What is a DKIM record?
A DKIM (DomainKeys Identified Mail) record is a DNS TXT entry that publishes the public key used to verify the cryptographic signatures a domain places on its outgoing email. When a mail server receives a signed message, it retrieves the DKIM public key from the signing domain's DNS and uses it to verify that the signed parts of the message were not altered in transit and that the signature was produced by a key the claimed domain controls.
What is a DKIM selector?
A selector is a label that namespaces the DKIM key, stored in DNS as selector._domainkey.yourdomain.com. A domain can publish multiple DKIM keys simultaneously — one per selector name. This allows different email services to use different keys, and enables key rotation without disrupting delivery. Common selector names include default, google, selector1, selector2, mail, k1, and k2. Checking common selector names is the fastest way to discover whether DKIM is configured when you don't know the selector in advance.
How do I find my DKIM selector?
Look in the DKIM-Signature header of any email you have sent — the s= tag contains the selector name. You can view email headers in most email clients under View > View Source or Show Original. If you use Google Workspace, your selector is typically 'google'. For Microsoft 365 it is 'selector1' or 'selector2'. For Mailchimp it is often 'k1'.
What DKIM key size is recommended?
2048-bit RSA is the current recommendation. Keys below 1024 bits are rejected by many mail providers including Gmail and Outlook. Keys between 1024 and 2047 bits are technically valid but aging. Ed25519 is an excellent modern alternative — it provides approximately 256-bit equivalent security strength in a much smaller key, and is supported by most modern mail servers. RSA-1024 is considered weak and should be rotated to 2048-bit; many receiving mail servers will flag it as insecure during authentication checks.
What does 'key revoked' mean in a DKIM record?
A revoked DKIM key has an empty p= tag (p=). This signals to receiving mail servers that the key is no longer valid. Any email signed with that selector will immediately fail DKIM verification. If you need to rotate keys, always publish a new selector with the new key first, let DNS propagate, then revoke the old one. Never delete an active key without first deploying its replacement, as in-flight messages signed with the old key will immediately fail verification.
What is DKIM test mode?
DKIM test mode is indicated by the t=y flag in the DKIM record. It signals that the domain owner is testing their DKIM setup. Receiving servers may log failures rather than treating them as errors. This is useful during initial deployment, but the t=y flag must be removed before using the selector in production — otherwise DKIM provides no real authentication benefit.
What does the DKIM p= tag contain?
The p= tag contains the public key in base64-encoded format. For RSA keys, the length of this base64 string is proportional to the key size — a 2048-bit key produces a much longer p= value than a 1024-bit key. This analyzer estimates the bit-strength by measuring the decoded length of the p= value. An empty p= tag means the key has been revoked.
How does this DKIM analyzer work?
The tool queries the DKIM DNS TXT record at selector._domainkey.yourdomain.com using Cloudflare's DNS-over-HTTPS API (with Google DoH as a fallback). It then parses the raw record text and analyzes each tag: v= (version), k= (key type), p= (public key), t= (flags), h= (hash algorithms), s= (service type), and n= (notes). The result includes a security assessment of each tag. The analyzer runs entirely in your browser over DNS-over-HTTPS; no email is sent and your domain is not stored anywhere.
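As an added example (not the analyzer's own code), the Python below performs the core of the analysis described in this answer and in the p= tag answer above: it splits a DKIM TXT record into tags, walks the DER-encoded SubjectPublicKeyInfo in p= down to the RSA modulus to read the exact key size rather than estimating it from the base64 length, and reports revoked (empty p=) and test-mode (t=y) records. The record text and the RSA key material are constructed inside the code for the test; nothing is fetched from DNS.

```python
import base64

def parse_dkim_tags(txt):
    """Split 'v=DKIM1; k=rsa; t=y; p=MIIB...' into {'v': 'DKIM1', 'k': 'rsa', ...}."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = "".join(value.split())  # fold folded whitespace
    return tags

def _tlv(buf, pos):
    """DER header at pos -> (tag, content length, offset of content)."""
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first & 0x80 else 0            # 0 = short-form length
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    return tag, length, pos + 2 + n

def rsa_modulus_bits(p_b64):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus INTEGER."""
    der = base64.b64decode(p_b64)
    _, _, pos = _tlv(der, 0)                            # outer SEQUENCE
    _, alg_len, alg = _tlv(der, pos)                    # AlgorithmIdentifier
    _, _, pos = _tlv(der, alg + alg_len)                # BIT STRING
    _, _, pos = _tlv(der, pos + 1)                      # skip unused-bits byte; RSAPublicKey SEQUENCE
    _, n_len, pos = _tlv(der, pos)                      # modulus INTEGER
    return (n_len - (der[pos] == 0x00)) * 8             # drop the sign-padding byte

def assess_dkim(txt):
    """Return (status, modulus_bits) for one DKIM TXT record."""
    t = parse_dkim_tags(txt)
    if t.get("p", "") == "":
        return "revoked", None                          # empty p= means the key is revoked
    if t.get("k", "rsa") != "rsa":
        return "non-rsa key (%s)" % t["k"], None        # e.g. ed25519: 32 raw bytes, no DER
    bits = rsa_modulus_bits(t["p"])
    if "y" in t.get("t", "").split(":"):
        return "test mode (t=y): verification failures are advisory", bits
    return ("weak: rotate to 2048-bit" if bits < 2048 else "ok"), bits

def _der_len(n):
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
def fake_rsa_p_tag(bits):
    """Constructed test data: a well-formed SPKI around a dummy 0xAB modulus (not a usable key)."""
    n = b"\x00" + b"\xAB" * (bits // 8)                 # leading 0x00 because the high bit is set
    rsa_pub = b"\x02" + _der_len(len(n)) + n + b"\x02\x03\x01\x00\x01"   # INTEGER n, INTEGER e=65537
    seq = b"\x30" + _der_len(len(rsa_pub)) + rsa_pub
    bit_str = b"\x03" + _der_len(len(seq) + 1) + b"\x00" + seq
    alg = bytes.fromhex("300d06092a864886f70d0101010500")                # rsaEncryption OID, NULL
    return base64.b64encode(b"\x30" + _der_len(len(alg) + len(bit_str)) + alg + bit_str).decode()
```

A 2048-bit key decodes to a 294-byte SPKI and a 1024-bit key to 162 bytes, which is why a length-based estimate also works; the DER walk above is exact for any modulus size.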
What is a DKIM bulk selector scan?
The bulk scan mode checks 20 of the most common DKIM selector names against your domain simultaneously — including default, google, selector1, selector2, mail, k1, k2, mailchimp, sendgrid, amazonses, and others. This is useful when you do not know which selectors your email providers have configured, or when auditing all active DKIM keys on a domain. The bulk scan checks selectors in parallel and shows which are active, which have weak keys, and which have been revoked or removed.
Does DKIM alone protect against email spoofing?
DKIM alone is not sufficient for full email authentication. It verifies message integrity and confirms the signing domain, but does not prevent a different domain from sending email and signing with their own DKIM key. DKIM works best as part of the full email authentication stack: SPF restricts which servers can send on behalf of your domain, DKIM signs messages cryptographically, and DMARC ties the two together with a policy for handling failures.