Skip to content

Free tool · Key length measured, not guessed

Is your DKIM key
actually strong?

DKIM signs every email so receivers know it's really you. Look up your record, read every tag in plain language, and see the true strength of the key behind it.

No selector? We'll scan the 17 that big providers publish under. The key length is measured with WebCrypto, not guessed — all in your browser.

Questions, answered honestly

What is a DKIM selector and why do I need one?

DKIM keys live at selector._domainkey.yourdomain, where the selector is a label chosen by whoever set up sending (google, selector1, s1…). A domain can hold many keys under different selectors. If you don't know yours, this tool scans the 17 selectors major providers use by default — but a custom selector has to be entered manually, because there's no way to enumerate them from outside.

How do you measure the key length — and why does it matter?

We import the public key with the browser's WebCrypto API and read its actual modulus, rather than estimating from the base64 string length (which is misleading). Key length matters because Gmail and others increasingly distrust or reject RSA keys under 1024 bits, and 2048 is the current standard. A short key silently weakens every signature you send.

My record shows an empty p= value. Is that bad?

It means the key was revoked. An empty public key is the official way to retire a selector — but if it's a selector you still sign with, every message fails DKIM. Either repoint your sender to a live selector or publish a fresh key.

What's the testing flag (t=y)?

It tells receivers to treat your DKIM as if it weren't deployed — useful while you confirm signing works, harmful if you forget to remove it. Many setups leave t=y in place for years, quietly getting none of DKIM's benefit. The checker flags it.

Should I use RSA or Ed25519 keys?

Ed25519 is modern, compact and strong, but some older receivers still only verify RSA — so the robust setup is to publish both under different selectors and sign with each. If you're picking one today, 2048-bit RSA is the safe universal choice.

Keep going

More free tools

All tools →

DKIM Generator

Need a fresh 2048-bit key? Generate one in your browser.

Domain Health Checker

DKIM in context — checked with SPF, DMARC and MX in one pass.

Email Header Analyzer

See whether a real message's DKIM signature actually verified and aligned.

Check it once here. Monitored on every send.

Norbelys checks DKIM — selector, key length, alignment — on every domain you connect, and keeps watching after, so a revoked or weakened key gets flagged before your replies dry up.

Start sending

From $29/mo · Cancel anytime