trace·warrior
  • Tools
  • Monitoring
  • Pricing
  • Resources
  • About
Sign inGet started
trace·warrior

Network diagnostics for IT professionals. Built for speed, accuracy, and the long tail of the Friday afternoon outage.

ALL SYSTEMS NOMINAL
Tools
  • DNS Lookup
  • Ping Test
  • Port Checker
  • WHOIS
  • See all
Product
  • Monitors
  • Pricing
  • How-to guides
  • Compare
Resources
  • Blog
  • API docs
  • Tool index
  • Contact
Company
  • About
  • Privacy
  • Terms
  • Cookie policy
© 2026 Trace Warrior · made for engineers, by engineersnetwork forensics, quietly
/
/
tools/dns & domain/dkim-checker
DNS & Domain

DKIM Checker

Free DKIM record checker. Look up and validate the DKIM public keys for any domain. Know your selector? Check it directly. Don't? The tool scans 26 selectors that major providers document (Google Workspace, Microsoft 365, SendGrid, Fastmail, Proton, Zoho, Resend, iCloud, and more) in parallel. Validates each key: RSA size (flags 1024-bit as aging and anything smaller as insecure), Ed25519 support, revoked keys (empty p=), testing mode, and broken records. Runs from our London probe.

What DKIM does and why the selector matters

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing mail. Your provider signs each message with a private key, and receivers verify it against a public key published in your DNS. That key lives at a selector, a label in the record name like selector1._domainkey.example.com. The signature travels in the message header, the public key stays in DNS, and a match proves the mail was not altered in transit and really came from an authorized sender. Different providers use different selectors, which is why you cannot always guess where the key lives.

If you do not know your selector, this tool scans 26 selectors that major providers document, including Google Workspace, Microsoft 365, SendGrid, Fastmail, Proton, Zoho, Resend, and iCloud, in parallel, and reports each key it finds.

Key size, revoked keys, and testing mode

Not every published key is a healthy one. This checker inspects each key it finds: RSA 2048-bit is the current standard, 1024-bit is flagged as aging, and anything smaller is insecure, while modern Ed25519 keys are supported too. It also catches a key that has been revoked (an empty p= value, which tells receivers to reject signatures using it) and one still in testing mode (t=y), where receivers are told to treat failures leniently, a flag that is often left on long after go-live and quietly weakens enforcement.

Frequently asked questions

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that attaches a cryptographic signature to each message. Receivers verify it against a public key in your DNS to confirm the mail is authentic and unaltered.

How do I find my DKIM selector?

The selector is part of the DKIM DNS record name, such as selector1 in selector1._domainkey.example.com. You can read it from the DKIM-Signature header of a sent message (the s= tag), or let this tool scan the common selectors that major providers use.

What DKIM key size should I use?

RSA 2048-bit is the current recommended size. 1024-bit still works but is considered aging and weaker, and anything below that is insecure. Ed25519 is a modern alternative supported by newer providers.

What does an empty DKIM p= value mean?

An empty p= tag means the key has been revoked. It tells receiving servers that any signature using this selector should be treated as invalid, so mail signed with the old key will fail DKIM.

Related tools

  • SPF Checker →
  • DMARC Checker →
  • Header Analyzer →
  • Deliverability Test →