DKIM record checker

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound mail so receivers can verify it was not altered and came from the domain. Enter a domain to probe common provider selectors for its published DKIM keys.

Runs the full report, including this check.

How DKIM discovery works

DKIM keys live at selector._domainkey.yourdomain. The selector is chosen by the sender and cannot be enumerated from DNS, so scan.mx probes the selectors used by the major providers (Google, Microsoft 365, Proton, Zoho, Fastmail, and others) plus common generic ones. Finding no key is reported as informational, not a failure, since a custom selector may still exist.

Check a specific selector

If you know the selector (it appears in the DKIM-Signature header of a received message as s=), the API and MCP check_dkim tool accept an explicit selector for an exact lookup.

Frequently asked questions

Why does scan.mx say no DKIM key was found?
DKIM selectors cannot be listed from DNS. scan.mx checks the selectors used by common providers, but a domain may sign with a custom selector the probe does not cover. Check the s= value in a received message DKIM-Signature header and look up that exact selector.
How do I find my DKIM selector?
Send yourself an email and view the raw headers. The DKIM-Signature header contains d= (your domain) and s= (the selector). Look up selector._domainkey.yourdomain to see the published key.