Skip to main content

DKIM Checker

DKIM check and lookup with live DNS query - fix DKIM failures fast

Why is your DKIM failing? Enter your domain and selector for a complete DKIM check with DNS lookup, key validation, and error detection.

The selector appears in the DKIM-Signature header of your emails (s= tag). Leave "default" if you don't know it.

Verify your DKIM configuration in seconds

DKIM (DomainKeys Identified Mail) is one of the pillars of email authentication. Properly configured, it proves to receiving servers that your emails come from an authorized system and were not altered in transit.

Misconfigured, DKIM becomes a silent deliverability killer.

CaptainDNS's DKIM Inspector verifies your DNS record exactly as receiving servers see it. No assumptions. No shortcuts. The real DNS state of your domain.


How does DKIM work?

DKIM answers a simple question for the receiving server:

"Can I cryptographically trust this message?"

The 3-step process:

  1. Signing: Your sending server signs each email with a private key
  2. Publication: Your domain publishes the corresponding public key in a DNS TXT record
  3. Verification: The receiving server retrieves the public key and verifies the signature

If the DNS record is missing, malformed, truncated, or published under the wrong selector, verification fails - even if your ESP indicates everything is correct.


How to use the inspector in 3 steps

Step 1: Identify domain and selector

  • Domain: Your sending domain (e.g., captaindns.com)
  • Selector: The DKIM key identifier (e.g., google, selector1, s1)

How to find the selector?

  • In the headers of a sent email, look for DKIM-Signature: s=selector
  • In your ESP's documentation (Google Workspace, Microsoft 365, etc.)

Step 2: Run the inspection

Enter the domain and selector above. The tool performs a DNS query to:

selector._domainkey.captaindns.com

Step 3: Analyze the results

The inspector displays:

  • The raw record as published in DNS
  • Decoded tags (version, key type, public key)
  • Detected errors with explanations and recommendations
  • DMARC compatibility (domain alignment)

What the DKIM Inspector checks

The tool goes beyond a simple DNS query. It verifies whether your DKIM configuration is operational, not just present.

CheckDescription
ExistenceThe TXT record exists for the specified selector
TXT formatThe record is a valid TXT (not an orphan CNAME)
SyntaxRequired tags (v, k, p) are present and correct
Public keyThe key is complete, readable, and properly base64 encoded
Key lengthRSA 2048 bits minimum recommended
PropagationThe record is visible from public DNS servers

When DKIM looks correct but still fails

This is one of the most common cases in production.

Problem 1: Wrong selector

Symptom: The inspector doesn't find the record

Diagnosis: You're querying google._domainkey.captaindns.com but the record is under selector1._domainkey.captaindns.com

Solution: Check the exact selector in your email headers (DKIM-Signature: s=...)

Problem 2: Truncated key

Symptom: public_key_parse_error or invalid signature

Diagnosis: The public key was cut during copy-paste in the DNS interface

Solution: Republish the complete key. A 2048-bit RSA key is about 400 characters.

Problem 3: Multiple conflicting records

Symptom: lookup_multiple_dkim error

Diagnosis: Multiple TXT records exist for the same selector

Solution: Delete obsolete records, keep only the correct one.

Problem 4: CNAME vs TXT

Symptom: lookup_cname_alias error

Diagnosis: The record is a CNAME pointing to your ESP, but the target doesn't exist or doesn't resolve

Solution: Verify the CNAME target is correct and active at your provider.

Problem 5: Incomplete DNS propagation

Symptom: The inspector sees the record, but some recipients don't

Diagnosis: The TTL hasn't expired on all DNS servers yet

Solution: Wait for complete propagation (up to 48h depending on previous TTL).


DKIM alone is not enough

DKIM is essential, but doesn't work in isolation.

ProtocolRoleRelationship with DKIM
SPFDefines who can sendIndependent but complementary
DKIMProtects message integrity-
DMARCDefines what to do if authentication failsRequires aligned SPF or DKIM

A valid DKIM record not aligned with DMARC can still result in quarantined or rejected emails. DMARC alignment verifies that the DKIM signature domain (d=) matches the email's From: domain.


Difference between syntax check and DNS inspection

AspectSyntax checkerInspector (this tool)
InputCopy-pasted DKIM valueDomain + selector
MethodLocal analysisReal DNS query
WhenBefore publicationAfter publication
DetectsFormat errorsPropagation, resolution, conflicts

Recommended workflow:

  1. Syntax: Use the DKIM syntax checker before publication
  2. Publication: Add the TXT record to your DNS zone
  3. Inspection: Use this inspector to confirm propagation

FAQ - Frequently asked questions

Q: Why is my DKIM failing?

A: DKIM failures occur when: 1) the selector is incorrect or doesn't exist, 2) the public key is truncated or malformed, 3) multiple conflicting DKIM records exist, 4) DNS propagation is incomplete. Use this DKIM checker to identify the exact cause.


Q: What is a DKIM selector?

A: The selector is an identifier allowing a domain to publish multiple DKIM keys simultaneously. It's part of the DNS name: selector._domainkey.captaindns.com. Each ESP or sending system can use its own selector, enabling key rotations and multi-provider configurations.


Q: My ESP says DKIM is valid, but the inspector finds an error. Why?

A: ESPs validate their internal configuration, not necessarily what's publicly visible in DNS. The inspector checks what receiving servers actually see - that's the only thing that matters for deliverability.


Q: Is it safe to test my records?

A: Yes. The tool only performs read-only DNS queries. No emails are sent. No modifications are made to your configuration.


Q: DKIM is valid, but my emails go to spam. Why?

A: DKIM validity is necessary but not sufficient. Inbox placement also depends on: SPF, DMARC alignment, IP/domain reputation, sending behavior, and message content.


Q: How often should I check my DKIM configuration?

A: Check after every DNS change, ESP migration, or key rotation. Periodic production checks are recommended, especially with multiple sending providers.


Q: How do I know if DKIM is aligned with DMARC?

A: DKIM alignment verifies that the d= domain of the DKIM signature matches the email's From: domain. The inspector indicates whether your configuration is compatible with DMARC alignment.


Complementary tools

ToolPurpose
DKIM Syntax CheckerValidate a DKIM value before DNS publication
DKIM GeneratorGenerate a DKIM key pair and DNS TXT record
SPF InspectorCheck your SPF record
DMARC InspectorTest your DMARC policy
Email Header AnalyzerDiagnose authentication failures on a received email

Useful resources