How do I check if my DKIM setup is correct?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Three ways to check, in order of how much work they take. Start with the first one.
Method 1: Use a DKIM checker (30 seconds)
Paste your domain and selector name into our DKIM checker. If your ESP told you to use selector "k1" on yourdomain.com, enter both fields. The tool looks up the DNS record and confirms whether it's published and valid.
And You'll need your selector name. Find it in your ESP's DKIM settings page. It's usually labeled "DKIM selector" or "authentication selector."
Method 2: Send a test email and read the header
Send any email from your ESP to a Gmail or Outlook account you control. In Gmail, open the message, click the three-dot menu in the top right, and choose "Show original." Look for the Authentication-Results line near the top. A correct setup looks like this:
dkim=pass header.i=@yourdomain.com
If you see dkim=fail or dkim=none, the signature isn't verifying. Paste the full header into our email header analyzer for a clean breakdown without reading raw text.
Method 3: Command line lookup
But if you prefer the terminal:
dig TXT selector._domainkey.yourdomain.com +short
Replace "selector" with your actual selector name. A published record returns a long string starting with v=DKIM1. An empty response means the record isn't there.
Most common reasons it fails
The TXT record was published at the wrong subdomain (typo in the selector path), the public key has a formatting error, or the selector name in DNS doesn't match the one your ESP is signing with. Your ESP's setup guide will confirm the exact DNS path. If you're going in circles, the SOS hotline is free.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.