/ developer & network toolbox
← all tools

$ dkim

server-side

DKIM Checker

Fetch a DKIM public key by selector and flag revoked (empty p=) or test-mode keys.

dkim — invoker.tools

About the DKIM Checker

The DKIM lookup tool retrieves a domain's DKIM public key from DNS using the selector and domain you provide, querying the standard selector._domainkey.domain location. It parses the record's tags so you can read the key type, public key, and any flags without decoding the raw TXT record by hand.

Use it to confirm a DKIM selector is published correctly when setting up email authentication, or to diagnose signing problems. The lookup happens on the server against live DNS, and the tool flags two common issues: a revoked key (an empty p= value) and a selector running in test mode (t=y), both of which affect how receivers treat your signed mail.

How to use it

  1. Enter the domain whose DKIM key you want to check.
  2. Enter the DKIM selector (often found in the d= and s= tags of a signed email's DKIM-Signature header).
  3. Run the lookup to query selector._domainkey.domain in DNS.
  4. Review the parsed key tags such as v, k, and p.
  5. Check for warnings about a revoked key or test-mode selector.

Examples

  • Look up selector google with domain example.com to fetch the published key at google._domainkey.example.com.
  • Find a selector with an empty p= tag and see it flagged as revoked, meaning the key has been retired.
  • Spot a t=y tag and learn the selector is in test mode, so receivers should not act on DKIM failures yet.

Frequently asked questions

What is a DKIM selector?

A selector is a label that lets a domain publish multiple DKIM keys. Combined with the domain it forms the DNS name selector._domainkey.domain where the public key is stored.

How do I find my DKIM selector?

Look at the DKIM-Signature header of a signed email: the s= tag is the selector and the d= tag is the signing domain. You can also get it from your email provider's DNS setup instructions.

What does an empty p= value mean?

An empty p= tag means the key has been revoked. The DKIM record still exists, but it no longer contains a usable public key, so signatures referencing it cannot be verified.

What is DKIM test mode (t=y)?

The t=y flag marks a selector as being in test mode. Receivers are expected to treat verification results as informational and not penalize messages that fail, which is useful while rolling out DKIM.

Is the DKIM lookup done locally or on the server?

The DNS query runs on the server using the selector and domain you supply, then the parsed result is returned to you. The values you enter are sent to the server to perform the lookup.

What is the difference between DKIM, SPF, and DMARC?

DKIM cryptographically signs messages, SPF authorizes which servers may send for a domain, and DMARC ties the two together with a policy. This tool checks the DKIM public key specifically.

More email / dns tools

SPF CheckerDMARC CheckerMX LookupEmail Header Analyzer