What is DNS propagation?

DNS propagation is the time it takes for a DNS record change to be visible to resolvers worldwide. Each resolver caches records for the duration of the record's TTL (time to live). Until that cache expires, the resolver returns the old answer: which is why a new record can be live at one resolver and stale at another for minutes to days.

How long does DNS propagation take?

Most propagation completes within minutes to a few hours. The upper bound is the record's TTL: commonly 300 seconds (5 minutes) to 86400 seconds (24 hours). Some ISP resolvers ignore short TTLs and cache for longer, which is why a small number of resolvers can lag for a day or more.

Why do different DNS resolvers show different results?

Each resolver caches independently. When you change a DNS record, resolvers that already had the old record cached will keep serving it until their TTL expires, while resolvers that had no cached entry fetch the new record immediately. Geo-aware DNS (GeoDNS) can also legitimately return different answers to resolvers in different regions.

What is a TTL in DNS?

TTL (time to live) is the number of seconds a resolver is allowed to cache a DNS record before re-fetching it from the authoritative server. Lower TTLs mean faster propagation but more queries; higher TTLs mean slower propagation but better performance and lower load.

How does WhereIsDNS check propagation?

WhereIsDNS sends DNS-over-HTTPS (DoH) queries to 14 public resolvers in parallel: Cloudflare, Google, Quad9, OpenDNS, AdGuard, NextDNS, Yandex, AliDNS, DNSPod, CleanBrowsing, Mullvad, ControlD, Hurricane Electric, and DNS4EU. Results stream in as each resolver responds. The consensus row tells you how many resolvers agree.

Yes, completely free with no signup. The site is supported by unobtrusive Google AdSense ads.

DKIM Check

Check DKIM public keys for any domain + selector. We query ._domainkey. automatically across 14 DNS resolvers.

What is DKIM?

DKIM (DomainKeys Identified Mail) is the middle leg of email authentication. The sending mail server signs outgoing messages with a private key; the matching public key is published in DNS. Receivers verify the signature against the published key.

DKIM keys live at <selector>._domainkey.<your domain> as TXT records. You need both the domain and the selector to look one up. Use the two fields above: we'll assemble the query for you.

Finding the selector

Each mail provider uses its own selector. Common ones:

Google Workspace: google (the default, configurable)
Microsoft 365: selector1 and selector2
Mailchimp: k1
SendGrid: typically s1, s2, or a custom one set in the dashboard
Mailgun: mg or a domain-specific selector
Amazon SES: random-looking strings like abc123def456._domainkey

If you don't know the selector, inspect a real message from the provider: the DKIM-Signature header includes s=<selector>.

Anatomy of a DKIM record

A typical DKIM TXT looks like: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB.... The tags:

v=DKIM1: version marker.
k=: key type (rsa by default; ed25519 for newer keys).
p=: the public key itself, base64-encoded.
s=: service type (optional; email is standard).

Common errors and pitfalls

Wrong selector: most common cause of "no record found." Each provider uses different selectors; a Google-only selector won't exist on a Mailchimp-only domain.
Key too long for a single TXT chunk: RSA keys often exceed 255 characters, so they're split across multiple quoted strings. WhereIsDNS reassembles them on display.
Key revoked (p= empty): a DKIM record with no key value is a deliberate "this selector is retired" signal. Mail signed with it will fail.
Wrong record type: DKIM is published as TXT. Some old documentation references type 16 specifically: same thing.

FAQ

Can a domain have multiple DKIM keys?

Yes: one per selector. A domain that sends through Google Workspace + Mailchimp + a custom server can have three DKIM records at three different selector names.

How often should DKIM keys be rotated?

Annual rotation is the conservative recommendation, especially for long-lived RSA keys. Many providers automate this; check whether yours does.

Why does my DKIM-Signature say "fail" but the record exists?

Usually a key mismatch (you re-generated the key but didn't update DNS) or message-body modification (a mailing list footer was appended, breaking the body hash). Compare the p= in DNS to what the sending server actually has.

Background reading

See the DKIM glossary entry, plus SPF and DMARC. The DNS Records Explained guide ties them together.

All record-type lookups

WhereIsDNS has dedicated pages for each common DNS record type. Each one defaults the tool to that record type and includes background on what the record means and what to look for.

A Record Lookup: IPv4 addresses for a hostname
AAAA Record Lookup: IPv6 addresses for a hostname
CNAME Lookup: Aliases pointing one hostname to another
MX Record Lookup: Mail servers for a domain (with priorities)
NS Record Lookup: Authoritative nameservers for a domain
TXT Record Lookup: SPF, DKIM, DMARC, and other text records
SOA Record Lookup: Authority metadata for a DNS zone
CAA Record Lookup: Which CAs may issue certs for the domain
SRV Record Lookup: Service location records (SIP, XMPP, _autodiscover, etc.)
DNSKEY Record Lookup: DNSSEC public keys for a zone
DS Record Lookup: DNSSEC delegation signer at the parent zone
HTTPS Record Lookup: Modern HTTPS service binding (ALPN, ECH, etc.)
SVCB Record Lookup: Generic service binding (RFC 9460)
PTR (Reverse DNS) Lookup: Reverse DNS: IP back to a hostname
DMARC Check: DMARC policy at _dmarc.<domain>
SPF Check: SPF (v=spf1) record on the domain apex
Home (defaults to A records)