Security check

DKIM check: prove your email is genuine

DKIM signs your mail cryptographically so the recipient can prove it wasn't tampered with. We check your selectors, key length and that signing works.

Run a free domain scan All checks β†’
Relates to: NIS2 Β· art. 21 β€” secure communications ISO 27001 Β· A.8.24 cryptography DKIM Β· RFC 6376

What we check

We find your DKIM selectors in DNS, verify that the public key exists and is at least 1024 bits (ideally 2048), and that it isn't a stale or revoked key but a valid signing key.

Why it matters

DKIM is the second pillar of DMARC. Without DKIM your entire spoofing protection rests on SPF, which breaks on forwarding. Weak or missing DKIM keys undermine trust in your email.

How Security Guru tests it

Common mistakes

  • 1024-bit key never rotated
  • DKIM exists but doesn't sign all outbound flows
  • Test selector left in production
  • Key revoked (p= empty) but still referenced

What you get in the report

  • Selectors found, key type and strength
  • Which sending flows lack DKIM
  • Recommended key length and rotation routine
  • Link to DMARC alignment

FAQ

How many selectors do I need?

One per sending provider is common (one for Google, one for your newsletter tool, etc.). We check that all your flows are actually signed.

Is 1024 bits insecure?

It's weaker than recommended. 2048 bits is today's standard. We flag 1024-bit keys that should be rotated up.

Do you read the email content?

No. The check is passive and only reads public DNS records.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan