Skip to main content
DNSnexus
Free Developer Tools
DNS
Email
Network
Webmaster
Security
IP
Guides
Live Tools
60+
Categories
6
Result URLs
Shareable
Availability
24/7
DNSnexus
Free Developer Tools
Free DNS, email, network, and security diagnostics with crawlable tool pages and shareable result URLs.
Run DNS CheckBrowse All Tools
Popular Tools
DNS Propagation CheckerDNS LookupWHOIS LookupSPF Record CheckerDMARC CheckerSSL Certificate CheckerPort Scanner
Quick Path
Fix Email Deliverability
Quick Path
Troubleshoot DNS Changes
Quick Path
Validate SSL & Open Ports
DNS Tools
A Record LookupAAAA Record LookupCERT LookupCNAME LookupDNS CheckDNS LookupDNS Propagation CheckerDNSKEY LookupDS LookupIPSECKEY LookupLOC LookupNS LookupNSEC LookupNSEC3PARAM LookupReverse DNS LookupRRSIG LookupSOA LookupSRV LookupTXT LookupWHOIS Lookup
Email Tools
BIMI LookupBlacklist CheckDKIM CheckerDMARC CheckerDMARC Report AnalyzerEmail Deliverability ReportEmail Header AnalyzerEmail Health ReportGoogle/Yahoo Compliance CheckerMicrosoft Compliance CheckerMTA-STS LookupMX Record LookupSMTP TestSPF Record Checker
Network Tools
HTTP LookupHTTPS LookupMAC Address GeneratorMAC Address LookupOnline TraceroutePingSubnet Calculator
Webmaster Tools
HTTP Headers CheckSearch Presence CheckWebsite Link AnalyzerWebsite Operating System CheckWebsite Redirect CheckerWhat is My User Agent?
Security Tools
DKIM Record GeneratorDMARC GeneratorDomain DNS Security CheckEmail Security CheckerPort ScannerSPF GeneratorSSL Certificate CheckerWebsite Vulnerability Scanner
IP Tools
ARIN LookupASN LookupIP Blacklist CheckIP Geolocation LookupWhat Is My IP
Company
All Tools DirectoryGuides & PlaybooksAbout DNSnexusContactAPI DocsPrivacy PolicyTerms & ConditionsCookie Policy
© 2026 DNSnexus — DNS, Email, Network & Security Tool Platform
All ToolsAboutContactPrivacyTerms
Home › Guides › Email Authentication › DKIM Selector Explained: Find & Test Your Key
Email Authentication•9 min•Published 2026-03-01

DKIM Selector Explained: Find & Test Your Key

A DKIM selector is the piece of a DKIM signature that tells a receiving mail server exactly which DNS TXT record holds the public key needed to verify the message. Get the selector wrong — publish it at the wrong hostname, or let it fall out of sync with what your mail platform is signing with — and every outgoing message fails DKIM, which drags down DMARC alignment and deliverability with it.

Quick Answer
A DKIM selector is a short label (e.g. google, selector1, s1) that points to the DNS TXT record [selector]._domainkey.[yourdomain].com, where your DKIM public key is published. Find yours by checking the s= tag in a sent email's DKIM-Signature header, then verify it resolves with dig txt selector._domainkey.example.com.

What Is a DKIM Selector?

DKIM (DomainKeys Identified Mail) lets a domain sign outgoing mail with a cryptographic key. But a domain can — and usually does — sign mail through more than one system at once: Google Workspace, Microsoft 365, a marketing ESP, a transactional API. Each of those needs its own key pair, and receivers need a way to know which public key to fetch for a given message.

That's what the selector solves. Per RFC 6376 §3.1, "to support multiple concurrent public keys per signing domain, the key namespace is subdivided using 'selectors'." The selector is just a label — google, selector1, s1, mandrill — that gets combined with your domain to form the DNS hostname where the matching public key lives.

You'll see the selector appear in the s= tag of every signed message's DKIM-Signature header, alongside the domain (d= tag). A receiving server reads both, builds the lookup hostname, fetches the TXT record, and uses the public key inside to verify the signature.

