DKIM Lookup Tool
Check any DKIM selector and read its public key. We pull the TXT record under selector._domainkey, confirm the key is present, and report the key type.
This DKIM lookup tool checks any selector and pulls the public key record it points to. Give us a domain and a selector and we read the TXT record stored under selector._domainkey, where DKIM keeps the key receiving servers use to verify the signature on your mail. Without the selector you have nothing to query, so we report whether a record was found, whether the public key (p=) is present, and what key type (k=) it declares, then print the full record. This is the value worth re-checking whenever a message bounces or lands in spam, because a wrong or missing selector is often the whole problem. If you are unsure which selector to enter, read the s= value off a message you have already sent. Everything runs in your browser, so nothing you paste is uploaded.
Queries run through the PeopleAreGeek lookup service. We log nothing.
DKIM Lookup Tool: Check DKIM Selector and Public Key Record
This DKIM lookup tool reads the DKIM record for any domain and selector you give us. The record sits under selector._domainkey.example.com, so without the selector there is nothing to query. Inside it is the public key receiving servers use to check the signature on your mail. We report whether a record exists, whether the public key is present, and what key type it declares, then show the full record. This is the value worth re-checking whenever a message bounces, because a wrong or missing selector is often where the problem is.
What is a DKIM selector?
The selector is basically a label. It tells the receiving server which key to grab. You can publish more than one at a time, which is the whole trick behind rotating keys without breaking yesterday's mail. The annoying part? Everybody names theirs differently. I've hit default, google, the selector1 / selector2 pair, k1, plus a heap of provider-specific ones that read like keyboard mashing. No standard anywhere. So you go hunting.
How to find your selector
- Start with your provider's DNS setup docs. They nearly always name the selector outright, and that's the fastest way in.
- Docs being vague? Open a message you've already sent and read its DKIM-Signature header. The s= value is your selector, sitting right there in plain sight.
- Same header gives you d=, the signing domain. Paste d= into the domain box and s= into the selector box. That's it.
Frequently asked questions
Why does my DKIM lookup return no record?
Most of the time it is the wrong selector, so try a couple of others before you panic. It is also possible the record was never published, or DNS has not propagated yet and the void will fill in within an hour. Some providers stash the key under a hostname you would never guess. When in doubt, grab the s= value off a real email you sent and trust that over whatever you typed from memory.
What is a DKIM selector?
The selector is a label that tells the receiving server which key to grab. You can publish more than one at a time, which is the whole trick behind rotating keys without breaking yesterday mail. Everybody names theirs differently: default, google, the selector1 and selector2 pair, k1, plus many provider-specific ones. There is no standard, so you go hunting.
How do I find my selector?
Start with your provider DNS setup docs, which nearly always name the selector outright. If the docs are vague, open a message you already sent and read its DKIM-Signature header. The s= value is your selector and the d= value is the signing domain. Paste d= into the domain box and s= into the selector box.
Does DKIM replace SPF?
No, you want both. SPF says which servers are allowed to send for your domain. DKIM proves the message was not tampered with on the way over. They are two different jobs and do not overlap much. DMARC sits on top, ties the pair together, and tells receivers what to do when one of them fails. Run all three.