DKIM Record Checker
Paste a DKIM TXT record value (v=DKIM1; k=rsa; p=...). Tag-by-tag validation against RFC 6376: v= (must be DKIM1), k= (rsa / ed25519), p= (base64 public key with RSA modulus bit count inferred from DER), h= (hash algos), s= (service types), t= (flags: y=testing, s=strict). 100% offline.
What is the DKIM Record Checker?
DKIM Record Checker parses a DKIM TXT record value and validates every tag against RFC 6376. Required tags: v= (must be DKIM1), p= (base64 public key — empty means revoked). Optional but checked: k= (key type: rsa default or ed25519), h= (acceptable hash algorithms — flags SHA-1 as deprecated, missing sha256 as a warning), s= (allowed service types, default `*`), t= (flag list — y=testing, s=strict subdomain alignment), n= (free-text notes). For RSA keys we decode the base64 then walk the DER-encoded SubjectPublicKeyInfo to read the modulus length precisely — < 1024 bits is rejected, < 2048 bits is warned, ≥ 2048 is OK. Ed25519 keys are recognised and noted but the size check doesn't apply. Each parsed tag appears in a table with its meaning column.
How to use it
- Look up your TXT record: `dig txt selector._domainkey.example.com` (replace 'selector' with the DKIM selector your mail provider gave you).
- Paste the value (with or without the surrounding quotes).
- Read Findings for missing required tags, weak keys, deprecated hashes.
- Check the Tags table for each parsed tag and its meaning.
Benefits
- RFC 6376 compliant — every defined tag validated.
- RSA modulus bit count inferred precisely from DER (1024 / 2048 / 4096+).
- Ed25519 detection for newer accounts.
- Flags SHA-1 in h= as deprecated (modern receivers ignore it).
- Detects empty p= (revoked key).
- Tag table with meaning column — useful for documentation.
- Settings persist in localStorage.
- Runs 100% in your browser — no DNS lookups, no third-party services.
Frequently asked questions
Can it fetch my DKIM record automatically?
No — DNS lookups require a backend. Use `dig`, `nslookup`, or your DNS provider's web UI to fetch the TXT, then paste here.
What's a 'selector'?
A short string (often the mail provider name + an index, like `s1`, `selector1`, or `mailo._domainkey`). Your DKIM record lives at `<selector>._domainkey.<your-domain>`. The selector you choose is up to you; mail providers usually pick one for you.
How is RSA key length inferred?
We base64-decode the p= value, parse the DER SubjectPublicKeyInfo, find the RSA modulus INTEGER, and count its bytes (stripping the leading 0x00 sign byte if present). That gives a precise bit count — no estimation.
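The DER walk described above, written out as an added example (this is not the tool's own code). The function names are assumptions made for illustration, `sampleRecord` builds a constructed SPKI around a filler modulus rather than a real key, and the thresholds are the ones stated on this page.

```javascript
// Read one DER TLV header at `off`, require `tag`, return the content bounds.
function readTlv(buf, off, tag) {
  let len = buf[off + 1], pos = off + 2;
  if (len & 0x80) {                         // long form: low 7 bits = number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new Error("unsupported DER length");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[pos++];
  }
  if (buf[off] !== tag || !(pos + len <= buf.length)) throw new Error("malformed DER");
  return { start: pos, end: pos + len };
}

// Modulus size of an RSA SubjectPublicKeyInfo given as base64 (the p= value).
function rsaModulusBits(p) {
  const der = Uint8Array.from(atob(p.replace(/\s+/g, "")), c => c.charCodeAt(0));
  const spki = readTlv(der, 0, 0x30);               // SubjectPublicKeyInfo SEQUENCE
  const alg = readTlv(der, spki.start, 0x30);       // AlgorithmIdentifier, skipped (OID not checked)
  const bitStr = readTlv(der, alg.end, 0x03);       // BIT STRING wrapping RSAPublicKey
  const rsa = readTlv(der, bitStr.start + 1, 0x30); // +1 skips the unused-bits byte
  const mod = readTlv(der, rsa.start, 0x02);        // first INTEGER is the modulus
  return (mod.end - mod.start - (der[mod.start] === 0 ? 1 : 0)) * 8; // drop the 0x00 sign byte
}

// Split a TXT value into tags; quoted 255-character chunks are joined first.
function parseTags(record) {
  const joined = record.trim().replace(/"\s*"/g, "").replace(/^"|"$/g, "");
  return Object.fromEntries(joined.split(";").filter(s => s.includes("="))
    .map(s => [s.slice(0, s.indexOf("=")).trim(), s.slice(s.indexOf("=") + 1).trim()]));
}

// Verdict for the key-related tags, using the thresholds stated on this page.
function checkDkimKey(record) {
  const t = parseTags(record);
  if (t.v !== "DKIM1") return { status: "error", note: "v= must be DKIM1" };
  if (!t.p) return "p" in t ? { status: "revoked" } : { status: "error", note: "p= missing" };
  if ((t.k || "rsa") === "ed25519") return { status: "ok", note: "ed25519: size check not applied" };
  let bits; try { bits = rsaModulusBits(t.p); } catch (e) { return { status: "error", note: e.message }; }
  return { status: bits < 1024 ? "reject" : bits < 2048 ? "warn" : "ok", bits };
}

// Constructed sample: a well-formed SPKI around a filler modulus (not a usable key).
function sampleRecord(bits) {
  const len = n => n < 128 ? [n] : n < 256 ? [0x81, n] : [0x82, n >> 8, n & 255];
  const tlv = (tag, b) => [tag, ...len(b.length), ...b];
  const rsa = tlv(0x30, [...tlv(0x02, [0, ...Array(bits / 8).fill(0xc3)]), ...tlv(0x02, [1, 0, 1])]);
  const alg = tlv(0x30, [0x06, 9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 1, 1, 1, 0x05, 0]);
  return "v=DKIM1; k=rsa; p=" + btoa(String.fromCharCode(...tlv(0x30, [...alg, ...tlv(0x03, [0, ...rsa])])));
}
```

`checkDkimKey(sampleRecord(1024))` returns a `warn` verdict with `bits: 1024`; a p= value that does not decode to a SubjectPublicKeyInfo comes back as `error` instead of throwing.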
Why is < 2048-bit RSA a warning?
1024-bit RSA was deprecated by NIST in 2018. Many large receivers (Gmail, Outlook) accept it but log it as weak; some may reject it in coming years. Anything new should be 2048 minimum, 4096 if your mail volume warrants it.
Should I use RSA or Ed25519?
Ed25519 is faster and produces smaller signatures, but DKIM-Signature support for Ed25519 is uneven. Gmail handles it; some legacy receivers may still ignore Ed25519 signatures and fall back to evaluating only an RSA signature if present.
What does t=y do?
Testing mode. Receivers should treat DKIM failures as soft (informational) rather than rejecting. Use during initial rollout, then remove once aggregate reports are clean.
What does t=s do?
Strict subdomain alignment. The d= domain in DKIM-Signature must exactly match the From: header domain (not just be a parent). Use when you want to enforce that the signer is the same domain as the From.
What's the empty p= value for?
Revocation. If you publish `v=DKIM1; p=;` it explicitly tells receivers this selector is no longer valid — useful when rotating selectors without breaking DNS caches that have already fetched the record.
Is there a max DKIM record size?
DNS TXT records are limited to 255-character chunks (joined by the resolver). DKIM records with 4096-bit RSA keys typically span two chunks; the parser auto-joins them.
Are my pastes saved?
Yes — the input persists in localStorage under `toollyz:dkim-input`.
Is anything uploaded?
No. Parsing runs entirely in your browser, including the base64 decode and DER walk.