DNS DKIM Record
DomainKeys Identified Mail
What is a DKIM Record?
DKIM (DomainKeys Identified Mail) is an email authentication standard that uses public-key cryptography to verify that an email message was sent by an authorized server and hasn't been modified in transit. A DKIM record is published as a DNS TXT record at a specific selector subdomain (e.g., selector._domainkey.example.com) and contains the public key used to verify DKIM signatures.
When a DKIM-enabled mail server sends an email, it creates a digital signature of the message headers and body using the domain's private key, and adds this signature as a DKIM-Signature header. The receiving server extracts the selector (s=) and domain (d=) from this header, looks up the corresponding DKIM DNS record to get the public key, and uses it to verify the signature. If the signature is valid, the email is confirmed as authentic and unmodified.
DKIM selectors allow a domain to have multiple DKIM keys simultaneously, which is useful for key rotation and when multiple services send email on behalf of the domain. For example, Google Workspace might use selector 'google', while SendGrid uses 's1'. Each service has its own private key and publishes its corresponding public key at its selector subdomain. This architecture makes DKIM highly flexible for organizations using multiple email sending services.
Syntax & Examples
A DKIM record is a TXT record at the selector._domainkey subdomain:
google._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSma0axspqYK5iAj+54lsAg4qRRCnpKZyiGGQXO5BP/5aqMIlOETNyLSmDa5erVPejxvBqHoaQmFn+1Y+ABCDEFGHIJKLMNOP+QRSTUVWXYZ=="
Key tags: v=DKIM1 (version), k= (key type: rsa or ed25519), p= (public key in base64, required — empty p= value revokes the key). For longer keys, the TXT string is split across multiple quoted strings:
s1._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEF" "AAOCAQ8AMIIBCgKCAQEA2Onk...long_key..."
How to Query DKIM Records
To query DKIM records using dig, you need to know the selector name. Run: dig selector._domainkey.example.com TXT. For Google Workspace: dig google._domainkey.example.com TXT. For concise output: dig +short google._domainkey.example.com TXT. Common selectors include 'google' (Google), 's1'/'s2' (various ESPs), 'selector1'/'selector2' (Microsoft 365), and 'k1' (Mailchimp).
With nslookup, use: nslookup -type=TXT selector._domainkey.example.com. On Windows PowerShell: Resolve-DnsName -Name selector._domainkey.example.com -Type TXT. To find the selector from an email, view the email headers and look for the DKIM-Signature header: the 's=' tag contains the selector name. Without the selector, a domain's DKIM records cannot be discovered directly, because DNS offers no way to list the names under _domainkey.
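The lookup and record checks described above, as an added example that is not part of this page: it derives the TXT query name from a DKIM-Signature header's s= and d= tags, joins a record that a resolver returns as several quoted strings, and validates the v=, k= and p= tags, including the empty-p= revocation case. The record and header values are constructed samples with a placeholder key, not real keys; the RSA length and Ed25519 checks follow RFC 8301 and RFC 8463.

```python
import base64
import binascii

def parse_tags(value):
    """Parse a DKIM tag=value list. The same syntax is used by the DKIM-Signature
    header and the TXT record; whitespace inside a value is not significant."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def dkim_query_name(signature_header):
    """Build the TXT name a verifier looks up from the header's s= and d= tags."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_dkim_record(txt_strings):
    """Validate a DKIM TXT record given as the list of quoted strings a resolver
    returns (a long key is split across several of them)."""
    rec = parse_tags("".join(txt_strings))
    if rec.get("v", "DKIM1") != "DKIM1":
        return "invalid: v= must be DKIM1 when present"
    if "p" not in rec:
        return "invalid: p= is required"
    if rec["p"] == "":
        return "revoked: empty p= tag"
    try:
        key = base64.b64decode(rec["p"], validate=True)
    except (binascii.Error, ValueError):
        return "invalid: p= is not valid base64"
    ktype = rec.get("k", "rsa")  # k= defaults to rsa when absent
    if ktype == "ed25519":  # RFC 8463: p= is the raw 32-byte public key
        return "ok: ed25519" if len(key) == 32 else "invalid: ed25519 key must be 32 bytes"
    if ktype == "rsa":
        # p= is a DER SubjectPublicKeyInfo: 294 bytes for a 2048-bit key with the
        # usual exponent 65537, 162 bytes for 1024-bit. RFC 8301 recommends >= 2048.
        return "ok: rsa" if len(key) >= 292 else "weak: rsa key shorter than 2048 bits"
    return f"invalid: unknown key type {ktype}"

# Constructed samples (not the page's records). The key bytes are a placeholder,
# not a real public key; the record is split into two quoted strings as in a zone file.
PLACEHOLDER_KEY = base64.b64encode(b"\x2a" * 294).decode()
SAMPLE_RECORD = ["v=DKIM1; k=rsa; p=" + PLACEHOLDER_KEY[:60], PLACEHOLDER_KEY[60:]]
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; d=example.com; s=s1; c=relaxed/relaxed;\r\n"
                    "\th=from:to:subject:date; bh=placeholder; b=placeholder")
```

Feed the strings returned by dig or Resolve-DnsName into check_dkim_record; a result starting with "revoked" or "weak" is what a mail administrator should act on.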
Frequently Asked Questions
What is a DKIM record?
A DKIM record is a DNS TXT record that contains the public key for verifying DKIM email signatures. It's published at selector._domainkey.yourdomain.com. When a receiving server gets a DKIM-signed email, it looks up this record to retrieve the public key and verify the message's cryptographic signature.
What is a DKIM selector?
A DKIM selector is a name that identifies a specific DKIM key pair. It allows a domain to have multiple DKIM keys for different email services or key rotation. The selector is included in the DKIM-Signature email header (s= tag) so receivers know which DNS record to query for the public key.
How do I find the DKIM selector for my domain?
Check the DKIM-Signature header in a sent email — the 's=' tag contains the selector. For common services: Google Workspace uses 'google', Microsoft 365 uses 'selector1' and 'selector2', Mailchimp uses 'k1', and SendGrid uses 's1' and 's2'. Your email provider's documentation will specify the selector.
Can I use CNAME records for DKIM?
Yes, many email service providers use CNAME records for DKIM instead of directly publishing TXT records. For example, Microsoft 365 asks you to create CNAME records like selector1._domainkey.example.com pointing to selector1-example-com._domainkey.example.onmicrosoft.com. This allows the provider to manage key rotation automatically.
How often should I rotate DKIM keys?
It's recommended to rotate DKIM keys every 6-12 months, or immediately if a key compromise is suspected. Publish the new key with a new selector, update your mail server to sign with the new key, and keep the old key active for a period to allow in-transit emails to be verified. Then remove the old DKIM record.