DKIM Key Checker

Use this tool to look up and verify a DKIM DNS TXT record and determine its public key length to detect the use of weak cryptographic DKIM keys (less than 1024 bits).

You can read more about why I wrote this tool.

Please let me know if you find a record that doesn’t parse properly and I’ll update my code.

DKIM selectors enable a single domain to have multiple keys. Some domains, like Twitter and eBay, use “dkim”. Google Workspace domains typically use “google”. Others simply use “default”. Enter yours below.
Note: Do not include “_domainkey” — this tool will add it automatically when making the DNS query.

Keys less than 1024 bits are considered at risk


118 thoughts on “DKIM Key Checker”

  1. Pingback: Outbound Solution
  2. Hi, thanks for the tool. Just found out that many similar tools out there are unable to handle long keys…yours works perfectly.

  3. Great tool. If you could please add support for some of the newer TLDs, .properties in particular, that would be swell.

  4. Thanks for the tool! Just a remark:
    Base64 encoded data usually wrap lines after 64 chars. The public key your tool did reconstruct wrapped after 78.

    1. @Evil_Wolf: Can you share a couple example domains and selectors to test so I can work on adding support? Thanks!

  5. Great tool. Just entered a DKIM record with more than 255 chars and the lookup result looked rather funny. I was expecting BIND to concatenate the multiple parts into one! Checked here with success. Then found out that it is the application using this record which is supposed to concatenate the parts.

  6. Hmmm, worked that time, after I updated my DNS to remove the domain. I just put it back, we’ll see how your tool does tomorrow.

  7. Hi Dave

    Thank you so much for providing this tool. I was able to check my Key Strength which was 1024 and upgraded it to 2018 at Google Apps.

    This has helped me a lot to implement DMARC and see how Spammers are trying to use my domains for their hideous activities.


    1. It should be working, what selector/domain are you testing?

      Mine has a 2048 bit key, for an example:

      selector: google

  8. Excellent beat ! I wish to apprentice at the same time as you amend your
    web site, how can i subscribe for a blog web site? The account helped me a applicable deal.
    I have been a little bit acquainted of this your broadcast offered vivid clear concept

  9. p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqWNYOa8qqbBAI \009nP9mhxNb8WHjEe+n9g+mS8xOcL66j73LwITKo7LOhzOhAltqo/2Q/VvJDlqxo2I5uIXaduWO1UK+CaWV \009VGPjN+dka9dP3vNjvS/ZMCIXNBv+Byu9d/zsPcMoMApFRVCOV9klFfJDLLyK3OmkcG8czlcZubdWZMLj \009INtWRg7T7″ “7JEQCCvUuetf/m9zL9CHhiaVyuJDZXgVeXU0lgOBJI5o4x9bevXf8v2NR55cQwg5bIllinG \009ycSzlY6wDfoCH6+dfEG48gtPHoVlU5GhJ0mJyypWd4EYwDr3xiZR9qzcCFGneP5//jMK5RpOu35k/nfx \009T3SgXeVwQIDAQAB”

    This Key Is Different Than The DKIM Key In My TXT Record. Please Reply Me If You Found Any Solution.

  10. Sorry, noob question here – how does the receiving server know what selector to use / ask the sending server for?

    Is that in the header of the email? You talk about how different websites use different phrases : )


  11. Hi! There are many tools to verify DKIM TXT records.
    But I did not find any tool to verify the DKIM Data of an Email already sent. I mean copy&paste the raw mail code to check mail text and metadata. Why is it so hard to find a tool for that? Cause this is what dkim is for.

  12. Your tool missed an error in what a client published. They included escape characters (v=DKIM1\;) and your tool gave them “success” as a result. Using MXTOOLBOX it pointed out their error.

    May want to look into that – they used your site to erroneously believe they’d published correctly.


  13. Just wondering if I copy the contents of the result “—-begin certificate — ” and save it as a .pem file, will the regular cert reading tools be able to decipher it as a certificate?

  14. Is the code for this available anywhere? Just curious how you parse the record and feed it into openssl.

    1. Hi Dan! I haven’t published the code but it’s just a quick little PHP script with a flow that looks like this…

      • dig to grab the DKIM DNS record, since PHP’s dns_get_record() doesn’t properly handle returning TXT records for long DKIM entries.
      • Regex to extract the tags of interest from the record, per RFC 6376 :
      • Process the extracted public key via PHP’s OpenSSL library: openssl_get_publickey -> openssl_pkey_get_details

      If you want more specifics about any of that, drop me a note via the Contact page and I’ll email you further details.
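The flow described in the reply above (fetch the TXT record, extract the tags, read the key size), as an added Python example rather than the tool's unpublished PHP script. It assumes the TXT answer has already been fetched (for instance with dig) and reads the RSA modulus with a small DER walker instead of OpenSSL; the function names are illustrative.

```python
import base64
import re

# Added example, not the tool's code; function names are illustrative.
# SAMPLE_TXT: the p= value is the 1024-bit key quoted later in this thread; the
# split into two quoted strings is constructed to mimic a record over 255 bytes.
SAMPLE_TXT = (
    '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu85+PZRVgrTN2VMyINKIA8EbiFMBn0aDy" '
    '"UYzdfL7kl7hZJnOV0BvyR9I1xwRN/EmDEgd9DVkjYKgT1fNjHkjLDmPtirCc1QiAfceCqjGbWjuOFtFjW5RfaQP4'
    'rqnJ0CH2QL3hwfekTBfHPkKAO4mf37gtlkXMUSXzQiIUTd+ogwIDAQAB;"'
)

def join_txt_strings(answer):
    """Concatenate the quoted strings of one TXT answer with no separator."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', answer)) or answer

def parse_tags(record):
    """Split an RFC 6376 tag=value list (';'-separated) into a dict."""
    pairs = (item.partition("=") for item in record.split(";"))
    return {name.strip(): value.strip() for name, sep, value in pairs if sep}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_key_bits(p_b64):
    """Modulus size in bits of the RSA SubjectPublicKeyInfo carried in p=."""
    der = base64.b64decode(p_b64, validate=True)
    _, pos, _ = read_tlv(der, 0)              # outer SEQUENCE
    _, _, pos = read_tlv(der, pos)            # skip AlgorithmIdentifier
    bit_tag, pos, _ = read_tlv(der, pos)      # BIT STRING wrapping RSAPublicKey
    _, pos, _ = read_tlv(der, pos + 1)        # +1 skips the unused-bits octet
    int_tag, start, end = read_tlv(der, pos)  # first INTEGER is the modulus
    if (bit_tag, int_tag) != (0x03, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(der[start:end], "big").bit_length()

def check_dkim(answer, min_bits=1024):
    """Report key size; keys under min_bits are flagged weak, as the page does."""
    tags = parse_tags(join_txt_strings(answer))
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if tags.get("k", "rsa") != "rsa" or not p:
        return {"bits": None, "weak": None}  # non-RSA key, or revoked (empty p=)
    bits = rsa_key_bits(p)
    return {"bits": bits, "weak": bits < min_bits}
```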

  15. I get a fail on my test but a pass for other online checking pages – from reading I suspect it has to do with the FQDN appended to the selector eg my selector is:


    and it seems to fail on some sites including this one but pass on others – are you able to check if the un-appended FQDN is the problem?


    1. Hi Phil! Yes, just use your DKIM selector, phr1, in the “Selector” input box. Do not include the _domainkey subdomain.

      Using that, along with your Domain works for me. Let me know if that helps.

  16. Hi
    I’ve setup a 2048 key for MailPlus on my synology NAS and split the key across 2 TXT records in the DNS but the checker only reports it as a 1024 key. Does it not handle split keys?

    1. Hi Julian! It should handle split keys. What’s your DNS TXT record (selector/domain) and I can take a look.

  17. For some reason this tool is not able to find the dkim entry on any of my websites. All have dkim as selector in a TXT record:,,,

    1. Hi Bob!

      I do see your DKIM TXT record on

      ❯ dig -t TXT
      ;; ANSWER SECTION: 60 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu85+PZRVgrTN2VMyINKIA8EbiFMBn0aDyUYzdfL7kl7hZJnOV0BvyR9I1xwRN/EmDEgd9DVkjYKgT1fNjHkjLDmPtirCc1QiAfceCqjGbWjuOFtFjW5RfaQP4rqnJ0CH2QL3hwfekTBfHPkKAO4mf37gtlkXMUSXzQiIUTd+ogwIDAQAB;"

      However, the DKIM specification uses a namespace subdomain called “_domainkey” to store DKIM records.

      So you’ll want to use the format:
      [your selector]._domainkey.[your domain name]


      The relevant RFC section:

      And some more details about the naming of the DKIM DNS entry:

  18. Resolved! Nice to finally find out how to put in the selector on the domain TXT record. Host entry is to be dkim._domainkey and the Value with the rest of the required data. Validation is now working and finding the entry on my domain. Thanks Dave!
