DKIM Lookup (Keys, Selectors, Rotation Tips)
Discover and validate DKIM selectors, check key length and rotation hygiene with actionable security advice.
DKIM Basics
DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that emails haven't been tampered with in transit.
Cryptographic Keys
Public/private key pairs ensure email authenticity
Digital Signatures
Detects tampering and verifies sender identity
Selectors
Named keys allow multiple DKIM keys per domain
Key Rotation
Regular key updates improve security posture
DKIM Selector Probe
Found DKIM Selectors
Common Selectors Checked
Key Analysis
Public Key (google selector)
Enter a domain above to discover DKIM selectors
Key Length & Rotation Best Practices
Maintain strong DKIM security with proper key management.
Key Length Recommendations
Deprecated - upgrade to 2048-bit for better security
Recommended standard - good balance of security and performance
Maximum security - may have compatibility issues
Rotation Schedule
Rotate DKIM keys every 6-12 months for optimal security
Keep old keys active for 48-72 hours during transition
Use date-based selectors (2024-01, 2024-07) for easy tracking
DKIM Alignment Tips
Ensure DKIM works properly with DMARC for maximum protection.
Domain Alignment
DKIM signature domain (d=) should align with the From header domain for DMARC compliance.
DKIM-Signature: d=example.com (✓ Aligned)
Relaxed vs Strict Alignment
Configure DMARC alignment mode based on your email setup:
Multiple Signatures
Use multiple DKIM signatures for redundancy and different services:
DKIM-Signature: d=example.com; s=mailgun; ...
Related Email Security Tools
Complete your email authentication setup with these tools.
Run a Full Email Security Audit
Check DKIM, SPF, DMARC, MTA-STS, and more in one comprehensive scan
Frequently Asked Questions
Common questions about DKIM selectors and key management.
What selector name should I use?
Common selectors include 'default', 'google', 'k1', 's1', or date-based like '2024-01'. Use descriptive names that help with key rotation and management. Many email services use their own naming conventions (e.g., Google uses 'google', Mailgun uses 'k1').
Is 1024-bit DKIM key length enough?
While 1024-bit keys are still widely accepted, 2048-bit keys provide better security and are recommended for new implementations. Most modern email providers support 2048-bit keys. Consider upgrading 1024-bit keys during your next rotation cycle.
How often should I rotate DKIM keys?
Rotate DKIM keys every 6-12 months for optimal security. During rotation, keep the old key active for 48-72 hours to ensure emails in transit can still be verified. Use date-based selector names to track rotation schedules easily.
Can I have multiple DKIM selectors?
Yes, you can have multiple DKIM selectors per domain. This is useful for different email services, key rotation, or redundancy. Each selector points to a different public key, allowing you to sign emails with different keys based on the service or configuration.
What if DKIM selector lookup fails?
If a DKIM selector lookup fails, the key might not exist, DNS propagation might be incomplete, or there could be DNS configuration issues. Check your DNS provider settings, verify the selector name, and ensure the TXT record is properly formatted.