Because selectors are just labels, they're also how key rotation works without downtime: publish a new key under a new selector, switch your signing system to use it, and retire the old selector once you're confident nothing is still referencing it.

How the Selector Maps to a DNS Record

The construction rule is fixed by the spec. Per RFC 6376 §3.6.2.1, all DKIM keys live under a subdomain named _domainkey. Given a d= tag of example.com and an s= tag of foo.bar, the DNS query is for foo.bar._domainkey.example.com.

Code
google._domainkey.example.com.  3600  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."

That record's v=DKIM1 tag identifies the DKIM version, k=rsa the key algorithm, and p= the base64-encoded public key. If the record at that exact hostname doesn't exist, verification fails immediately — there's no fallback lookup.

Selectors can also contain periods for administrative grouping. RFC 6376 §3.1 gives the example march2005.reykjavik, which resolves to march2005.reykjavik._domainkey.example.com — useful if you want selectors to encode a rotation date or region.

Common Selectors by Provider

Most mail platforms use a fixed, predictable selector (or pair of selectors) rather than letting you choose one freely.

ProviderDefault Selector(s)Record TypeNotes
Google WorkspacegoogleTXTgoogle2 selector used during advanced/rotated setups
Microsoft 365selector1, selector2CNAME → Microsoft-hosted TXTTwo selectors enable rotation with zero DNS changes
Amazon SES3 auto-generated selectors (random strings)CNAMEProvided at domain verification; all 3 CNAMEs required
Mailchimpk1, k2CNAMEk2 used after key rotation
SendGrids1, s2CNAMERotates automatically every 6 months by default
MandrillmandrillTXTSingle fixed selector
PostmarkpmCNAMESelector fixed per Postmark server

This table interprets as: if you're not sure which selector your provider uses, check this list first — it resolves most lookups without needing the email header at all.

How to Find Your DKIM Selector

Method 1 — Read a sent email's headers. Send yourself a test message from the platform in question, view its raw source ("Show original" in Gmail, "View message source" in Outlook), and find the DKIM-Signature header. The value after s= — up to the next semicolon — is the selector.

Code
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=google; h=from:to:subject:date; bh=...; b=...

Here the selector is google. Run this through our Email Header Analyzer if you'd rather not parse raw headers by hand.

Method 2 — Check the provider's admin panel. Most ESPs display the exact selector and DNS records to publish under domain/sending authentication settings — this is the source of truth if you haven't sent a signed message yet.

Method 3 — Guess from the common-selector table above, then confirm with a direct DNS query (next section). Fast for known providers, but Method 1 is the only way to be certain if selectors have been customized or rotated.

How to Test a DKIM Selector

Once you have a candidate selector, confirm the DNS record actually resolves and contains a valid key.

Code
# Query the DKIM TXT record directly
dig TXT google._domainkey.example.com +short

# Alternative using nslookup
nslookup -type=TXT google._domainkey.example.com

A healthy response returns a single TXT string starting with v=DKIM1. No answer, an empty response, or a NXDOMAIN means the selector is wrong, unpublished, or hasn't propagated yet — check propagation status with the DNS Lookup tool, or run the domain and selector directly through our DKIM Checker for a pass/fail readout plus key-syntax validation.

Fixing "DKIM Selector Not Found"

This is the most common DKIM error, and it almost always traces back to one of four causes:

  1. The selector was never published. Some platforms generate the key pair but require a manual step to add the DNS record — check the provider's setup docs, not just the dashboard status.

  2. DNS hasn't propagated yet. New TXT/CNAME records can take minutes to hours to be visible everywhere. Re-check after the TTL window has passed.

  3. A typo in the record name. The hostname must be exact: selector._domainkey.domain.com, not selector.domainkey.domain.com or _domainkey.selector.domain.com. One missing underscore breaks the lookup silently.

  4. The record was deleted during a DNS migration. Changing nameservers or registrars without re-adding every DKIM CNAME/TXT is the single most common cause of DKIM breaking after a domain move.

Diagnose by pulling the exact selector from a real signed message (Method 1 above), then querying that exact hostname with dig. If the query returns nothing, the fix is publishing (or republishing) the record at your DNS provider — not changing the selector itself.

