DKIM record lookup
DKIM (DomainKeys Identified Mail) signs outgoing mail with a private key; receivers fetch the matching public key from DNS to verify the signature. The key is stored as a TXT record at `<selector>._domainkey.<domain>`.
How to look it up
Four ways to query — pick by what's available on your machine.
dig (Google selector): `dig TXT google._domainkey.example.com +short`
dotdig: `dotdig dkim google example.com`
openssl verify (decode the base64 `p=` value and print the key details): `echo "$PUBKEY" | base64 -d | openssl rsa -pubin -inform DER -text -noout`
Sample response
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8p..."
Format
Selector convention: `<selector>._domainkey.<domain>`. The selector is chosen by the mailer (e.g. Google uses `google`, SendGrid uses `s1` and `s2`). The public key is the base64-encoded RSA key in the `p=` field.
Common pitfalls
- DKIM records are often longer than 255 characters, the limit for a single TXT string. Most DNS providers split the value into several quoted strings; whatever fetches the record MUST concatenate them. Verify with `dig +short`, then join the strings by hand.
- Selector mismatch: the mail provider says `s1` but you publish `mail`, so receivers cannot find the key. Always copy the selector exactly.
- Key rotation: revoke a selector by publishing an empty `p=` (e.g. `v=DKIM1; p=`). Don't delete the record; deleting it bypasses the rotation flow.
Why it matters for security
DKIM gives cryptographic proof of origin: a valid signature shows the signing domain vouched for the message. When the domain's DMARC policy says reject, receivers reject mail that is unsigned or whose signature fails to verify. RSA-1024 keys are weak; use RSA-2048 as the minimum.
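As an added example (not code from this page or from the dotdig project), a small Python checker that covers the pitfalls above and the key-size rule: it concatenates the quoted strings `dig +short` prints, parses the tag list, treats an empty `p=` as a revoked selector, and reads the RSA modulus size straight from the DER inside `p=` with no third-party library. The DER builder exists only to construct sample input; the moduli it is given are placeholders, not real keys.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption, as encoded in DER

def der(tag, body):  # minimal DER TLV encoder (only used to build the constructed sample key)
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def der_int(v):  # the extra byte keeps the sign bit clear for a leading 1 bit
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def spki(n, e=65537):  # SubjectPublicKeyInfo, i.e. what DKIM's p= carries base64-encoded
    return der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e))))

def read_tlv(buf, pos):  # returns (tag, value bytes, position after this element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(spki_bytes):
    _, body, _ = read_tlv(spki_bytes, 0)        # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = read_tlv(body, 0)              # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, bits, _ = read_tlv(body, pos)             # BIT STRING; byte 0 is the unused-bit count
    _, rsakey, _ = read_tlv(bits, 1)             # RSAPublicKey SEQUENCE { n, e }
    _, n, _ = read_tlv(rsakey, 0)
    return int.from_bytes(n, "big").bit_length()

def parse_dkim_txt(dig_short):
    record = "".join(re.findall(r'"([^"]*)"', dig_short))  # concatenate the quoted strings first
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}

def check_dkim(dig_short, min_bits=2048):
    tags = parse_dkim_txt(dig_short)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return ("invalid", 0)
    p = re.sub(r"\s", "", tags.get("p", ""))     # folding whitespace inside p= is permitted
    if not p:
        return ("revoked", 0)                     # empty p= means the selector was retired
    bits = rsa_modulus_bits(base64.b64decode(p))
    return ("ok" if bits >= min_bits else "weak", bits)

def sample_dig_output(n, chunk=255):  # constructed dig +short output, split at the 255-char string limit
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki(n)).decode()
    return " ".join('"%s"' % value[i:i + chunk] for i in range(0, len(value), chunk))
```

`check_dkim(sample_dig_output((1 << 2047) | 0xC0FFEE))` returns `('ok', 2048)`, the 1023-shift variant returns `('weak', 1024)`, and `check_dkim('"v=DKIM1; p="')` returns `('revoked', 0)`; feed it real `dig +short` output to audit a live selector.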
Use cases
- Verifying mail provider DKIM setup
- DKIM key rotation auditing
- Spam triage (mail without DKIM = suspicious)
- DMARC alignment check
Look up DNS without flag soup
dotdig is a friendly DNS resolver — formatted output, custom resolver support, DNSSEC validation. Zero-config alternative to dig.