Verify DKIM TXT record by domain and selector
DKIM (DomainKeys Identified Mail) lets receiving mail servers verify that an email was sent from the claimed domain and was not altered in transit. The sending server signs message headers with a private key; recipients verify the signature using the public key published in DNS.
A DKIM selector is a label that allows multiple DKIM keys for one domain. It appears in the DKIM-Signature email header as s=. Find yours in any outgoing email's raw headers. Common selectors: google, default, mail, s1, selector1/selector2, k1.
Minimum 1024 bits, recommended 2048 bits. Keys shorter than 1024 bits are unsafe since 2012. Modern providers use 2048-bit keys. Ed25519 provides equivalent security with a much shorter key.
An empty p= means the DKIM key is revoked. Emails with that selector will fail verification. This is the recommended retirement procedure â publish p= empty before removing the DNS record.