Introducing the mySMTP DKIM Checker: Inspect, Verify & Score Your DKIM Records in Seconds
DKIM is one of the three pillars of email authentication — and one of the easiest things to get silently wrong. A missing record, a weak key, or a mismatched selector can quietly tank your deliverability without a single bounce or error message. Our new DKIM Checker gives you a complete picture of your DKIM setup, in real time, directly from your browser.
What Is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication standard that allows a sending domain to cryptographically sign outgoing messages. When an email arrives at a recipient's mail server, that server queries DNS to retrieve the sender's public key and uses it to verify the signature attached to the message.
If the signature is valid, it proves two things:
- The email genuinely originated from (or was authorized by) the stated domain.
- The message content was not tampered with in transit.
Without a valid DKIM signature, your emails are more likely to be flagged as suspicious by Gmail, Outlook, Yahoo, and other major providers — even if you have a perfect IP reputation. DKIM also feeds directly into DMARC, meaning a broken DKIM record can cause DMARC failures and result in emails being quarantined or rejected.
A DKIM misconfiguration doesn't generate bounce messages or delivery errors you can see. Emails simply get silently downranked or rejected at the inbox level — which is why regular, proactive checks matter.
Anatomy of a DKIM Record
A DKIM public key is stored as a TXT record in DNS, at a hostname structured like this:
The record itself is a semicolon-delimited string of tags. Here is a real-world example, colour-coded by tag:
The most critical tag is p= — the base64-encoded public key. Its length determines your key strength (in bits), which directly affects your security grade. A 2048-bit or larger RSA key is the current recommendation.
What the mySMTP DKIM Checker Does
The tool is a single, self-contained browser application — no login, no server, no data sent anywhere except to Google's public DNS-over-HTTPS service. It covers three distinct workflows:
Single Record Lookup
Enter any domain and selector to retrieve and fully analyze one DKIM record. Outputs a score, grade, full tag breakdown, key strength meter, and health checks.
Multi-Selector Scanner
Automatically tests a domain against a curated list of common DKIM selectors — useful for discovering active, legacy, or forgotten keys.
Key Comparison
Side-by-side comparison of two DKIM records across different domains or selectors — ideal for key rotation audits and migrations.
How to Use Section 1: Single DKIM Record Lookup
This is the main workhorse of the tool. In three fields and one click, you get a full DKIM diagnosis.
Enter your domain and DKIM selector
Type your sending domain (e.g. yourdomain.com) in the first field. In the selector field, enter the DKIM selector your mail provider configured — for mySMTP users, this is typically mysmtp or mysmtp2.
Not sure what your selector is? Check your email headers in Gmail by clicking More → Show original and searching for DKIM-Signature: — the s= tag is your selector.
You can also click any of the quick selector chips below the search bar to auto-fill the selector field. The green ✦ mysmtp chips are highlighted as the default selectors for mySMTP customers.
Read the status banner
After clicking Check DKIM, the first thing you'll see is a status banner confirming whether the record was found:
A green "found" banner means the DNS lookup succeeded and a DKIM record exists. An orange "not found" banner means the selector doesn't resolve — either the record was never created, or the selector name is wrong.
Check your score and grade
Beneath the status banner you'll find a score ring — a circular gauge showing your DKIM health score out of 100, and a letter grade from A to F.
The score is computed from a weighted combination of key strength, algorithm choice, hash algorithm, flag settings, and overall record validity. Here's what each grade means:
| Grade | Score Range | What it means |
|---|---|---|
| A | 90–100 | Excellent. Modern key size, best-practice algorithms, no issues. |
| B | 75–89 | Good. Minor improvements possible (e.g., key could be upgraded to 2048-bit). |
| C | 50–74 | Fair. Issues present — weak key or deprecated hash algorithm detected. |
| D | 25–49 | Poor. Significant vulnerabilities, likely a 512-bit or 1024-bit key. |
| F | 0–24 | Critical. Key may be revoked (empty p=), or MD5/SHA-1 hash in use. |
Review the tag breakdown
Below the score, every DKIM tag in the record is parsed and displayed in a structured table. Each row shows the tag name, its value, and a plain-English description of what it means:
Inspect the detail cards and key strength meter
The detail cards give you at-a-glance values for the most important DKIM attributes. Below them, the key strength meter shows visually how your RSA key size compares to current best practices:
2048-bit is the current industry minimum. 4096-bit offers stronger security but can cause DNS lookup failures in some environments due to UDP packet size limits. 1024-bit or smaller is considered broken and should be rotated immediately.
