How to Find DKIM Selectors for Any Domain
DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that an email was sent by an authorized server and was not tampered with in transit. Each DKIM signature references a selector that points to the public key in DNS. To verify or troubleshoot DKIM, you first need to know which selectors a domain uses.
Discover DKIM selectors automatically
Use our free DKIM Finder tool to scan for known DKIM selectors and retrieve the public keys for any domain.
Step 1: Check Email Headers
The most reliable way to find a DKIM selector is to inspect the headers of an email sent from the domain. In Gmail, click the three dots and select "Show original." Look for the DKIM-Signature header:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com;
s=selector1; c=relaxed/relaxed;
h=from:to:subject:date; bh=...; b=...The s= tag contains the selector. In this example, the selector is selector1.
Step 2: Use the DKIM Finder Tool
If you do not have an email to inspect, use the DKIM Finder tool. It tests hundreds of common selectors used by popular email providers including:
- Google Workspace:
google,20230601 - Microsoft 365:
selector1,selector2 - Mailchimp:
k1,k2 - SendGrid:
s1,s2 - Amazon SES:
224i4yxa5dv7c2xz3...dkim.amazonses.com
Step 3: Look Up the DKIM Public Key
Once you know the selector, query the DKIM DNS record directly:
dig selector1._domainkey.example.com TXT +shortThe result should contain a v=DKIM1 record with the public key. If the query returns nothing, the selector is wrong, the record is missing, or it has not propagated yet. Verify with the DKIM Checker for a detailed analysis.
Step 4: Verify All Active Selectors
If your domain uses multiple email services, each one typically has its own DKIM selector. Check email headers from each service to collect all active selectors. Verify each one resolves correctly in DNS. Old selectors from decommissioned services can be removed to keep your DNS clean.
Step 5: Rotate Selectors Periodically
Best practice is to rotate DKIM keys every 6 to 12 months. Use a new selector for the new key (e.g., switch from s202601 to s202607). Publish the new key, update your mail server to sign with it, and remove the old DNS record after a transition period. The DKIM Finder can confirm both old and new selectors are active during the transition.
Frequently Asked Questions
What is a DKIM selector?
A DKIM selector is a string used to locate the DKIM public key in DNS. It is published as a TXT record at selector._domainkey.example.com. Different selectors allow a domain to use multiple DKIM keys, for example one per email service provider.
Can a domain have multiple DKIM selectors?
Yes, a domain can have unlimited DKIM selectors. This is common when using multiple email services. For example, Google Workspace might use google as a selector while a marketing platform uses mktg. Each service signs with its own key and selector.
How do I find the DKIM selector if I don't know it?
The easiest way is to check the DKIM-Signature header in a received email. Look for the s= tag, which contains the selector. You can also use the DKIM Finder tool that tests common selectors, or check your email provider's documentation.