What is a DKIM selector?

A DKIM selector is the DNS label used to find the public key for a signed message, usually at selector._domainkey.example.com.

What qualifies as a DKIM record?

A DKIM record is normally a TXT record beginning with v=DKIM1 and containing tags such as k= and p=, or a CNAME pointing to a hostname that publishes that TXT record.

Why can multiple DKIM records be a problem?

A DKIM selector should publish one clear TXT record or one CNAME target. Multiple TXT records, or TXT and CNAME together, can make validation fail or behave unpredictably.

DKIMPROBLEM.comDKIM Record Analysis

About DKIM

DKIM stands for DomainKeys Identified Mail. It is an email authentication method that allows a sending system to attach a cryptographic signature to a message and publish the matching public key in DNS.

Receiving mail servers can then validate that signature against the DNS record published at a selector such as selector1._domainkey.example.com.

Why It Is Used

DKIM helps receivers confirm that a message was signed by a system authorized to use the domain's private key and that key parts of the message were not altered in transit.

It is one of the main building blocks of modern email authentication alongside SPF and DMARC, and it is especially important for domain alignment under DMARC.

How It Goes Wrong

DKIM records often cause problems when selectors are missing, rotated incorrectly, published with broken syntax, or left using weak RSA key sizes. Problems also occur when the selector in the sending platform does not match the selector published in DNS.

Common failure points include no DNS record at the selector, multiple TXT records at the same selector, malformed DKIM tags, empty public keys, and 1024-bit RSA keys where 2048-bit keys are preferred.

Why DKIM Problems Matter

If a DKIM record is missing, invalid, or too weak, legitimate email may fail DKIM validation. That can contribute to delivery problems, filtering, junk placement, or DMARC alignment failures.

Because DKIM is often relied on for DMARC, DKIM issues can affect deliverability even when the sending service itself is otherwise functioning normally.

What This Tool Does

This site helps inspect a DKIM selector record, detect common syntax issues, confirm whether a selector is published, and review warnings such as multiple records or weak RSA key sizes.

It is intended as a troubleshooting and analysis aid. Results should always be independently checked before any production DNS or email changes are made.

Relevant RFCs

These specifications define the core standards behind the checks on this site.

RFC 6376 - DomainKeys Identified Mail (DKIM) Signatures
RFC 8301 - Cryptographic Algorithm and Key Usage Update to DKIM
RFC 8463 - A New Cryptographic Signature Method for DKIM

Common Problems Checked

Missing selector record
TXT and CNAME records published at the same DKIM host
Multiple TXT records for one selector
Malformed DKIM tags or an unparseable public key
RSA keys below 2048 bits

Improve Delivery

This site lets you check your DKIM configuration - you can also check the SPF and DMARC records. Correct sender authentication is very important, but it is also only a starting point. For more information and practical tips on improving email delivery, visit Outgoing.email.