inboxes.

DKIM CHECKER // SIGNATURES + KEYS

DKIM Checker: Selectors, Key Length, and Rotation, Verified

DKIM fails quietly: a selector nobody remembers publishing, a 1024-bit key from 2019, a signature that breaks only when one ESP rewrites a header. The Inboxes DKIM checker finds the selectors you actually sign with and verifies every one.

How testing works
Placement test live

Inbox placement

54%

··%

· ·

Authentication

SPF · DKIM · DMARC

checking 130+ blacklists

Sample data. Seed results are estimates, not guarantees.

12,400+ placement tests run 6+ providers 130+ blacklists Ranked fixes

What is a dkim checker?

A DKIM checker verifies the cryptographic signature proving an email was authorized by your domain and unaltered in transit. The hard part is knowing what to check: selectors are not discoverable from DNS alone. Inboxes reads real message headers from your placement tests, extracts every selector you actually sign with, and validates each published key: correct v=DKIM1 syntax, key length (1024-bit keys are still common and increasingly distrusted by providers; 2048-bit is the standard to publish), and alignment between the d= domain and your From domain. It also tracks key age, because selectors that never rotate are a quiet risk. When a signature fails at a seed mailbox, you see the provider, the selector, and the reason. DKIM passing is necessary, not sufficient: reputation still does the heavy lifting, and seed placement stays a directional estimate.

// example DKIM DNS entry for example.com

s1._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa;
  p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1v2rk..."
selector: s1 | key: rsa-2048 | age: 94 days | alignment: pass

A healthy key: 2048-bit, aligned with the From domain, rotated this quarter.

What you get

Dkim checker, done properly

Selector discovery from live mail

You cannot enumerate selectors by querying DNS. Inboxes pulls them from the DKIM-Signature headers of your real sends, including the ESP-managed ones you forgot exist.

Key strength, graded

1024-bit RSA keys still validate today but sit on borrowed time; some receivers already downgrade trust. The checker flags anything under 2048-bit with the exact record to replace.

Per-provider verification

A signature can survive Gmail and break at Outlook when an intermediary rewrites headers. The board shows dkim=pass or fail at every seed, not one synthetic verdict.

Rotation without breakage

Publish the new key at a fresh selector, confirm it verifies on the board, then retire the old one. Monitoring alerts you if either step goes sideways.

How it works

From send to fix list in four steps

01

Send a test through your ESP

A normal placement test carries your real DKIM-Signature headers to 27+ seed mailboxes.

02

See every selector

Inboxes lists each selector found, the signing domain, and the verification result per provider.

03

Audit the keys

Key length, syntax, alignment with your From domain, and age since last rotation, all in one readout.

04

Rotate and re-verify

Follow the guided rotation, re-test, and watch dkim=pass hold across the board before old keys retire.

The honest boundary: seed results are directional estimates and nobody can guarantee inbox placement. Inboxes finds the fixable causes, tells you exactly what to change, and monitors the result. No warmup networks, no bot opens, ever. Full detail on the methodology page.

Related deliverability tools

Run your first test in about five minutes