DKIM Selector

Security Glossary - Email Authentication

Definition: A DKIM selector is a string used to locate the DKIM public key in DNS. The public key is published as a TXT record at selector._domainkey.yourdomain.com. Different email services use different selectors, allowing multiple DKIM key pairs to coexist for the same domain.

Why You Should Care About DKIM Selector

Selectors allow a domain to use multiple DKIM keys simultaneously, which is essential when you use multiple email services. Google Workspace might use selector google, SendGrid might use selector s1, and your marketing platform might use selector mktg. Each service signs with its own private key and specifies its selector in the DKIM-Signature header so receivers know which public key to verify against.

Selectors also enable key rotation without downtime. You can publish a new key under a new selector, configure your email server to sign with the new key, and then remove the old selector's DNS record after a transition period. This prevents verification failures during the switchover.

When setting up DKIM, your email provider tells you the selector name and the corresponding DNS record to publish. If you change providers, you need to add the new provider's selector and remove the old one. Dangling DKIM records for decommissioned services do not cause delivery problems but should be cleaned up.

Checking Your Setup

A DNS health checker queries DKIM selectors for common email providers associated with your domain. You can also test specific selectors by looking up selector._domainkey.yourdomain.com as a TXT record.
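The following Python sketch is an added example, not DomainOptic's code. It reads the s= (selector) and d= (domain) tags from each DKIM-Signature header of a message, builds the TXT record name to look up, and classifies a key record's value. The sample message, the example.com domain, and the function names are constructed for illustration; the empty p= case follows RFC 6376, where it marks a revoked key.

```python
import email
from email import policy

# Constructed sample message (not real mail); bh= and b= are placeholders.
SAMPLE_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
\ts=s1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google;
\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: alice@example.com
To: bob@example.net
Subject: test

body
"""

def parse_tags(value):
    """Split a DKIM tag=value list (header or TXT record) into a dict."""
    tags = {}
    for part in value.split(";"):
        # Split on the first "=" only, so base64 padding in values survives.
        name, sep, val = part.partition("=")
        if sep:
            # Drop folding whitespace from the value (safe for s=, d=, p=).
            tags[name.strip()] = "".join(val.split())
    return tags

def selector_lookups(raw_message):
    """Return the DNS name to query (as TXT) for each DKIM-Signature header."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    names = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(header))
        if "s" in tags and "d" in tags:
            names.append(f"{tags['s']}._domainkey.{tags['d']}")
    return names

def key_record_status(txt_value):
    """Classify a key TXT value: 'active', 'revoked' (empty p=) or 'invalid'."""
    tags = parse_tags(txt_value)
    if "p" not in tags:
        return "invalid"
    return "active" if tags["p"] else "revoked"

if __name__ == "__main__":
    for name in selector_lookups(SAMPLE_MESSAGE):
        print("query TXT:", name)
```

A message relayed through more than one service can carry several DKIM-Signature headers, which is why the function returns a list of names rather than a single one.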

Questions and Answers

How do I find my DKIM selector?

Check your email provider's documentation or admin panel. You can also find it by sending a test email and examining the DKIM-Signature header, which includes an s= field containing the selector name. Google Workspace typically uses selectors like google or 20230601.

Can I choose any selector name?

Most email providers assign a fixed selector name. If you run your own mail server, you can choose any string. Common conventions include the provider name, date-based names for key rotation, or simple identifiers like s1, s2.