What is DKIM and how does it work?
DKIM, or DomainKeys Identified Mail, lets a sending server cryptographically sign outgoing messages with a private key. The matching public key is published as a TXT record in DNS at a selector you choose. Receivers fetch the public key, verify the signature, and confirm the message has not been altered in transit and really came from a server authorized to sign for the domain. DKIM is a core pillar of modern email authentication.
What is a DKIM selector?
A selector is a label that lets a domain publish multiple DKIM keys at the same time. The DNS lookup happens at selector._domainkey.example.com. Each sender, vendor, or rotation generation gets its own selector. Common values include "default", "google", "k1", "s1", "mailgun", and so on. The checker requires you to enter both the domain and the selector, then validates the key length, syntax, and any deprecation flags.
How long should a DKIM key be?
Modern guidance is at least 2048 bits. Older 1024-bit keys still work but are considered weak by major mailbox providers, and Google now flags them in Postmaster Tools. Rotating to a longer key requires generating a new selector, publishing the new public key, signing with the new private key, and eventually retiring the old selector. The checker reports the key length so you can plan rotations confidently.
Why do DKIM signatures fail in transit?
Mailing lists, forwarders, and some security gateways modify message content or headers in ways that break the original signature. This is normal, and is one reason DMARC also accepts SPF as an authentication path. To minimize breakage, sign with relaxed canonicalization, avoid signing volatile headers, and instruct mailing lists to rewrite the From header so they take responsibility for the new content.
What does the v=DKIM1 prefix mean?
v=DKIM1 declares the version of the DKIM record format. It is followed by the key type (k=), the public key (p=), an optional service type (s=), optional flags (t=), and an optional notes field (n=). If a record is missing v=DKIM1 or the public key is empty, receivers cannot validate signatures. The checker parses these fields and warns when any required component is missing or malformed.
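The record checks described above and the key-length check from the earlier answer can be sketched as follows. This is an added example, not the checker's own code: the function names are hypothetical, only RSA keys are measured, and the sample record is built in the code with a constructed modulus rather than fetched from DNS.

```python
import base64

def parse_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, dropping whitespace inside values."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _tlv(buf, pos):  # read one DER element -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of a DER RSA SubjectPublicKeyInfo (the decoded p= value)."""
    t1, s, _ = _tlv(spki, 0)        # SubjectPublicKeyInfo SEQUENCE
    t2, _, alg_end = _tlv(spki, s)  # AlgorithmIdentifier SEQUENCE
    t3, s, _ = _tlv(spki, alg_end)  # BIT STRING wrapping the key
    t4, s, _ = _tlv(spki, s + 1)    # RSAPublicKey SEQUENCE, after the unused-bits byte
    t5, s, e = _tlv(spki, s)        # INTEGER modulus
    if (t1, t2, t3, t4, t5) != (0x30, 0x30, 0x03, 0x30, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(spki[s:e], "big").bit_length()

def check_record(txt):
    """Return (rsa_key_bits_or_None, warnings) for one DKIM key record."""
    tags, bits = parse_tags(txt), None
    warnings = [] if tags.get("v") == "DKIM1" else ["v=DKIM1 missing"]
    if not tags.get("p"):
        warnings.append("p= missing or empty")
    elif tags.get("k", "rsa") == "rsa":
        try:
            bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
            if bits < 2048:
                warnings.append(f"{bits}-bit RSA key is below 2048 bits")
        except (ValueError, IndexError):
            warnings.append("p= is not base64 DER for an RSA key")
    return bits, warnings

# Constructed sample input: modulus is 2**(bits-1)+1, the right size but not a usable key.
def _der(tag, body):
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_record(bits):
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + key))).decode()
```

Calling check_record(sample_record(1024)) returns the key size together with the below-2048 warning; a real record would be the TXT value retrieved from selector._domainkey.example.com.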
How often should I rotate DKIM keys?
A common cadence is every six to twelve months, plus an immediate rotation if the private key is ever exposed. Rotations involve creating a new selector, publishing the new public key, switching the signer to the new selector, and removing the old record after enough time has passed for in-flight mail to be verified. Automated platforms handle this for you; self-managed senders need to schedule the rotation manually.