DKIM Selectors — What They Are and How to Use Them
What is a DKIM selector
A DKIM selector is a text identifier that links the digital signature in an email to the corresponding public key in DNS. Without a selector, the recipient wouldn't know which key to use for verification.
The selector appears in two places:
- In the email header as the
s=tag withinDKIM-Signature— tells the recipient which key to look up. - In DNS as part of the TXT record name in the format
{selector}._domainkey.{domain}— contains the actual public key.
A single domain can have any number of selectors. Each selector points to a different key pair, enabling multiple sending services and seamless key rotation.
How selectors work in practice
The entire process is automatic and transparent to both senders and recipients.
Signing the email
- The sending server selects a selector (e.g.,
mail2024) and its corresponding private key. - It computes a hash of the message body and selected headers.
- It signs the hash with the private key and inserts the result into the
DKIM-Signatureheader:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail2024;
h=from:to:subject:date; bh=...; b=...
Verifying the signature
- The receiving server reads the domain (
d=example.com) and selector (s=mail2024) from theDKIM-Signatureheader. - It queries DNS for the TXT record at
mail2024._domainkey.example.comto retrieve the public key. - It verifies the signature using the public key — if it matches, DKIM passes.
If the DNS record for the given selector doesn't exist or contains an error, verification fails.
How to find a domain's DKIM selector
Selectors aren't publicly advertised — you find them in the headers of received emails.
From email headers
Open the source of any email from the domain and look for the DKIM-Signature header. The s= tag value is the selector:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google;
h=from:to:subject:date:mime-version; bh=...; b=...
In this example, the selector is google — typical for Google Workspace.
Via DNS query
If you know the selector, you can verify the key directly:
dig google._domainkey.example.com TXT +short
The response should contain a record starting with v=DKIM1; k=rsa; p=.... If DNS returns nothing, the selector doesn't exist or is incorrect.
Common provider selectors
Each email provider uses its own naming convention for selectors:
| Provider | Typical selector | DNS record |
|---|---|---|
| Google Workspace | google |
google._domainkey.example.com |
| Microsoft 365 | selector1, selector2 |
selector1._domainkey.example.com (CNAME) |
| Mailchimp | k1 |
k1._domainkey.example.com |
| SendGrid | s1, s2 |
s1._domainkey.example.com |
| Amazon SES | generated hash | depends on configuration |
Microsoft 365 creates two selectors (selector1 and selector2) by default to enable automatic key rotation. Google Workspace uses the google selector, but you can configure a custom one.
Selector naming conventions
RFC 6376 doesn't prescribe naming rules for selectors. A selector can contain alphanumeric characters and hyphens. It can also consist of multiple parts separated by dots (e.g., march2025.europe). Three approaches work well in practice:
By service
google._domainkey.example.com
mailchimp._domainkey.example.com
helpdesk._domainkey.example.com
Advantage: you can immediately identify which service uses each selector.
By time
mail202601._domainkey.example.com
mail202607._domainkey.example.com
Advantage: easy to track key age and plan rotation schedules.
Combined service and time
google-2026q1._domainkey.example.com
sendgrid-2026q3._domainkey.example.com
A similar approach is described in the M3AAWG DKIM Key Rotation Best Practices — naming that includes service, date, and key length simplifies management and auditing.
Important: never reuse a selector name after deleting its key. If a recipient verifies an older email signed with the original key, verification will fail because DNS returns a different public key. Always create a new, unique name.
Key rotation with selectors
Regular rotation of DKIM keys reduces the risk of private key compromise. Selectors enable rotation without downtime:
Rotation procedure
- Generate a new key pair with a new selector (e.g.,
mail202607). - Publish the new public key in DNS as a TXT record at
mail202607._domainkey.example.com. - Wait for DNS propagation — verify the new record is available (typically within 1 hour).
- Switch signing to the new selector and private key.
- Keep the old DNS record active for at least 7 days — emails signed with the old key that are still in queues will continue to verify.
- Remove the old DNS record after the transition period.
How often to rotate
| Scenario | Recommended frequency |
|---|---|
| Standard domain | Every 6 months |
| Bulk sender (marketing, transactional) | Every 3 months |
| High-risk environment (finance, healthcare) | Monthly |
M3AAWG recommends rotation at least every 6 months. If you're using 1024-bit keys, rotate more frequently or upgrade to 2048-bit keys — RFC 8301 strongly recommends a minimum of 2048 bits for senders.
Multiple selectors for different services
If your domain sends email from multiple services (corporate mail server, marketing platform, helpdesk, CRM), each service should have its own selector and key pair.
Example DNS configuration for example.com:
; Corporate email (Google Workspace)
google._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."
; Marketing (Mailchimp)
k1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0G..."
; Helpdesk (Freshdesk)
freshdesk._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."
Benefits of separate selectors:
- Isolation: compromising one service's key doesn't affect the others.
- Independent rotation: you can rotate each service on its own schedule.
- Diagnostics: DMARC reports make it easy to identify which service has a signing problem.
Common selector mistakes
Selector doesn't exist in DNS
The most common error — the selector in DKIM-Signature has no corresponding DNS record. The recipient returns a permerror result. Verify that the selector name in your server configuration exactly matches the DNS record.
Selector and key mismatch
After key rotation, the server may sign with a new key while DNS still contains the old public key under a different selector. Verify that the server uses the selector matching the current DNS record.
Too many active selectors
A DNS zone with dozens of DKIM selectors becomes unwieldy and error-prone. Keep a maximum of 2–3 active selectors per service and remove old records after rotation.
Unrevoked compromised key
If you suspect a private key has been compromised, act immediately:
- Generate a new key pair with a new selector.
- Switch signing to the new key.
- Either delete the old DNS record or set an empty
p=value — this explicitly revokes the key.
Checking your domain's selectors
For a systematic check of your DKIM selectors:
- Verify your DKIM record with our analyzer for each selector you use.
- Confirm that all services sending email on behalf of your domain have working DKIM signing.
- Check key lengths — they should be at least 2048 bits.
- Check your complete domain security including SPF and DMARC.
Regular monitoring of DKIM selectors and keys is part of email authentication maintenance. A one-time setup isn't enough — keys age, services change, and configurations can break during migrations or updates.
