What Is a DKIM Selector?
DKIM (DomainKeys Identified Mail) lets a domain sign outgoing mail with a cryptographic key. But a domain can — and usually does — sign mail through more than one system at once: Google Workspace, Microsoft 365, a marketing ESP, a transactional API. Each of those needs its own key pair, and receivers need a way to know which public key to fetch for a given message.
That's what the selector solves. Per RFC 6376 §3.1, "to support multiple concurrent public keys per signing domain, the key namespace is subdivided using 'selectors'." The selector is just a label — google, selector1, s1, mandrill — that gets combined with your domain to form the DNS hostname where the matching public key lives.
You'll see the selector appear in the s= tag of every signed message's DKIM-Signature header, alongside the domain (d= tag). A receiving server reads both, builds the lookup hostname, fetches the TXT record, and uses the public key inside to verify the signature.
Because selectors are just labels, they're also how key rotation works without downtime: publish a new key under a new selector, switch your signing system to use it, and retire the old selector once you're confident nothing is still referencing it.
How the Selector Maps to a DNS Record
The construction rule is fixed by the spec. Per RFC 6376 §3.6.2.1, all DKIM keys live under a subdomain named _domainkey. Given a d= tag of example.com and an s= tag of foo.bar, the DNS query is for foo.bar._domainkey.example.com.
google._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."
That record's v=DKIM1 tag identifies the DKIM version, k=rsa the key algorithm, and p= the base64-encoded public key. If the record at that exact hostname doesn't exist, verification fails immediately — there's no fallback lookup.
Selectors can also contain periods for administrative grouping. RFC 6376 §3.1 gives the example march2005.reykjavik, which resolves to march2005.reykjavik._domainkey.example.com — useful if you want selectors to encode a rotation date or region.
Common Selectors by Provider
Most mail platforms use a fixed, predictable selector (or pair of selectors) rather than letting you choose one freely.
| Provider | Default Selector(s) | Record Type | Notes |
|---|---|---|---|
| Google Workspace | google | TXT | google2 selector used during advanced/rotated setups |
| Microsoft 365 | selector1, selector2 | CNAME → Microsoft-hosted TXT | Two selectors enable rotation with zero DNS changes |
| Amazon SES | 3 auto-generated selectors (random strings) | CNAME | Provided at domain verification; all 3 CNAMEs required |
| Mailchimp | k1, k2 | CNAME | k2 used after key rotation |
| SendGrid | s1, s2 | CNAME | Rotates automatically every 6 months by default |
| Mandrill | mandrill | TXT | Single fixed selector |
| Postmark | pm | CNAME | Selector fixed per Postmark server |
This table interprets as: if you're not sure which selector your provider uses, check this list first — it resolves most lookups without needing the email header at all.
How to Find Your DKIM Selector
Method 1 — Read a sent email's headers. Send yourself a test message from the platform in question, view its raw source ("Show original" in Gmail, "View message source" in Outlook), and find the DKIM-Signature header. The value after s= — up to the next semicolon — is the selector.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
s=google; h=from:to:subject:date; bh=...; b=...
Here the selector is google. Run this through our Email Header Analyzer if you'd rather not parse raw headers by hand.
Method 2 — Check the provider's admin panel. Most ESPs display the exact selector and DNS records to publish under domain/sending authentication settings — this is the source of truth if you haven't sent a signed message yet.
Method 3 — Guess from the common-selector table above, then confirm with a direct DNS query (next section). Fast for known providers, but Method 1 is the only way to be certain if selectors have been customized or rotated.
How to Test a DKIM Selector
Once you have a candidate selector, confirm the DNS record actually resolves and contains a valid key.
# Query the DKIM TXT record directly
dig TXT google._domainkey.example.com +short
# Alternative using nslookup
nslookup -type=TXT google._domainkey.example.com
A healthy response returns a single TXT string starting with v=DKIM1. No answer, an empty response, or a NXDOMAIN means the selector is wrong, unpublished, or hasn't propagated yet — check propagation status with the DNS Lookup tool, or run the domain and selector directly through our DKIM Checker for a pass/fail readout plus key-syntax validation.
Fixing "DKIM Selector Not Found"
This is the most common DKIM error, and it almost always traces back to one of four causes:
-
The selector was never published. Some platforms generate the key pair but require a manual step to add the DNS record — check the provider's setup docs, not just the dashboard status.
