POST /v1/dns-security/dkim-check

DKIM Check API - Look Up DomainKeys DNS Records

Queries DNS for {selector}._domainkey.{domain} TXT records. If no selector is given, tries common fallbacks: default, google, s1, k1. Returns the raw DKIM record, the selector that matched, the key type (rsa by default), and an approximate public-key bit length parsed from the base64-encoded p= tag.

Parameters

domain (string, required)

Domain to inspect.

selector (string)

DKIM selector. Defaults to trying default, google, s1, k1.

Code examples

curl -X POST https://api.botoi.com/v1/dns-security/dkim-check \
  -H "Content-Type: application/json" \
  -d '{"domain":"stripe.com","selector":"google"}'

When to use this API

Verify DKIM before sending from a new domain

After adding the DKIM TXT record in your DNS provider, call this endpoint to confirm propagation. This avoids the "sent 10,000 mails before realizing DKIM was missing" problem.

Audit email authentication posture across domains

For each domain your company owns, check has_dkim and the key length. Keys under 1024 bits are considered weak and should be rotated to 2048-bit RSA or ed25519.

Diagnose deliverability complaints

When a customer reports "emails landing in spam", pull DKIM + SPF + DMARC for their domain in one glance. Missing or misconfigured DKIM is one of the top three causes.

Frequently asked questions

What if I don't know the selector?
Leave selector empty. The endpoint tries default, google, s1, and k1 automatically. Google Workspace uses "google"; Amazon SES uses random selectors; Mailchimp uses "k1" and "k2". If none match, has_dkim is false.
How is key_type detected?
Parsed from the k= tag in the record. Missing k= defaults to "rsa" per RFC 6376. ed25519 keys are indicated explicitly.
Is public_key_length exact?
It is approximate. The base64-encoded p= value is decoded and the bit length estimated from the DER encoding overhead. The value is accurate to within a few bits for standard RSA keys; ed25519 keys always read ~256 bits.
Can a domain have multiple selectors?
Yes. Production setups rotate selectors for key rollover, and third-party services (ESPs, transactional senders) use their own selectors on your domain. Call this endpoint once per selector.
Does DKIM alone guarantee deliverability?
No. DKIM proves the sender controls the domain's signing key. Deliverability depends on DKIM + SPF alignment under DMARC plus sender reputation. Use /v1/dns-security/dmarc-check and /v1/dns-security/spf-check for the full picture.
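
An added example, not the API's own code: a local Python check that parses a DKIM TXT record, defaults k= to rsa, reads the exact RSA modulus size from the DER in p= instead of estimating it, and applies the 1024-bit threshold from the audit use case. It goes slightly beyond the page by accepting both SubjectPublicKeyInfo and bare RSAPublicKey encodings and by reporting an empty p= as revoked (RFC 6376); the function names and sample records are constructed for illustration, and ed25519 is assumed to carry a raw 32-byte key.

```python
import base64

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(der_bytes):
    """Exact RSA modulus size from a SubjectPublicKeyInfo or a bare RSAPublicKey."""
    _, pos, _ = tlv(der_bytes, 0)                  # outer SEQUENCE
    tag, start, end = tlv(der_bytes, pos)
    if tag == 0x30:                                # SPKI: AlgorithmIdentifier comes first
        _, bit_start, _ = tlv(der_bytes, end)      # BIT STRING wrapping RSAPublicKey
        _, pos, _ = tlv(der_bytes, bit_start + 1)  # +1 skips the unused-bits byte
        tag, start, end = tlv(der_bytes, pos)      # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(der_bytes[start:end], "big").bit_length()

def audit(record):
    """Return (key_type, bits, verdict) for one DKIM TXT record."""
    pairs = (part.partition("=") for part in record.split(";"))
    tags = {name.strip(): "".join(value.split()) for name, _, value in pairs}
    key_type = tags.get("k", "rsa")                # RFC 6376: missing k= means rsa
    if not tags.get("p"):
        return key_type, 0, "revoked"              # RFC 6376: empty p= is a revoked key
    raw = base64.b64decode(tags["p"])
    bits = len(raw) * 8 if key_type == "ed25519" else rsa_bits(raw)
    return key_type, bits, "weak" if key_type == "rsa" and bits < 1024 else "ok"

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed samples."""
    n, width = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + size + body

def sample_rsa_record(bits):
    """Constructed input: well-formed SPKI around a made-up modulus, not a usable key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for rec in (sample_rsa_record(2048), sample_rsa_record(512), "v=DKIM1; k=rsa; p="):
        print(audit(rec))
```

To audit a real domain, pass audit() the TXT value published at {selector}._domainkey.{domain}.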

Get your API key

Free tier includes 5 requests per minute with no credit card required. Upgrade for higher limits.