Exact live DNS lookup
DKIM selector checker
Query the exact selector used by a sender and inspect safe key metadata without exposing the public-key material in the free result.
INPUT
Signing identity
No selector yet? Extract d= and s= from a real message header locally.
RESULT
Selector key
Use the exact d= domain and s= selector from a DKIM-Signature header or the sender's DNS setup instructions.
- TXT answers
- Key type
- Public key
- Key flags
The free checker omits raw TXT data, public-key material, and remediation actions. A published key still requires a real message signature to prove DKIM authentication and alignment.
Verification model
A selector turns DKIM into an exact DNS question
The selector and signing domain form one exact TXT hostname. Guessing common selector names cannot prove that DKIM is absent.
A non-empty p= carries public-key data. An explicitly empty p= means the selector has been revoked.
Modern DKIM uses SHA-256. The key record can identify RSA or Ed25519 and can restrict allowed hash algorithms.
Primary references: RFC 6376 DKIM, RFC 8301 cryptographic updates, and RFC 8463 Ed25519-SHA256.