DKIM Selector Mismatch

A DKIM selector mismatch happens when the selector used in the DKIM-Signature header does not match any selector published in DNS. In simple terms, the sender signs with one selector name, but DNS only publishes a DKIM key under another. The receiver builds its lookup hostname from the selector in the header, finds no key there, and cannot verify the signature.

One-Minute Fix

Make the selector in the DKIM-Signature header match the selector hostname that publishes the DKIM public key in DNS.

What must match
Header uses:   s=selector1
DNS publishes: selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."

These two values must refer to the same selector name.


Wrong vs correct setup

Wrong setup

Header uses:   s=selector-old
DNS publishes: selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."

This is broken because the sender signs with selector-old, but DNS only publishes a DKIM key for selector1. The receiver looks up selector-old._domainkey.example.com and does not find the expected key.

Correct setup

Header uses:   s=selector1
DNS publishes: selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."

This is the correct pattern. The selector used in the DKIM-Signature header matches the selector published in DNS, so the receiver can fetch the right public key and verify the signature.

Why this happens

Selector mismatches usually happen during DKIM key rotation, email provider migrations, or partial DNS updates. A new selector may be published in DNS while the sender still uses the old selector, or the sending platform may be updated before the DNS record is changed.

Why this is a problem

  • DKIM verification fails even when the sender is legitimate.
  • DMARC may also fail if DKIM was expected to provide aligned authentication.
  • Receivers cannot retrieve the correct public key.
  • Mailbox providers may reduce trust in the message.

How this affects deliverability

Mailbox providers want authentication to be stable and internally consistent. When the selector in the signature does not match the selector available in DNS, DKIM fails in a way that looks operationally broken rather than intentional.

Common causes

  • A DKIM key was rotated but the sending platform still uses the old selector.
  • DNS was updated with a new selector, but the mail provider still signs with the previous one.
  • A migration between email platforms changed selector naming.
  • Old selector records were removed too early.

What we checked

We compared the selector shown in the DKIM-Signature header with the selector hostname expected in DNS. If the selector in the header does not map to a valid published key, DKIM cannot be verified.
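The comparison described above can be scripted. This is an added example, not this site's own checker: it reads the s= and d= tags from every DKIM-Signature header in a message, builds the lookup hostname, and reports whether a key is published there. It goes slightly beyond the text by also flagging a record whose p= tag is empty, which RFC 6376 defines as a revoked key. The sample zone, the sample message, and the names parse_tags and check_selectors are constructed for illustration; lookup is assumed to return the unquoted TXT value or None.

```python
import email

# Constructed zone standing in for live DNS TXT lookups (assumption).
SAMPLE_ZONE = {
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBg...",
}

# Constructed message signed with selector-old, as in the wrong setup.
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com;\n"
    "\ts=selector-old; h=from:subject; bh=...; b=...\n"
    "From: sender@example.com\n"
    "Subject: test\n"
    "\nbody\n"
)


def parse_tags(value):
    """Parse a tag=value list (header or DNS record); folding whitespace is dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def check_selectors(raw_message, lookup):
    """Return one result dict per DKIM-Signature header in the message."""
    results = []
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        selector, domain = tags.get("s"), tags.get("d")
        if not selector or not domain:
            results.append({"selector": selector, "query": None, "status": "malformed"})
            continue
        query = f"{selector}._domainkey.{domain}".lower()
        record = lookup(query)  # TXT value as str, or None if absent
        if record is None:
            status = "missing"    # mismatch: no key under this selector
        elif not parse_tags(record).get("p"):
            status = "revoked"    # record exists but p= is empty
        else:
            status = "published"
        results.append({"selector": selector, "query": query, "status": status})
    return results

print(check_selectors(SAMPLE_MESSAGE, SAMPLE_ZONE.get))
```

To run it against live DNS, pass a lookup function backed by a real resolver in place of SAMPLE_ZONE.get.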


FAQ

What is a DKIM selector?

A DKIM selector is the label in the DKIM-Signature header that tells receivers which DNS record contains the public key for verification.

Can I have multiple DKIM selectors?

Yes. Multiple selectors are normal and are commonly used for key rotation or for separating different sending systems.

How do I fix a selector mismatch safely?

Check a real DKIM-Signature header, identify the selector being used, then confirm that the exact same selector exists in DNS under _domainkey.

Next steps

  • Inspect a real DKIM-Signature header and note the selector value after s=.
  • Check whether that exact selector exists in DNS under _domainkey.
  • Update either the sender configuration or DNS so both use the same selector.
  • Send a fresh test message after the change.
  • Re-run the check to confirm DKIM verification now passes.
  • Review the full troubleshooting guidance in the DKIM Hub.
  • Explore sender authorization issues in the SPF Hub.
  • Review alignment and policy issues in the DMARC Hub.