Review the health checks
The health check panel runs a series of automated tests against your DKIM record and flags any issues with a coloured dot and status badge:
Green dots are passing checks. Yellow dots are warnings — things that work but could be improved. Red dots are failures that should be addressed immediately.
Multi-Selector Scanner: Discover All Active Keys on a Domain
Most domains accumulate DKIM selectors over time — different providers, migrations, A/B tests, or simply selectors that were created and forgotten. The Multi-Selector Scanner automates the discovery process by testing a domain against a comprehensive list of known selectors simultaneously.
Enter the domain and click Scan
Just the domain name — no selector needed. The tool handles the rest.
A live progress bar tracks the scan as it runs. Each selector is queried in parallel where possible, so the full scan completes in a few seconds.
Review the results table
Once the scan completes, you'll see a results table listing every selector tested, its status, and — for found records — the key type and grade:
| Selector | Status | Key Type | Grade |
|---|---|---|---|
| mysmtp | Found | RSA-2048 | A |
| mysmtp2 | Found | RSA-2048 | A |
| selector1 | Not found | — | — |
| Not found | — | — |
Found selectors can be expanded to reveal the full record analysis inline. This is especially useful when auditing a domain that has been through multiple email provider changes.
Key Comparison: Audit Key Rotation and Migrations
When you rotate a DKIM key — or when you're migrating from one email provider to another — you need to verify that the old and new records are distinct, that algorithms match, and that tags are consistent. The Key Comparison section does this automatically.
Fill in Record A and Record B
Enter the domain and selector for each record you want to compare. These can be the same domain with two different selectors, or two entirely different domains.
Interpret the comparison result
The tool fetches both records, scores each one individually, and then runs a structured comparison across every tag. Key attributes checked:
- Public key match — are both records using the same private/public key pair?
- Algorithm match — do both use the same key type (RSA vs Ed25519)?
- Hash algorithm match — are the same hashing algorithms accepted?
- Tag-level diff — any tag that differs between the two records is listed explicitly.
In the example above, the public keys differ (expected after a rotation) but the algorithm and hash settings match — confirming a clean migration.
Common DKIM Issues and How to Fix Them
The tool will surface these automatically, but it helps to understand what you're looking at:
An empty p= tag means the key has been intentionally revoked. The record exists in DNS, but it actively signals to receiving servers that the key is no longer valid. Any mail signed with the old key will fail verification. Fix: Add the new public key to your DNS, or remove the record entirely if the selector is no longer used.
Keys of 1024 bits or smaller can be factored with modern computing resources and are no longer considered secure. Gmail and other providers may start penalizing senders using these keys. Fix: Generate a new 2048-bit key pair through your ESP, publish the new public key under a new selector, and retire the old one.
If you enter the correct domain but get a "not found" result, the selector name you're using doesn't match what's in DNS. Fix: Log into your ESP dashboard, find the DKIM configuration, and copy the selector name exactly. Case matters.
After adding or changing a DKIM record, DNS changes can take anywhere from a few minutes to 48 hours to propagate globally. If you just made a change and the tool isn't finding it yet, wait and try again. Most changes propagate within 30–60 minutes.
Using the DKIM Checker with mySMTP
If you're sending email through mySMTP, your DKIM selectors will typically be mysmtp and mysmtp2 — which is why these are highlighted with a special chip in the tool's interface.
To verify your mySMTP DKIM setup:
- Open the DKIM Checker.
- Enter your sending domain in the first field.
- Click the ✦ mysmtp chip to auto-fill the selector.
- Click Check DKIM.
- You should see a green "DKIM Record Found" banner and a Grade A or B score.
If the check fails, contact mySMTP support — we'll help you verify that your DNS records are correctly configured and that the DKIM keys match what your account expects.
Other Tools in the mySMTP Deliverability Toolkit
The DKIM Checker is one of 15+ free browser tools built for email deliverability. Here are some tools that pair naturally with a DKIM check: