Free tool
DKIM Record Checker
Enter a domain and DKIM selector to fetch the published public key, confirm it parses, and verify the signing setup that lets receivers detect tampered or forged mail. Reads public DNS only.
Live DNS lookup via DNS-over-HTTPS. We only read public DNS records.
How the DKIM check works
Enter your domain and a selector, and the tool looks up <selector>._domainkey.<domain> in DNS. It confirms the record parses as DKIM (v=DKIM1), checks that a public key is published (and not empty/revoked), and reports the key type and whether testing mode is on.
Finding the right selector
The selector isn't guessable — it's set by whoever sends your mail. The reliable way to find it is to open a message you've sent, view its raw headers (try the email header analyzer), and read the s= value from the DKIM-Signature line. Then confirm the full picture with the DMARC and SPF checkers.
Frequently asked questions
What is a DKIM record and selector?
DKIM (DomainKeys Identified Mail) publishes a public key in DNS that lets receivers verify a message was signed by your domain and not altered in transit. The key lives at <selector>._domainkey.<domain>. The selector is a label chosen by your mail provider (for example 'google', 'selector1', or 'k1') so a domain can rotate or run multiple keys.
How do I find my DKIM selector?
Look at the DKIM-Signature header of a message you've sent: the s= tag is the selector and the d= tag is the domain. In a header trace you'll see something like s=google; d=yourdomain.com. Common selectors include google (Google Workspace), selector1/selector2 (Microsoft 365), and k1 (Mailchimp).
What does an empty public key (p=) mean?
If the record's p= value is empty, the key has been revoked and that selector can no longer sign or verify mail. A valid selector publishes a long base64 public key. An empty key on a selector you expect to be active is a misconfiguration to fix.
Does DKIM stop spoofing on its own?
Not by itself. DKIM proves a message was signed by the domain in the d= tag and wasn't modified, but a receiver only acts on that under a DMARC policy that requires alignment with the visible From: address. DKIM + SPF + DMARC together are what stop domain spoofing.
Related free tools
Email authentication
DMARC Record Checker
Look up a domain's published DMARC record and grade the policy that decides whether spoofed mail gets rejected.
Email authentication
SPF Record Checker
Look up and validate a domain's SPF record, including the 10-lookup limit and the all-qualifier that controls enforcement.
Awareness
Phishing Quiz
Realistic email, SMS, QR-code, voice and social scenarios. Guess phishing or legitimate, then see which red flags gave each one away.
Sign your mail. Protect your brand everywhere else.
DKIM secures email integrity. PhishEye handles the impersonation that happens on the web, in search, and on social.