How to Check a DKIM Record
A practical guide to checking a DKIM record, finding the right selector, validating the TXT record, and spotting common DKIM setup problems.
Start with the selector
To check a DKIM record, you need both the domain and the selector. Unlike SPF or DMARC, DKIM is not stored at a single fixed hostname for the whole domain.
The selector is usually found in the DKIM-Signature header of a real email. If you do not know it yet, you may need to inspect headers or test common selector names first.
Build the full DKIM hostname
A DKIM public key is usually published at selector._domainkey.example.com. If the selector is default and the domain is example.com, the hostname to check is default._domainkey.example.com.
default._domainkey.example.com
Checking the wrong hostname is one of the most common reasons teams think DKIM is missing when the real issue is only the query name.
Query the TXT record for that hostname
Once you have the full hostname, query its TXT records and look for a value that starts with v=DKIM1. That record should contain the public key and other DKIM tags.
If no TXT record appears, the selector may be unpublished, incorrect, or not yet propagated. Some providers also publish a CNAME at the selector hostname that points to the real key location.
Read the main DKIM tags
- v=DKIM1 identifies the record as DKIM
- p= contains the public key used to verify signatures
- k= describes the key type when present
- t= may show testing or service flags
The p value is usually the most important part to verify. If the key is missing, truncated, or malformed, the selector may resolve but DKIM validation can still fail.
Compare the DNS record with real message headers
Checking a DKIM record is most useful when you compare it with a real email. Review the DKIM-Signature header and Authentication-Results so you can confirm the selector in use and whether the receiver accepted the signature.
This helps separate a missing DNS record from a signing problem in the sending platform.
Common DKIM record problems
- The wrong selector is being checked
- The TXT record is missing
- A CNAME exists but points to the wrong place
- The public key is incomplete or malformed
- The sending platform is not signing with the selector that is published
A practical DKIM checking workflow
- Find the selector from a real email or use a selector finder
- Construct the selector._domainkey hostname
- Query TXT records for that hostname
- Confirm the record contains v=DKIM1 and a valid public key
- Compare the DNS result with Authentication-Results from a real message
- If needed, re-check the provider's DKIM setup and key publication steps
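The offline part of this workflow can be scripted. The following is an added example, not code from the original article: it builds the query name from a DKIM-Signature header and checks a TXT value you have already retrieved. The function names and the sample key are constructed for illustration, and the DER length check is one assumed way to catch a truncated RSA key; it does not verify any signature.

```python
import base64, binascii, re

# Constructed sample: a DER SEQUENCE header around filler bytes, not a real key.
SAMPLE_P = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()

def parse_tags(value):
    """Split a 'tag=value; tag=value' list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_query_name(signature_header):
    """Build selector._domainkey.domain from the s= and d= tags of a DKIM-Signature header."""
    tags = parse_tags(signature_header.split(":", 1)[1])
    return f"{tags['s']}._domainkey.{tags['d']}"

def der_declared_len(der):
    """Total size promised by the outer DER SEQUENCE header, or -1 if there is none."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    if der[1] < 0x80:                      # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_record(txt_chunks):
    """Return findings for a DKIM TXT record given as its DNS character-strings."""
    tags = parse_tags("".join(txt_chunks))  # long keys are split across strings
    findings = []
    if tags.get("v") != "DKIM1":
        findings.append("no v=DKIM1 tag")
    p = tags.get("p")
    if p is None:
        findings.append("no p= tag")
    elif p == "":
        findings.append("empty p= (key revoked)")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except binascii.Error:
            return findings + ["p= is not valid base64"]
        if tags.get("k", "rsa") == "rsa" and der_declared_len(der) != len(der):
            findings.append("RSA key shorter or longer than its DER header says")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: domain is testing DKIM")
    return findings
```

Pass `check_record` the TXT strings exactly as your resolver returns them; an empty list means the record passed these structural checks only.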