Selector Rotation Best Practices

RFC 6376 §3.1 is explicit about the risk here: "Reusing a selector with a new key... makes it impossible to tell the difference between a message that didn't verify because the key is no longer valid and a message that is actually forged. For this reason, Signers are ill-advised to reuse selectors for new keys."

In practice, that means:

  • Never overwrite an old selector's key in place. Publish the new key under a new selector name, switch signing over to it, then retire the old one only after mail flow using it has fully drained.

  • Use two-selector rotation where the provider supports it. Microsoft 365's selector1/selector2 pattern lets you flip signing between two pre-published records with zero DNS changes — the safest rotation model available.

  • Rotate on a schedule, not just after a suspected compromise. A yearly rotation cadence is a reasonable default for most domains; providers like SendGrid automate this every 6 months.

  • Verify before you cut over. Confirm the new selector's TXT record resolves cleanly before pointing your signing system at it — a broken new key fails identically to a missing one.

Stop checking manually. DNSnexus Monitor watches your DNS records, SSL expiry, email auth, and blacklist status — and alerts you before things break. Free tier covers one domain.

Key Takeaways

  • ✓ A DKIM selector is the s= tag value that maps to the DNS record selector._domainkey.yourdomain.com (RFC 6376 §3.6.2.1).
  • ✓ Google Workspace defaults to google; Microsoft 365 uses selector1/selector2; check your provider's docs if unsure.
  • ✓ Find your live selector from a sent email's DKIM-Signature header — it's the only fully reliable method.
  • ✓ "Selector not found" is almost always a missing, unpropagated, or mistyped DNS record — not a code problem.
  • ✓ Never reuse a selector for a new key; RFC 6376 explicitly warns this breaks forgery detection.

Frequently Asked Questions

Q: What is a DKIM selector in simple terms?

It's a label, like google or selector1, that tells receiving mail servers which DNS TXT record holds the public key needed to verify a message's DKIM signature.

Q: How do I find my domain's DKIM selector?

Send yourself a test email, open the raw headers, and read the s= value in the DKIM-Signature line — that's your active selector.

Q: Why does my DKIM check say "selector not found"?

The DNS record at selector._domainkey.yourdomain.com doesn't exist yet, hasn't propagated, or has a typo in the hostname — publish or fix it at your DNS provider.

Q: What DKIM selector does Google Workspace use?

google by default, with google2 available for rotated or advanced setups, per Google's DKIM authentication documentation.

Q: What DKIM selectors does Microsoft 365 use?

selector1 and selector2, published as CNAME records pointing to Microsoft-hosted TXT records — this pair enables key rotation without any DNS changes.

Q: Can I choose my own DKIM selector name?

Only if you're self-managing DKIM signing (e.g. via OpenDKIM). Most hosted providers (Google, Microsoft, SES, SendGrid) assign fixed selector names you can't rename.

Q: Is it safe to reuse a DKIM selector after rotating keys?

No. RFC 6376 warns that reusing a selector for a new key makes it impossible to distinguish an expired-key failure from an actual forgery — always rotate to a new selector name.

Next Steps

Pull your domain's exact selector from a real signed email using the Email Header Analyzer, then confirm the DNS record resolves cleanly with the DKIM Checker or a direct DNS Lookup. For the full DKIM setup and key-rotation model beyond just selectors, read DKIM Explained. Since DKIM alignment feeds directly into DMARC, pair this with SPF Record Generator and DMARC Explained to close out full email authentication for your domain. If you're publishing the selector's TXT record on Cloudflare, see How to Add a TXT Record in Cloudflare for the exact dashboard steps.

Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.

On this page
  • What Is a DKIM Selector?
  • How the Selector Maps to a DNS Record
  • Common Selectors by Provider
  • How to Find Your DKIM Selector
  • How to Test a DKIM Selector
  • Fixing "DKIM Selector Not Found"
  • Selector Rotation Best Practices
  • Key Takeaways
  • Frequently Asked Questions
  • Next Steps
Related links
Dkim CheckerDns LookupEmail Header AnalyzerSpf CheckerDkim ExplainedSpf Record Generator Guide
Related Tools
MX Record Lookup→Blacklist Check→SMTP Test→SPF Record Checker→