-
DNS hasn't propagated yet. New TXT/CNAME records can take minutes to hours to be visible everywhere. Re-check after the TTL window has passed.
-
A typo in the record name. The hostname must be exact:
selector._domainkey.domain.com, notselector.domainkey.domain.comor_domainkey.selector.domain.com. One missing underscore breaks the lookup silently. -
The record was deleted during a DNS migration. Changing nameservers or registrars without re-adding every DKIM CNAME/TXT is the single most common cause of DKIM breaking after a domain move.
Diagnose by pulling the exact selector from a real signed message (Method 1 above), then querying that exact hostname with dig. If the query returns nothing, the fix is publishing (or republishing) the record at your DNS provider — not changing the selector itself.
Selector Rotation Best Practices
RFC 6376 §3.1 is explicit about the risk here: "Reusing a selector with a new key... makes it impossible to tell the difference between a message that didn't verify because the key is no longer valid and a message that is actually forged. For this reason, Signers are ill-advised to reuse selectors for new keys."
In practice, that means:
-
Never overwrite an old selector's key in place. Publish the new key under a new selector name, switch signing over to it, then retire the old one only after mail flow using it has fully drained.
-
Use two-selector rotation where the provider supports it. Microsoft 365's
selector1/selector2pattern lets you flip signing between two pre-published records with zero DNS changes — the safest rotation model available. -
Rotate on a schedule, not just after a suspected compromise. A yearly rotation cadence is a reasonable default for most domains; providers like SendGrid automate this every 6 months.
-
Verify before you cut over. Confirm the new selector's TXT record resolves cleanly before pointing your signing system at it — a broken new key fails identically to a missing one.
Stop checking manually. DNSnexus Monitor watches your DNS records, SSL expiry, email auth, and blacklist status — and alerts you before things break. Free tier covers one domain.
Key Takeaways
- ✓ A DKIM selector is the
s=tag value that maps to the DNS recordselector._domainkey.yourdomain.com(RFC 6376 §3.6.2.1). - ✓ Google Workspace defaults to
google; Microsoft 365 usesselector1/selector2; check your provider's docs if unsure. - ✓ Find your live selector from a sent email's
DKIM-Signatureheader — it's the only fully reliable method. - ✓ "Selector not found" is almost always a missing, unpropagated, or mistyped DNS record — not a code problem.
- ✓ Never reuse a selector for a new key; RFC 6376 explicitly warns this breaks forgery detection.
Frequently Asked Questions
Q: What is a DKIM selector in simple terms?
It's a label, like google or selector1, that tells receiving mail servers which DNS TXT record holds the public key needed to verify a message's DKIM signature.
Q: How do I find my domain's DKIM selector?
Send yourself a test email, open the raw headers, and read the s= value in the DKIM-Signature line — that's your active selector.
Q: Why does my DKIM check say "selector not found"?
The DNS record at selector._domainkey.yourdomain.com doesn't exist yet, hasn't propagated, or has a typo in the hostname — publish or fix it at your DNS provider.
Q: What DKIM selector does Google Workspace use?
google by default, with google2 available for rotated or advanced setups, per Google's DKIM authentication documentation.
Q: What DKIM selectors does Microsoft 365 use?
selector1 and selector2, published as CNAME records pointing to Microsoft-hosted TXT records — this pair enables key rotation without any DNS changes.
Q: Can I choose my own DKIM selector name?
Only if you're self-managing DKIM signing (e.g. via OpenDKIM). Most hosted providers (Google, Microsoft, SES, SendGrid) assign fixed selector names you can't rename.
Q: Is it safe to reuse a DKIM selector after rotating keys?
No. RFC 6376 warns that reusing a selector for a new key makes it impossible to distinguish an expired-key failure from an actual forgery — always rotate to a new selector name.
Next Steps
Pull your domain's exact selector from a real signed email using the Email Header Analyzer, then confirm the DNS record resolves cleanly with the DKIM Checker or a direct DNS Lookup. For the full DKIM setup and key-rotation model beyond just selectors, read DKIM Explained. Since DKIM alignment feeds directly into DMARC, pair this with SPF Record Generator and DMARC Explained to close out full email authentication for your domain. If you're publishing the selector's TXT record on Cloudflare, see How to Add a TXT Record in Cloudflare for the exact dashboard steps.