every diff.

  • 6-month searchable history
  • Diff alerts via email & webhook
  • Latency spike monitoring
Create account

Test DKIM record

Verify and understand your DKIM configuration in seconds

DKIM (DomainKeys Identified Mail) is one of the core building blocks of email authentication. When it is correctly configured, it allows receiving mail servers to verify that an email was genuinely sent by an authorized system and that its content has not been altered in transit.

When it is almost correct, however, DKIM becomes a silent deliverability killer.

The DKIM Record Inspector by CaptainDNS helps you verify your DKIM DNS records exactly as they are seen by receiving mail servers. No assumptions. No shortcuts. Just the real, public DNS state of your domain.

What a DKIM record actually does

At its core, DKIM answers a simple question for the receiving server:

"Can I cryptographically trust this message?"

To do so:

  • your sending server signs each email with a private key,
  • your domain publishes the corresponding public key in DNS,
  • the receiving server retrieves that key and verifies the signature.

If the DNS record is missing, malformed, truncated, or published under the wrong selector, the verification fails - even if your ESP says everything is fine.

What the DKIM Record Inspector checks

This tool goes beyond a basic DNS lookup. It verifies whether your DKIM setup is operational, not just present.

It checks:

  • that the DKIM record exists for the specified selector,
  • that it is published as a valid TXT record,
  • that the public key is complete and readable,
  • that the record syntax is correct,
  • and that the configuration is compatible with DMARC alignment.

Instead of a vague "valid / invalid" result, you get a clear diagnostic explaining what works, what does not, and why.

How to use the tool

  1. Enter your domain name
  2. Provide the DKIM selector used by your sending system
  3. Run the check

Within seconds, the inspector shows you:

  • the DKIM record exactly as published in DNS,
  • any detected issues,
  • and actionable hints to fix them.

The tool performs read-only DNS queries. No emails are sent. No configuration is modified.

When DKIM looks correct but still fails

This is one of the most common situations in production environments.

Typical causes include:

  • the record exists, but under the wrong selector,
  • the public key was partially copied and silently truncated,
  • multiple DKIM records conflict with each other,
  • DNS changes were applied on a secondary provider but not the primary one,
  • a DKIM key rotation was started but never completed.

The DKIM Record Inspector is designed to surface these issues before they impact inbox placement.

DKIM alone is not enough

DKIM is essential, but it does not work in isolation.

  • SPF defines who is allowed to send emails for your domain,
  • DKIM protects the integrity of the message,
  • DMARC defines what to do when authentication fails.

A valid DKIM record that is not aligned with DMARC can still result in rejected or quarantined emails. That is why CaptainDNS tools are designed to work together, using the same DNS-first approach.

Visual guides

DKIM email flow

How an email is signed, verified, and validated using DKIM and DNS.

DKIM record anatomy

An example DKIM record with its key parameters explained.

FAQ

What is a DKIM selector?

The selector is an identifier that allows a domain to publish multiple DKIM keys at the same time. It is part of the DNS name, for example:

selector1._domainkey.example.com

Each sending system or provider can use its own selector, which makes key rotation and multi-provider setups possible.

Why does my ESP say DKIM is valid, but this tool reports an error?

Most ESPs validate their internal configuration, not necessarily what is publicly visible in DNS.

The DKIM Record Inspector checks what receiving servers actually see when they query your domain, which is the only thing that matters for real-world delivery.

Is it safe to test my DKIM records?

Yes. The tool only performs DNS queries in read-only mode. No emails are sent and no changes are made to your configuration.

My DKIM is valid. Why do my emails still go to spam?

DKIM validity is required, but not sufficient on its own. Inbox placement also depends on SPF, DMARC alignment, IP and domain reputation, sending behavior, and message content.

How often should I check my DKIM configuration?

You should verify your DKIM records after any DNS change, email provider migration, or key rotation. Periodic checks in production environments are also strongly recommended.

DKIM is not complex, but it is unforgiving. A single missing character in DNS is enough to break authentication for every email you send.

The DKIM Record Inspector gives you a clear, DNS-level view of your configuration, so you can fix issues before they turn into deliverability problems.