DKIM record checker
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound mail so receivers can verify it was not altered and came from the domain. Enter a domain to probe common provider selectors for its published DKIM keys.
Runs the full report, including this check.
How DKIM discovery works
DKIM keys live at selector._domainkey.yourdomain. The
selector is chosen by the sender and cannot be enumerated from DNS,
so scan.mx probes the selectors used by the major providers (Google,
Microsoft 365, Proton, Zoho, Fastmail, and others) plus common
generic ones. Finding no key is reported as informational, not a
failure, since a custom selector may still exist.
Check a specific selector
If you know the selector (it appears in the DKIM-Signature header of
a received message as s=), the
API and
MCP check_dkim tool
accept an explicit selector for an exact lookup.