Plunk logo
Plunk
§ T-06  —  Tool← All tools

DKIM record
checker

Look up your domain's DKIM public key by selector. Verify the key is active, understand the configuration, and get advice if something looks wrong.

DKIM record lookup

Not sure? Try a common selector below.

Common selectors

§ 01DKIM explained

How DKIM signing works.

DKIM proves your email was sent by your domain and wasn't altered in transit.

Cryptographic signature

Your sending server signs each email using a private key. The corresponding public key is published in DNS. Receiving servers verify the signature to confirm authenticity.

Selector system

Each DKIM key is identified by a selector. You can have multiple selectors (and keys) per domain, allowing key rotation and multiple sending providers at the same time.

Tamper detection

The DKIM signature covers specific email headers and the body. If the email is modified in transit, the signature breaks and DKIM fails — protecting against content manipulation.

Key rotation

Best practice is to rotate DKIM keys annually. Publish the new key under a different selector, update your sending infrastructure, then revoke the old key by setting p= to empty.

DKIM alone is not enough

Like SPF, DKIM authentication alone doesn't protect the visible From header. You need DMARC to enforce authentication policies and protect against spoofing.

2048-bit RSA minimum

1024-bit RSA keys are considered insecure. Use at least 2048-bit RSA or switch to Ed25519, which provides equivalent security with much smaller keys.

Sign every email. Reach the inbox.

Plunk configures DKIM signing automatically and guides you through setting up SPF and DMARC for your domain.

Start with PlunkWhat is DKIM?

Frequently asked questions

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to outgoing email. The signature is verified by receiving servers using a public key published in your DNS. If the signature matches, the email is confirmed to have originated from your domain and has not been tampered with in transit.

What is a DKIM selector?

A DKIM selector is a label that identifies which DKIM key to use when there are multiple keys for a domain. Selectors are arbitrary strings chosen by the sending service (e.g., "google" for Google Workspace, "selector1" for Microsoft 365, "k1" for Mailchimp). The DKIM record is published at {selector}._domainkey.{domain}.

Where do I find my DKIM selector?

Your DKIM selector is provided by your email sending service. In Google Workspace, it's typically "google". In Microsoft 365, it's "selector1" and "selector2". In Mailchimp, it's "k1". Check your email provider's DNS setup guide or look in the DKIM signature of a sent email (the "s=" tag in the DKIM-Signature header).

Why is my DKIM key revoked?

A DKIM key is revoked by publishing a DKIM record with an empty p= value. This is intentional and signals that the key should no longer be used. Reasons include key rotation, key compromise, or switching email providers. If you didn't intentionally revoke the key, check your DNS records and publish a new DKIM key.

Should I use RSA or Ed25519 for DKIM?

RSA (2048-bit) is the safest choice for maximum compatibility, as it is supported by all email providers. Ed25519 offers equivalent security with much smaller keys but is not supported by some older mail servers. A best practice is to publish both an RSA key and an Ed25519 key with different selectors, letting modern servers prefer Ed25519.