
DKIM checker, validator + record generator

Three modes: look up the DKIM record at any selector + domain, validate a pasted record string, or generate a fresh RSA keypair with the DNS TXT value formatted ready to publish. No signup.

Common selectors: default, google, k1, selector1, selector2, mail. Look at any email's DKIM-Signature header for the s= tag.

What this tool checks

DKIM (DomainKeys Identified Mail, RFC 6376) signs outbound mail with a private key your MTA holds; receivers verify the signature against the public key you publish in DNS at <selector>._domainkey.<domain>. DKIM is one of the three DMARC alignment paths (alongside SPF) and is the more reliable one because it survives forwarding.

Look up mode: enter the domain and the selector, we resolve the TXT record, parse every tag, and inspect the public key (algorithm, bit length, revocation status).

Validate mode: paste a DKIM record body and we parse it without any DNS lookup. Useful for verifying a record before you publish it, or analyzing a record from DNS history / a backup.

Generate mode: produces a fresh RSA keypair in memory on our server. We return the private key (PEM) for your MTA / signing service config, plus the formatted DNS TXT value ready to publish. Nothing is stored - the keypair is unique to your request and forgotten the moment the response is sent.

How to read the results

What selector should I use? Look at the DKIM-Signature header on any email from the domain. The s= tag is the selector. Common values: Google Workspace = google, Microsoft 365 = selector1 / selector2, Mailgun = k1, Postmark = often the year, e.g. 2024.

Public key bit length: 2048 is the modern default. 1024 still works for most receivers but Gmail and Yahoo have started signalling preference for 2048+. Below 1024 is silently ignored. Above 4096 won't fit in a standard DNS TXT record.

p= empty = revoked. RFC 6376 §3.6.1: a zero-length p= tells receivers to treat the key as revoked. Used when rotating keys - you can keep the old selector live as revoked while transitioning, then remove the record entirely once nothing is signing with it.

t=y means testing. Receivers see this and ignore the signature without affecting your reputation. Useful for staging but a foot-gun in production - remove it once you're confident.

Frequently asked questions

How is my private key generated?

Server-side via Node.js crypto.generateKeyPair (which uses OpenSSL underneath). The keypair exists only in memory for the duration of your request and is streamed back to you in the response. Nothing is logged or persisted.

Should I use 1024 or 2048 bit keys?

2048 unless you have a specific reason not to. 1024 is the original DKIM default but Gmail and Yahoo have been signalling preference for 2048+, and 4096 is overkill (won't fit in a standard DNS TXT record without chunking). 2048 fits in one chunk on most DNS providers and is the modern default across major email providers.

My record validates but emails still fail DKIM - why?

Most common: the private key on your MTA does not match the public key in DNS. Either you regenerated and forgot to update DNS, or you republished and forgot to push the matching key to your signing service. Check that the public key derived from your private key matches the p= in DNS exactly.
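
The comparison described above, as an added example in Node.js (not this tool's own code): it parses a DKIM TXT value, handles the revoked (empty p=) and t=y cases, and checks whether p= matches the public key derived from a private key. The function names and the sample keypairs generated at run time are assumptions made for illustration.

```javascript
// Added example, not the tool's code. Assumes p= holds a base64 DER SubjectPublicKeyInfo.
const crypto = require('node:crypto');

// Parse a DKIM tag list ("tag=value; ..."). Quotes and whitespace are dropped from
// values, which rejoins a key that DNS returned as several quoted strings.
function parseDkimRecord(txt) {
  const tags = {};
  for (const part of txt.replace(/"/g, '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    tags[part.slice(0, eq).trim()] = part.slice(eq + 1).replace(/\s+/g, '');
  }
  return tags;
}

// Compare the published record with the private key the MTA signs with.
function checkRecord(txt, privateKeyPem) {
  const tags = parseDkimRecord(txt);
  if (!('p' in tags)) return { status: 'invalid', reason: 'missing p= tag' };
  if (tags.p === '') return { status: 'revoked' }; // zero-length p=, RFC 6376 §3.6.1
  let dnsKey;
  try {
    dnsKey = crypto.createPublicKey({ key: Buffer.from(tags.p, 'base64'), format: 'der', type: 'spki' });
  } catch {
    return { status: 'invalid', reason: 'p= is not a parseable public key' };
  }
  const derived = crypto.createPublicKey(privateKeyPem).export({ type: 'spki', format: 'der' });
  return {
    status: derived.equals(dnsKey.export({ type: 'spki', format: 'der' })) ? 'match' : 'mismatch',
    bits: dnsKey.asymmetricKeyDetails.modulusLength,
    testing: (tags.t || '').split(':').includes('y'), // t=y still set in production?
  };
}

// Constructed sample data: throwaway keypairs generated at run time.
function makeKey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    pem: privateKey.export({ type: 'pkcs8', format: 'pem' }),
    p: publicKey.export({ type: 'spki', format: 'der' }).toString('base64'),
  };
}
const current = makeKey(), stale = makeKey();
console.log(checkRecord(`v=DKIM1; k=rsa; p=${current.p}`, current.pem));     // DNS and MTA agree
console.log(checkRecord(`v=DKIM1; k=rsa; t=y; p=${stale.p}`, current.pem)); // DNS still has an old key
console.log(checkRecord('v=DKIM1; k=rsa; p=', current.pem));                // revoked selector
```

To use it on a real domain, pass the TXT value your resolver returns for the selector and the PEM file your MTA loads.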

What's a DKIM selector?

A label that lets you publish multiple DKIM keys for the same domain - one per email vendor or one per rotation generation. Mail signed with a given key uses that selector in the DKIM-Signature header so receivers know which DNS record to look up.

How do I rotate DKIM keys?

Generate a new keypair, publish under a NEW selector (e.g. selector2 if you were using selector1), wait until your MTA is signing with the new key, then revoke the old selector by setting p= empty. Eventually delete the old TXT record entirely. Never overwrite the existing selector in place - in-flight mail signed with the old key would fail.

Why is my published record returning 0 results when I look it up?

Three common causes: (1) selector typo - case-sensitive in some providers. (2) DNS propagation - records take up to a TTL to appear globally. (3) Multiple TXT records at the same FQDN - some DNS providers split your record across two entries which DKIM cannot parse; consolidate to one TXT record.
