How to Check Your DKIM Setup in 60 Seconds

May 08, 2026

If your domain sends email — even just transactional notifications — DKIM is the single most important signal that your messages aren’t being silently dropped or shoved into spam. The good news: confirming it works takes under a minute and needs nothing more than a terminal.

What DKIM actually does

DKIM (DomainKeys Identified Mail) lets your mail server cryptographically sign every outbound message with a private key. The matching public key lives as a TXT record in your DNS. When a receiver gets your mail, it pulls that public key, verifies the signature, and now has cryptographic proof the message wasn’t tampered with in transit and really did originate from a server you authorized.

No DKIM? Then receivers have no signature to tell your real mail apart from a spammer spoofing your domain in the From header. Gmail and Microsoft are increasingly hostile to unsigned mail — many domains discover their DKIM is broken only when newsletters start landing in spam.

The 60-second check

Pick a recent email your domain sent and view its raw headers. The selector is the s= tag in the DKIM-Signature header of any signed message. Most domains use a selector like default, k1, google, or mail.

Then in any terminal, replacing default and yourdomain.com with your selector and domain:

dig TXT default._domainkey.yourdomain.com +short

Three things to check in the output:

  • It returns something. No output means no DKIM record, which means no signing.
  • It starts with v=DKIM1; k=rsa; p=. That’s the canonical format.
  • The p= value is long. Anywhere from 200 to 400+ characters of base64. A short or empty p= value means the key was revoked.

If all three are true, send a message to yourself and view the original. Look for dkim=pass in the Authentication-Results header. That’s your confirmation.

When it fails

Three common causes:

  1. The selector is wrong. Try mail, s1, k1, google, selector1, or whatever your mail provider documents.
  2. The TXT record is split incorrectly. DNS providers sometimes mangle long TXT records. The full key needs to be one logical record, even if dig displays it as several quoted chunks.
  3. The mail server isn’t actually signing. Some providers require you to enable signing per-domain, not just create the DNS record. Check your provider’s outbound mail config.
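
The three checks and the split-record failure above, as a script (an added example, not part of the original post): it takes the text dig printed, joins the quoted chunks into one logical record, and reports which check fails. It assumes an RSA key as the post does; the function names and verdict strings are this example's own, and the sample record is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): apply the three checks to the
# text printed by `dig TXT <selector>._domainkey.<domain> +short`.
# Assumes an RSA key, as the post does. Function names are this example's own.

# Join the quoted chunks of one TXT line ("abc" "def") into one logical string.
join_txt() {
    printf '%s\n' "$1" |
        sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' -e 's/"[[:space:]]*"//g'
}

# Print the value of tag $2 from joined record $1, with whitespace removed.
dkim_tag() {
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" | head -n 1 | tr -d '[:space:]'
}

# Print a verdict for the whole dig output in $1; return 0 only for "ok".
check_dig_output() {
    # TXT answers start with a quote; this drops blank lines and CNAME targets.
    out=$(printf '%s\n' "$1" | sed -n '/^[[:space:]]*"/p')
    [ -n "$out" ] || { echo "no-record"; return 1; }               # check 1
    n=$(printf '%s\n' "$out" | wc -l | tr -d '[:space:]')
    # The key must be one logical record, not several TXT records.
    [ "$n" -eq 1 ] || { echo "multiple-records:$n"; return 1; }
    rec=$(join_txt "$out")
    case "$rec" in                                                 # check 2
        v=DKIM1*) ;;
        *) echo "not-dkim1"; return 1 ;;
    esac
    p=$(dkim_tag "$rec" p)
    [ -n "$p" ] || { echo "empty-p"; return 1; }                   # revoked key
    case "$p" in                                                   # mangled record
        *[!A-Za-z0-9+/=]*) echo "bad-base64"; return 1 ;;
    esac
    [ "${#p}" -ge 200 ] || { echo "short-key:${#p}"; return 1; }   # check 3
    echo "ok:${#p}"
}

# Constructed sample, not a real key: 216 filler characters split into two
# quoted chunks, the way dig prints a long TXT record.
half=$(printf '%108s' '' | tr ' ' 'A')
sample="\"v=DKIM1; k=rsa; p=$half\" \"$half\""
check_dig_output "$sample"
```

To run it against a live record, pass the command's output as the argument: check_dig_output "$(dig TXT default._domainkey.yourdomain.com +short)".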

Why bother

Three reasons. First, your messages stop getting marked as spam in major mail systems. Second, you can publish a strict DMARC policy without breaking legitimate mail, which protects your domain from being spoofed by phishers. Third, security teams audit DKIM as part of every vendor questionnaire — having it set up correctly speeds up sales cycles in regulated industries.

Sixty seconds. No excuse.