DKIM Selectors: How to Find and Manage Your Email Signing Keys
DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that email messages have not been altered in transit. The selector is the key piece that tells receiving servers where to find the public key in your DNS. This guide covers everything you need to know about DKIM selectors — how they work, how to find them, and how to manage key rotation.
What Is a DKIM Selector?
A DKIM selector is a string that identifies a specific DKIM public key published in your domain's DNS. When an email server signs an outgoing message with DKIM, it includes the selector in the DKIM-Signature header. The receiving server then uses this selector to look up the corresponding public key and verify the signature.
The DNS lookup follows a specific pattern: selector._domainkey.domain. For example, if the selector is google and the domain is example.com, the receiving server queries:
google._domainkey.example.com IN TXT
The TXT record at that name contains the DKIM public key. You can look up any DKIM selector using our DKIM Checker tool.
How DKIM Signatures Reference Selectors
Every DKIM-signed email contains a DKIM-Signature header with several tags. The selector is specified by the s= tag:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=example.com; s=google;
    h=from:to:subject:date:message-id;
    bh=base64hash...;
    b=base64signature...
Key tags in the signature:
- d= — The signing domain (e.g., example.com).
- s= — The selector (e.g., google). This tells the receiver which DNS record to query.
- a= — The signing algorithm (rsa-sha256 or ed25519-sha256).
- h= — The headers included in the signature.
- b= — The actual cryptographic signature.
- bh= — The hash of the message body.
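The lookup a receiver derives from these tags can be reproduced offline. The following is an added example, not code from the original guide: it unfolds the headers, parses every DKIM-Signature tag list, and builds the selector._domainkey.domain query name. The sample headers, the second selector and the function names are constructed for illustration.

```python
import re

# Constructed sample headers (not from a real message), folded across lines
# the way mail servers emit long header fields.
RAW_HEADERS = (
    "Received: from mail.example.com by mx.example.net; Mon, 6 Apr 2026 10:00:00 +0000\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "\td=example.com; s=google;\r\n"
    "\th=from:to:subject:date:message-id;\r\n"
    "\tbh=Zm9v YmFy; b=c2ln bmF0 dXJl\r\n"
    "DKIM-Signature: v=1; a=ed25519-sha256; d=example.com; s = 202604;\r\n"
    " h=from:to; bh=Zm9v; b=c2ln\r\n"
    "From: Alice <alice@example.com>\r\n"
)

def unfold(raw):
    """Join folded header lines; continuation lines start with space or tab."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def parse_tag_list(value):
    """Parse a DKIM tag=value list; whitespace inside b= and bh= is removed."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            name, val = name.strip(), val.strip()
            tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val
    return tags

def dkim_lookups(raw_headers):
    """Return (selector, domain, DNS name) for each DKIM-Signature header."""
    found = []
    for line in unfold(raw_headers).splitlines():
        if not line:  # blank line: end of the header block, body follows
            break
        field, _, value = line.partition(":")
        if field.strip().lower() != "dkim-signature":
            continue
        tags = parse_tag_list(value)
        if "s" in tags and "d" in tags:  # both are required to build the query
            found.append((tags["s"], tags["d"], f"{tags['s']}._domainkey.{tags['d']}"))
    return found

if __name__ == "__main__":
    for selector, domain, qname in dkim_lookups(RAW_HEADERS):
        print(f"s={selector} d={domain} -> query TXT {qname}")
```

A message can carry more than one DKIM-Signature header, so each one is reported separately.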
Common Selector Names by Email Provider
Different email providers use different default selector names. Knowing these is essential when troubleshooting DKIM issues or when you need to find which selectors a domain uses. Here are the most common ones:
- Google Workspace (Gmail): google (default). Custom selectors possible via Admin Console. Published as a CNAME to google._domainkey.googlehosted.com.
- Microsoft 365 (Outlook): selector1 and selector2. Published as CNAMEs to selector1-domain-com._domainkey.tenant.onmicrosoft.com.
- Amazon SES: xxxxxxxxxx (auto-generated unique strings). Three CNAME records are created during setup.
- Mailchimp: k1 (default). Published as a CNAME record.
- SendGrid: s1 and s2. Published as CNAME records.
- Zoho Mail: zoho or zmail. Published as TXT records.
- Proton Mail: protonmail, protonmail2, protonmail3. Published as CNAME records.
- Postfix/custom servers: Common choices include default, mail, dkim, or date-based selectors like 202604.
Finding Unknown DKIM Selectors
If you do not know which selectors a domain uses, there are several approaches to discover them:
- Check email headers. Open a message from the domain, view the raw headers, and look for the DKIM-Signature header. The s= tag contains the selector.
- Use a DKIM finder tool. Our DKIM Finder automatically scans common selector names for any domain and reports which ones have valid DKIM records published.
- Try common names. Query DNS for known selector names: google._domainkey.domain, selector1._domainkey.domain, default._domainkey.domain, etc.
- Send yourself an email. If you control the domain, send a test email and inspect the headers of the received message.
Note that DKIM selectors are not secret. They are published in DNS and included in every signed email header. Knowing a selector does not compromise security — the private key used for signing is never exposed.
Why Multiple Selectors Matter
A domain can (and often should) have multiple DKIM selectors. There are several reasons for this:
- Multiple email services. If you use Google Workspace for corporate email, SendGrid for transactional email, and Mailchimp for marketing, each service needs its own selector with its own key pair.
- Key rotation. When rotating keys, you publish the new key with a new selector before switching the signing server. This ensures there is no gap where signed messages cannot be verified.
- Testing. You can use a separate selector for test environments without affecting production email signatures.
DKIM Key Rotation Best Practices
DKIM keys should be rotated periodically to limit the impact of a potential key compromise. Here is the recommended rotation process:
- Generate a new key pair. Use our DKIM Generator to create a new RSA (2048-bit) or Ed25519 key pair.
- Publish the new key with a new selector. Add a new DNS TXT record at newselector._domainkey.domain. Wait for DNS propagation (check with our propagation checker).
- Update the signing server. Configure your mail server to sign outgoing messages with the new selector and private key.
- Keep the old key active. Messages signed with the old selector may still be in transit or in recipients' inboxes. Keep the old DNS record published for at least 7 days.
- Remove the old key. After the grace period, delete the old selector's DNS record.
Recommended rotation frequency: every 6–12 months for RSA keys, or whenever you suspect a key may have been compromised. Ed25519 keys are shorter and faster but equally important to rotate. Learn more about DKIM configuration in our DKIM Setup Guide.
DKIM Selector Security Considerations
While DKIM selectors themselves are not sensitive, the keys they reference have security implications:
- Use 2048-bit RSA keys minimum. 1024-bit keys are considered weak and can be factored with sufficient computing resources. Always use 2048-bit or Ed25519 keys.
- Protect private keys. The DKIM private key should be stored securely on the mail server with restricted file permissions. Never share private keys via email or unencrypted channels.
- Monitor for unauthorized selectors. Periodically scan your domain's DNS for unexpected DKIM selectors. An attacker who gains access to your DNS could add a DKIM key and sign spoofed emails that pass authentication.
- Align with DMARC. Ensure your DMARC policy is set to enforce alignment between the DKIM signing domain and the From header domain.
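An added example (not part of the original guide or any provider's tooling) for the key-size and monitoring points above: it audits key records against the selectors you expect and flags unexpected selectors, RSA keys under 2048 bits, and keys revoked with an empty p= tag. The selector names and records are constructed stand-ins for DNS answers, and the sample keys are structurally valid but not usable.

```python
import base64

RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption AlgorithmIdentifier

def der(tag, body):  # DER-encode one element; only used to build the samples
    n, nlen = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 128 else bytes([0x80 | nlen]) + n.to_bytes(nlen, "big")
    return bytes([tag]) + size + body

def sample_record(bits):  # constructed record with an RSA modulus of `bits` bits
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 sign byte
    rsa_key = der(0x30, der(0x02, n) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, RSA_ALG + der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def read_tlv(buf, pos=0):  # return (value, next_pos) of the DER element at pos
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(spki):  # modulus size in bits of an RSA SubjectPublicKeyInfo
    outer, _ = read_tlv(spki)              # SubjectPublicKeyInfo SEQUENCE
    _, after_alg = read_tlv(outer)         # skip AlgorithmIdentifier
    bit_string, _ = read_tlv(outer, after_alg)
    rsa_key, _ = read_tlv(bit_string[1:])  # drop the unused-bits byte
    return int.from_bytes(read_tlv(rsa_key)[0], "big").bit_length()  # first INTEGER is n

def audit(records, expected):  # records: selector -> key record text
    report = {}
    for selector, txt in records.items():
        pairs = (t.split("=", 1) for t in txt.split(";") if "=" in t)
        tags = {k.strip(): v.strip() for k, v in pairs}
        findings = [] if selector in expected else ["unexpected selector"]
        p = tags.get("p", "").replace(" ", "")
        if not p:
            findings.append("revoked (empty p=)")
        elif tags.get("k", "rsa") == "rsa" and rsa_bits(base64.b64decode(p)) < 2048:
            findings.append("RSA key under 2048 bits")
        report[selector] = findings
    return report

# Constructed stand-ins for the TXT answers a DNS lookup would return
RECORDS = {"google": sample_record(2048), "legacy": sample_record(1024),
           "old2025": "v=DKIM1; k=rsa; p=", "x9": sample_record(2048)}
EXPECTED = {"google", "legacy", "old2025"}

if __name__ == "__main__":
    print(audit(RECORDS, EXPECTED))
```

In practice the records dictionary would be filled from DNS queries for each selector name you track, with the expected set taken from your own inventory of signing services.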