DKIM lookup is the process of checking a domain's DKIM selector records in DNS and confirming that real messages are being signed with the expected selector and domain alignment.

If you are searching for , , , or , this guide explains both the DNS lookup and the message-validation workflow.

Quick answer

DKIM lookup should confirm:

  • the selector exists in DNS
  • the public key record is valid
  • the sending platform is using the expected selector
  • real messages show the expected DKIM result in headers

How DKIM lookup works

A DKIM record is published at:

When a message is sent, the headers typically include a selector in the field and a signing domain in the field. The receiver uses those values to locate the DKIM public key and verify the signature.

That means a DKIM lookup workflow needs both:

  • DNS visibility
  • message-level evidence

What a selector is

A selector is a prefix that identifies which public key should be used to validate a signature.

Selectors help teams:

  • rotate keys safely
  • separate environments or platforms
  • move between providers without one risky cutover

If the provider signs with selector , your DNS must publish .

Example DKIM lookup record

The DNS record commonly looks like this:

What to inspect:

  • confirms the record type
  • identifies the key type when present
  • contains the public key data

If is empty or malformed, the lookup may succeed at the DNS layer while signature validation still fails.

Step-by-step DKIM lookup workflow

  1. Capture the selector from the provider config or a real email header.
  2. Query the selector in DNS.
  3. Confirm the TXT record format is valid.
  4. Send a real test email.
  5. Inspect headers and confirm the message shows the expected selector and result.
  6. Review DMARC alignment if the From domain must enforce policy.

For the DNS check itself, use DKIM checker.

How to validate a real signed message

A DNS lookup alone is not enough. Also inspect the delivered message.

Useful fields include:

  • selector in
  • signing domain in
  • authentication summary in

Use Email header analyzer when you need a faster read of those fields.

Example header fields to inspect

In a real message header, you will often see something like:

This lets you verify three things quickly:

  • the signing domain in
  • the selector in
  • the receiver's final result in

That is the practical bridge between DNS lookup and real-world deliverability verification.

Common DKIM lookup failures

Selector does not exist

The sender references a selector that was never published or was removed too early during rotation.

Wrong selector in provider config

The DNS record exists, but the sending platform signs with a different selector than expected.

DNS propagation lag

The key was updated in the sending platform before the DNS change was fully visible.

Split or malformed TXT values

The record is present, but formatting errors make the key unusable.

Alignment mismatch

DKIM can pass cryptographically and still contribute poorly to DMARC if the signing domain does not align with the visible From domain strategy.

DKIM lookup and key rotation

Rotation is where many DKIM problems begin.

Safer rotation pattern:

  1. publish the new selector in DNS
  2. wait for propagation
  3. switch the sender to the new selector
  4. validate new messages
  5. keep the old selector active until queues drain
  6. remove the old selector only after confirmation

That sequence avoids the most common "messages suddenly lost DKIM pass" incident.

DKIM troubleshooting table

ProblemLikely root causeFastest check
after provider switchSelector mismatchCompare provider selector with DNS
Record exists but mail still failsHeader uses different valueInspect header
Intermittent failuresRotation or propagation overlapCheck old and new selectors together
DMARC fails while DKIM passesAlignment mismatchCompare with visible From domain

Use DKIM lookup with broader auth checks

DKIM should be evaluated alongside:

This gives teams both sender authentication detail and policy context.

Helpful tools

FAQ

What is DKIM lookup?

It is the process of checking a selector's DKIM record in DNS and confirming that real messages are signed with the expected selector and domain.

What is a DKIM selector?

It is the prefix used to locate the DKIM public key for a domain.

Is a DKIM lookup enough to prove mail is healthy?

No. You should also validate a real message and review SPF and DMARC alignment.

What should I do if DKIM suddenly fails?

Check the active selector, confirm the DNS record exists and propagated correctly, and inspect whether the sender configuration changed during rotation or provider migration.

Final take

DKIM lookup is part DNS verification and part live-message verification. Teams that check both sides catch selector drift faster and keep sender trust more stable through change windows.