DKIM Selector Explained
A DKIM selector is the label used to tell receivers which DNS record contains the public key needed to verify a DKIM signature. It appears in the DKIM-Signature header after s= and maps to a hostname under _domainkey. Selectors matter because they let domains rotate keys, separate different sending systems, and update DKIM safely without interrupting live mail flow.
One-Minute Fix
Match the selector used in the DKIM-Signature header with a valid DKIM TXT record under the same selector name in DNS.
Header uses: s=selector1
DNS publishes: selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."If the mail header shows s=selector1, the receiver will look for the DKIM public key at selector1._domainkey.example.com.
Re-checkWrong vs correct setup
Wrong setup
Header uses: s=selector1
DNS publishes: selector2._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."This is broken because the selector used in the message does not match the selector published in DNS. The receiver looks in the wrong place and cannot verify the signature.
Correct setup
Header uses: s=selector1
DNS publishes: selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."This is the correct pattern. The selector in the header and the selector in DNS match, so the receiver can retrieve the right public key.
Why this matters
Selectors make DKIM operationally manageable. Instead of replacing a live key in place, a domain can publish a new selector, switch signing to the new one, test it, and later retire the old selector without breaking mail delivery.
Why selectors matter in practice
- They make DKIM key rotation safer.
- They allow multiple mail systems to use different keys.
- They reduce the need for risky in-place key replacement.
- They help large domains manage authentication more cleanly.
How this affects deliverability
Understanding selectors helps prevent operational mistakes that break DKIM. Mailbox providers care whether the selector implementation is stable, valid, and consistent.
Common causes of confusion
- Teams copy DKIM values without understanding what s= means.
- Key rotation happens without documenting old and new selectors.
- Several providers sign mail with different selectors.
- DNS and mail-platform ownership are split across different teams.
What we checked
We reviewed whether the selector used in DKIM aligns with a valid selector record in DNS and whether the basic selector logic appears operationally sound.
Live DNS lookup. No login. No saved domains. No tracking.
FAQ
Can I have more than one DKIM selector?
Yes. Multiple selectors are normal and often used for key rotation or for separate sending systems.
Does changing the selector break mail?
It can if the new selector is not published correctly in DNS before the sender starts using it.
Why not just keep one selector forever?
Because key rotation is a healthy security practice, and selectors make rotation possible without taking mail offline.
Next steps
- Inspect a real DKIM-Signature header and note the selector value.
- Confirm the selector exists under _domainkey in DNS.
- Document which platforms use which selectors.
- Use selectors deliberately during DKIM key rotation.
- Review related DKIM issues if validation still fails.
- Review the full troubleshooting guidance in the DKIM Hub.
- Explore sender authorization issues in the SPF Hub.
- Review alignment and policy issues in the DMARC Hub.