What tools check DKIM records?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've set up DKIM, your DNS records are published, and now you want to confirm everything is actually working. The good news: there are several solid tools for this. The slightly annoying news: they check different things, so one passing doesn't always mean you're done.
Here's the core distinction worth understanding. Some tools check whether your DKIM record exists and is formatted correctly in DNS. Others verify that your mail server is actually signing outbound emails with that key. Both matter. A record can exist perfectly in DNS while your ESP has DKIM signing turned off. The record check passes. Emails still fail authentication.
Tools that check the DNS record
MXToolbox DKIM Lookup is the go-to for most senders. You enter your domain and selector, and it tells you whether the record exists, whether the key is properly formatted, and whether the key length looks healthy (2048-bit is what you want). It's fast and free.
dmarcian DKIM Inspector does similar work but gives you more detail on the key structure itself. Worth running if MXToolbox throws an error you can't interpret.
From the command line, you can query it directly with:
dig TXT selector._domainkey.yourdomain.com
Replace "selector" with your actual selector name (your ESP usually tells you what this is). If you get a TXT record back with v=DKIM1; k=rsa; p=... in it, the record is published. If you get nothing, it isn't.
Tools that check actual signing
mail-tester.com is the most useful end-to-end test. You send a real email to a temporary address it gives you, and it tells you whether the received message carries a valid DKIM signature. This is the one test that catches the scenario above, where DNS looks fine but your server isn't signing. If mail-tester shows a DKIM fail while MXToolbox shows the record is there, the problem is almost always on the sending side, not the DNS side. Check your ESP's DKIM signing settings.
You can also check headers manually. Send a test email to a Gmail address, open the message, click "Show original", and look for dkim=pass in the Authentication-Results header. That's a clean confirmation straight from a major mailbox provider.
What to look for when you run these checks
- The record exists at the right selector and domain
- The public key starts with
v=DKIM1and has a validp=value - Key length is 2048-bit (1024-bit is considered weak now)
- No line breaks or truncation in the key (this happens with some DNS providers)
- Outbound emails show
dkim=passin received headers
Run these checks any time you rotate your DKIM key, add a new sending domain, or switch ESPs. It takes two minutes and it saves a lot of head-scratching later. You can also use our free DKIM Record Lookup to check your record without touching the command line. And if something looks off and you're not sure what it means, just ask us.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.