Free tool
DKIM Checker.
Check whether your domain has DKIM signing configured, including the Microsoft 365 selectors, along with SPF and DMARC, and get plain-English findings you can act on.
Instant results
No waiting, no signup
Selectors checked
Finds M365 and common ones
SPF and DMARC too
All three protocols
Microsoft 365 aware
selector1 and selector2
What it does
What DKIM actually does.
DKIM signs every email your domain sends with a private key, and publishes the matching public key in DNS. A receiving server uses that public key to check two things: that the email really came from your server, and that nothing in it was changed on the way. It is the part of email authentication that proves a message is genuine, rather than just declaring who is allowed to send.
The catch is that DKIM is often half configured. Microsoft 365 supports it but leaves it off until you publish two selector records and switch it on, and many domains sit signing nothing. Because DKIM is the signal DMARC relies on most, a missing DKIM setup quietly weakens everything above it. The checker looks for your selectors and tells you if signing is actually in place.
Why it matters
The signal DMARC trusts most
DMARC passes when SPF or DKIM aligns with your domain, but DKIM is the more dependable of the two. SPF often breaks when email is forwarded, because the forwarding server is not on your list. A DKIM signature travels with the message, so it survives forwarding. That makes DKIM the control that lets you move a DMARC policy up to reject without losing legitimate email.
A domain with SPF but no DKIM can pass DMARC in simple cases and fail in common ones, which is exactly the kind of intermittent problem that erodes trust in your email. Getting DKIM signing on is one of the highest-value fixes for both security and deliverability.
How to set it up
Getting it on
- 1. Publish the selectors. For Microsoft 365, add the two CNAME records for selector1 and selector2 pointing to Microsoft's signing infrastructure.
- 2. Turn signing on. Enable DKIM for the domain in the Microsoft Defender portal. Both steps are needed before anything is signed.
- 3. Cover other senders. Any other service that sends as your domain (a CRM, a marketing tool) needs its own DKIM set up too.
- 4. Confirm with DMARC. With SPF and DKIM both in place, a DMARC policy can be moved safely toward reject.
Also worth checking: SPF checker, DMARC checker, or the full email security checker.
Common questions
DKIM, answered.
Want SPF, DKIM and DMARC configured properly rather than just checked? Book a Microsoft 365 security review. No obligation.
Book a review →What is a DKIM record?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email your domain sends. Your mail server signs each message with a private key, and the matching public key is published in DNS as a DKIM record. Receiving servers use that public key to confirm the email genuinely came from your server and was not altered on the way. Without DKIM, there is no way for a recipient to verify either of those things.
What is a DKIM selector?
A selector is a label that points to a specific DKIM public key in your DNS, so a domain can run more than one key at once and rotate them without breaking email. The DKIM record lives at selector._domainkey.yourdomain. Microsoft 365 uses two selectors, selector1 and selector2, which is how it rotates keys automatically. The checker above looks for the Microsoft 365 selectors as well as common ones.
How do I enable DKIM in Microsoft 365?
Microsoft 365 includes DKIM signing for your custom domain, but it is off by default. You publish two CNAME records (selector1._domainkey and selector2._domainkey) pointing to Microsoft's signing infrastructure, then switch DKIM on for the domain in the Microsoft Defender portal. Until you do both, your Microsoft 365 email is not DKIM signed, which weakens your DMARC protection.
Do I need SPF and DMARC as well?
Yes. DKIM proves a message was not tampered with and came from your server, but on its own it does not tell receiving servers what to do with email that fails. SPF defines who can send as you, and DMARC ties SPF and DKIM together with a policy and reporting. The three work as a set, which is why the checker looks at all of them together.
Why does DMARC need DKIM to work well?
DMARC passes when either SPF or DKIM aligns with your domain, but DKIM is the more reliable of the two, because it survives email being forwarded whereas SPF often does not. A DMARC policy with no DKIM in place is considerably weaker, and legitimate email is more likely to fail. Getting DKIM signing on is one of the highest-value steps toward a DMARC policy you can safely set to reject.
Is this DKIM checker free?
Yes, the checker is free and needs no signup. If you want SPF, DKIM and DMARC configured and tested for your domain rather than just checked, IronSights does that as part of a Microsoft 365 security review. No obligation to go further after using the tool.