DKIM CHECKER // SIGNATURES + KEYS
DKIM Checker: Selectors, Key Length, and Rotation, Verified
DKIM fails quietly: a selector nobody remembers publishing, a 1024-bit key from 2019, a signature that breaks only when one ESP rewrites a header. The Inboxes DKIM checker finds the selectors you actually sign with and verifies every one.
Inbox placement
54%
··%
· ·
Authentication
checking 130+ blacklists
Sample data. Seed results are estimates, not guarantees.
What is a dkim checker?
A DKIM checker verifies the cryptographic signature proving an email was authorized by your domain and unaltered in transit. The hard part is knowing what to check: selectors are not discoverable from DNS alone. Inboxes reads real message headers from your placement tests, extracts every selector you actually sign with, and validates each published key: correct v=DKIM1 syntax, key length (1024-bit keys are still common and increasingly distrusted by providers; 2048-bit is the standard to publish), and alignment between the d= domain and your From domain. It also tracks key age, because selectors that never rotate are a quiet risk. When a signature fails at a seed mailbox, you see the provider, the selector, and the reason. DKIM passing is necessary, not sufficient: reputation still does the heavy lifting, and seed placement stays a directional estimate.
// example DKIM DNS entry for example.com
s1._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1v2rk..." selector: s1 | key: rsa-2048 | age: 94 days | alignment: pass
A healthy key: 2048-bit, aligned with the From domain, rotated this quarter.
What you get
Dkim checker, done properly
Selector discovery from live mail
You cannot enumerate selectors by querying DNS. Inboxes pulls them from the DKIM-Signature headers of your real sends, including the ESP-managed ones you forgot exist.
Key strength, graded
1024-bit RSA keys still validate today but sit on borrowed time; some receivers already downgrade trust. The checker flags anything under 2048-bit with the exact record to replace.
Per-provider verification
A signature can survive Gmail and break at Outlook when an intermediary rewrites headers. The board shows dkim=pass or fail at every seed, not one synthetic verdict.
Rotation without breakage
Publish the new key at a fresh selector, confirm it verifies on the board, then retire the old one. Monitoring alerts you if either step goes sideways.
How it works
From send to fix list in four steps
Send a test through your ESP
A normal placement test carries your real DKIM-Signature headers to 27+ seed mailboxes.
See every selector
Inboxes lists each selector found, the signing domain, and the verification result per provider.
Audit the keys
Key length, syntax, alignment with your From domain, and age since last rotation, all in one readout.
Rotate and re-verify
Follow the guided rotation, re-test, and watch dkim=pass hold across the board before old keys retire.
The honest boundary: seed results are directional estimates and nobody can guarantee inbox placement. Inboxes finds the fixable causes, tells you exactly what to change, and monitors the result. No warmup networks, no bot opens, ever. Full detail on the methodology page.