DKIMPROBLEM.comDKIM Record Analysis

About DKIM

DKIM stands for DomainKeys Identified Mail. It is an email authentication method that allows a sending system to attach a cryptographic signature to a message and publish the matching public key in DNS.

Receiving mail servers validate that signature against the DNS record published at a selector such as selector1._domainkey.example.com. The selector is chosen by the sending system, not guessed from the domain alone.

Why It Is Used

DKIM helps receivers confirm that a message was signed by a system authorized to use the domain's private key and that key parts of the message were not altered in transit.

It is especially useful when mail is forwarded, because SPF may fail after forwarding but a valid DKIM signature can survive if the message was not modified in a way that breaks the signature.

How It Goes Wrong

DKIM records often fail because the selector in DNS does not match the selector used by the sender, the platform asks for a CNAME but a TXT record is also present, or key rotation leaves old and new records tangled together.

Common failure points include no record at the selector, multiple TXT records, CNAME/TXT conflicts, malformed tags, empty or revoked public keys, and RSA keys below the commonly recommended 2048-bit size.

Why DKIM Problems Matter

If a DKIM record is missing, invalid, or too weak, legitimate email may fail DKIM validation. That can contribute to delivery problems, filtering, junk placement, or DMARC alignment failures.

Because DKIM is often relied on for DMARC, DKIM issues can affect deliverability even when the sending service itself is otherwise functioning normally.

What This Tool Does

This site checks the selector host directly, follows visible CNAME delegation, displays up to four TXT records when multiples exist, parses DKIM tags, and estimates RSA public-key size where possible.

It is intended as a troubleshooting and analysis aid. Results should always be independently checked before any production DNS or email changes are made.

Relevant RFCs

These specifications define the core standards behind the checks on this site.

  • RFC 6376 - DomainKeys Identified Mail (DKIM) Signatures
  • RFC 8301 - Cryptographic Algorithm and Key Usage Update to DKIM
  • RFC 8463 - A New Cryptographic Signature Method for DKIM

Common Problems Checked

  • Selector host does not exist or points at the wrong provider
  • TXT and CNAME records published together at the selector host
  • More than one TXT record at the selector host
  • DKIM public key missing, revoked, malformed, or unparseable
  • RSA keys below the commonly recommended 2048-bit size

Improve Delivery

This site lets you check your DKIM configuration - you can also check the SPF and DMARC records on their own or all in one go at AUTHPROBLEM.com. Correct sender authentication is very important, but it is also only a starting point. For more information and practical tips on improving email delivery, visit Outgoing.email.

Questions or Issues

If you spot something that looks wrong, have a suggestion, or want to share details of a problem with one of the checks, please contact us.