DMARCER
Sign in Get started
Platform

DKIM, discovered and kept healthy

DKIM cryptographically proves your mail wasn't tampered with in transit - but it fails silently when keys are too short, hashes are deprecated, or selectors go stale, and nobody notices until authentication breaks. DMARCER finds every selector you actually use and watches them for you.

Auto

Selector discovery from DNS & reports

4

Health checks on every selector

0–100

Findings feed your score, raise alerts

DKIM is set-and-forget – until it quietly breaks

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message you send, so a receiving server can prove the mail genuinely came from your domain and wasn’t altered on the way. The signature is created with a private key held by your sending service and checked against a matching public key you publish in DNS under a label called a selector. When it works, it’s invisible. That’s the trap.

DKIM doesn’t throw an error when it weakens. A key that was fine years ago is now too short to be trusted; a hashing method has since been deprecated; a selector you rotated away from is still sitting in your zone; a tag in the record is misconfigured. None of these stops a message leaving – they just slowly erode the trust receivers place in your mail until one stops accepting the signature, your DMARC alignment breaks, and legitimate mail starts landing in spam. The failure is silent, so it’s found late.

Why this matters – whoever you are

  • Running your own domains? You learn a key has weakened or a selector has gone stale before a receiver does – not after your mail starts failing.
  • Managing clients? You keep DKIM healthy across every client without manually auditing each one’s selectors by hand.

First, find the selectors you actually use

You can’t check what you can’t see – and most teams have no single list of every DKIM selector in play, because each sending service adds its own. DMARCER builds that list for you from two independent sources: the records published in your DNS zone, and the selectors that show up in your DMARC reports as mail is actually sent. Together they reveal the selectors genuinely in use, including ones you’d forgotten or never knew were there. No manual list to compile or maintain.

From your DNS zone

DMARCER reads the DKIM records published under your domain, picking up the selectors that are already in place – including legacy ones left behind by past services.

From your DMARC reports

The reports mail providers send back name the selectors your real mail is being signed with – surfacing live senders you might not have on any list.

Then check each one, continuously

Discovery is only the start. DMARCER re-checks every selector it finds, watching for the specific problems that erode DKIM without raising an obvious error – so a slow decline is caught while it’s still easy to fix.

Four ways DKIM quietly goes wrong

Each selector is tested against the failure modes that matter, and each finding is plain enough to act on or forward to a client without decoding jargon.

  • Weak key length – a key too short to be considered secure today is flagged for an upgrade
  • Deprecated hash – an outdated signing method that receivers increasingly distrust is called out
  • Rotation staleness – a selector that hasn’t been refreshed in too long, or was retired but never removed
  • Tag misconfiguration – a malformed or incorrect setting in the DKIM record itself

Findings that count, not findings that sit in a list

Every DKIM finding feeds directly into your 0–100 security score, so the health of your signing keys shows up in the single number you track rather than buried in a report nobody opens. And because DMARCER watches continuously, any regression – a key downgraded, a selector gone stale, a record broken during a migration – raises an alert the moment it happens, so you act before a receiver stops trusting your mail. See how the score works →

If you run your own domains

You get a standing, complete inventory of your DKIM selectors and an early warning the moment one weakens – without needing an email-security specialist to audit them by hand.

If you manage clients

You keep DKIM healthy across every client from one place, catch regressions as tickets, and show clients their signing posture is being actively maintained, not assumed.

Where this fits in the platform

Continuous monitoring →

The engine that re-checks every selector.

Security score →

How DKIM health rolls into one number.

Alerts & reporting →

Told the moment a selector regresses.

What is DKIM? →

The basics, in plain English.

Is your DKIM actually healthy?

Run a free check to see your selectors and keys – and exactly what needs attention.

Check your domain
Free domain check

Check your domain security

See how your domain's security compares to your competitors.