Free Tool

DKIM Record Checker

DKIM is the authentication layer that Gmail trusts most. A revoked key, weak 512-bit RSA key, or missing key causes Gmail to treat your emails as unsigned — and unsigned emails from commercial senders go directly to spam. Check yours now.

Common selectors:

What Makes a DKIM Key Invalid — and Why It Matters

What is DKIM?

DomainKeys Identified Mail adds a cryptographic signature to your outgoing emails. Receiving servers verify this signature to confirm the email wasn't tampered with and truly came from your domain.

How do I find my DKIM selector?

Check your email headers for the s= tag in the DKIM-Signature header. Common selectors include 'google' (Google Workspace), 's1'/'s2' (Microsoft 365), 'k1' (Mailchimp), 'default', and 'selector1'/'selector2'.

What key size should I use?

Use at least 2048-bit RSA keys. 1024-bit keys are considered weak and some providers may flag them. Google Workspace uses 2048-bit by default.

What is test mode (t=y)?

When t=y is set, receiving servers should treat DKIM failures as if the message was unsigned rather than rejecting it. This is useful during initial setup but should be removed for production to ensure full DKIM enforcement.

Related Free Tools

DKIM Record Generator → SPF Record Checker → DMARC Record Checker → Deliverability Health Check →

Learn More

↗

SPF, DKIM, and DMARC Explained

Why DKIM is required for DMARC alignment to function and protect your domain.

↗

Does DMARC Failure Guarantee the Spam Folder?

Data study on authentication's impact on spam placement when DKIM fails.

Why We Built This Tool

DKIM is the authentication layer Gmail trusts most. A revoked key, weak 512-bit key, or missing key causes Gmail to treat emails as unsigned — and unsigned emails from commercial senders go straight to spam. InboxEagle monitors 2,000+ brands and detects key rotation failures within hours.

What Goes Wrong Without This

DKIM key failures are silent. An ESP may rotate keys, your DNS may not be updated, and you won't know until emails start bouncing or landing in spam. Checking quarterly is too slow — most campaigns fail in the first few sends.

Who This Tool Is For

E-commerce & DTC Brands

Teams using multiple ESPs (Klaviyo, SendGrid, Google Workspace) who need to verify DKIM keys are published and not revoked before campaigns go out.

Email Marketing Agencies

Agencies auditing client authentication setup and troubleshooting deliverability issues where DKIM signature validation is failing.

B2B SaaS & Outbound Teams

Teams sending cold outreach and transactional mail who need to verify DKIM integrity and catch key rotation issues immediately.

Frequently Asked Questions

What is DKIM?

DomainKeys Identified Mail adds a cryptographic signature to your outgoing emails. Receiving servers verify this signature to confirm the email wasn't tampered with in transit and truly came from your domain.

How do I find my DKIM selector?

Check your email headers for the 's=' tag in the DKIM-Signature header. Common selectors include 'google' (Google Workspace), 's1'/'s2' (Microsoft 365), 'k1' (Mailchimp), 'default', and 'selector1'/'selector2'.

What does a revoked DKIM key mean?

A revoked key has an empty p= tag. If your DKIM key is revoked in DNS, your emails will fail DKIM verification. This usually happens when an ESP rotates keys or when you delete a DNS record. Update your DNS immediately.

Do I need an InboxEagle account to use this tool?

No. This tool is completely free and requires no account or sign-up. InboxEagle provides it as a standalone resource for email marketers, developers, and agencies.

Your DKIM Key Can Be Revoked Without Warning

InboxEagle monitors your DKIM key status daily. If your ESP rotates keys and your DNS record isn't updated, your emails start failing authentication immediately. We alert you within minutes — before a campaign goes out to your list.

Start Free 14-Day Trial

No credit card required · Cancel anytime