OSH.co.za - Email Deliverability and DMARC Specialists

🔒 OSH.co.za Domain Deliverability Checker

SPF, DKIM, DMARC, FCrDNS, Blacklists & Inbox Prediction

DKIM Checker

Enter a domain to check all DKIM selectors. Detects email provider, validates key strength, and follows CNAME delegation.

Check a Custom Selector

Enter a specific DKIM selector to look up. Separate multiple selectors with commas.

Frequently Asked Questions

Common questions about DKIM and email sender authentication.

DKIM (DomainKeys Identified Mail, defined in RFC 6376) is an email authentication method that allows a sending domain to cryptographically sign outgoing messages. The sending mail server attaches a digital signature in the DKIM-Signature header of each email. The receiving mail server then retrieves the public key from the sender's DNS (at {selector}._domainkey.{domain}) and uses it to verify the signature. A passing DKIM check confirms that the email was sent by an authorised sender for that domain and that the message body and selected headers were not altered in transit. DKIM is one of the two authentication methods used by DMARC (alongside SPF), and at least one must pass and align for a DMARC pass.

A DKIM selector is a label that identifies which public key to use for verifying a DKIM signature. It forms the subdomain used for DNS lookup: {selector}._domainkey.{domain}. Selectors allow a domain to publish multiple DKIM keys simultaneously, for example one per email provider or one for each rotation period. The selector is included in the DKIM-Signature header of every signed email so the receiving server knows which DNS record to fetch. Common selectors include google (Google Workspace), selector1 / selector2 (Microsoft 365), s1 / s2 (SendGrid), and k1 (Mailchimp). If you use a provider whose selector is not in the common list, use the custom selector field above to check it manually.

You should have one DKIM record for every service authorised to send email on behalf of your domain. If you send through Google Workspace, Microsoft 365, and a marketing platform like Mailchimp, you would typically have three separate DKIM records: one for each provider, each under a different selector. There is no hard limit. Having multiple DKIM records is normal and recommended: it lets you independently rotate or revoke individual keys without affecting other senders. What you should avoid is having no DKIM records, or having duplicate records under the same selector (which would cause ambiguous key lookups). Google and Yahoo now require DKIM for bulk senders as a condition of inbox delivery.

DKIM keys use RSA public key cryptography. The key strength (in bits) determines how difficult it is to crack the key. Older DKIM implementations used 1024-bit keys, which are now considered weak: a well-resourced attacker could potentially factor a 1024-bit RSA key. The current recommendation is to use at least 2048-bit keys, and some providers generate 4096-bit keys for extra security. This checker estimates key strength by examining the length of the base64-encoded public key in the p= field of the DKIM record. If your key is shown as 1024-bit (or lower), you should rotate to a 2048-bit key using your email provider's control panel. Google Workspace, Microsoft 365, and most modern ESPs support 2048-bit DKIM keys.
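The p= length estimate described above can be cross-checked by decoding the key and reading the RSA modulus size directly. The following is an added example, not this checker's own code: the function names are hypothetical, and the sample records are constructed with a filler modulus rather than a real key.

```python
import base64

def parse_tags(txt):  # split a DKIM TXT record into tags, dropping folding whitespace
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def read_tlv(buf, pos):  # one DER element -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_modulus_bits(spki):  # spki: the DER SubjectPublicKeyInfo carried in p=
    _, start, _ = read_tlv(spki, 0)              # outer SEQUENCE
    _, _, start = read_tlv(spki, start)          # skip AlgorithmIdentifier
    tag, start, _ = read_tlv(spki, start)        # BIT STRING wrapping the key
    _, start, _ = read_tlv(spki, start + 1)      # RSAPublicKey, after unused-bits byte
    mod_tag, start, end = read_tlv(spki, start)  # INTEGER modulus
    if (tag, mod_tag) != (0x03, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(spki[start:end], "big").bit_length()

def check_dkim_record(txt):
    """Return (verdict, modulus_bits) for one selector's TXT record."""
    tags = parse_tags(txt)
    if not tags.get("p"):
        return "revoked", None      # an empty p= means the key was revoked
    if tags.get("k", "rsa") != "rsa":
        return "not-rsa", None      # e.g. k=ed25519 has no modulus to measure
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    except (ValueError, IndexError):
        return "malformed", None
    return ("weak" if bits < 2048 else "ok"), bits

def der(tag, body):  # DER-encode one element; only used to build the sample
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed record with a filler modulus of `bits` bits, not a usable key."""
    key = der(0x30, der(0x02, b"\x00" + b"\xc3" * (bits // 8)) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption + NULL
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + key))).decode()
```

For these sample records the p= value is 216 base64 characters at 1024 bits and 392 at 2048 bits, which is the relationship a length-based estimate relies on.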

Data Collection: This DKIM Checker processes data to provide results. When you enter a domain name and submit it for checking, the domain name is used to perform DNS TXT lookups at known DKIM selector subdomains (e.g. google._domainkey.{domain}). DNS queries are performed client-side via Google DNS-over-HTTPS. No domain names or results are stored. We do not store, log, or share the domain names or data you submit beyond what is necessary to return your results.

Data Usage: Your input is used solely to generate results. No data is saved, analysed for profiling, or shared with third parties. Each new check operates independently.

DNS Lookups: To check your domain, we perform DNS queries via Google's DNS-over-HTTPS (dns.google). These queries are subject to Google's Privacy Policy. Only the domain name is transmitted, with no personally identifiable information.

Support Requests: If you submit a support request, your name, email address, and message are transmitted securely to our support team via SMTP2Go. This information is used solely to respond to your query.

Analytics: We may collect anonymized usage statistics (page views, tool usage frequency) to improve functionality. This does not include the domain names you check or any personally identifiable information.

Contact: For privacy enquiries or questions, please contact us at support@osh.co.za or visit osh.co.za/contact.