DKIM Selector Not Found
A DKIM selector not found error means the selector referenced in the DKIM-Signature header does not resolve to a usable DKIM TXT record in DNS. The selector is the label after s= in the DKIM header, and it tells the receiver where to find the public key. If that selector record is missing, wrong, or published under the wrong hostname, the receiver cannot verify the signature.
One-Minute Fix
Make sure the exact selector used in the DKIM-Signature header exists in DNS under the matching _domainkey hostname.
Header uses: s=selector1
DNS publishes: selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."If the email header uses s=selector1, the DNS record must exist at selector1._domainkey.example.com.
Re-checkWrong vs correct setup
Wrong setup
Header uses: s=selector1
DNS publishes: selector2._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."This is broken because the sender uses selector1, but DNS only contains a DKIM key for selector2. The receiver queries selector1._domainkey.example.com and does not find the expected key.
Correct setup
Header uses: s=selector1
DNS publishes: selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."This is the correct pattern. The selector used in the DKIM-Signature header matches the selector published in DNS, so the receiver can fetch the right public key.
Why this happens
This problem usually appears when a mail provider changed selectors, a DNS record was added under the wrong hostname, an old selector was removed too early, or a team copied only part of the DKIM setup instructions.
Why this is a problem
- DKIM verification fails.
- DMARC may fail if DKIM was expected to provide aligned authentication.
- Receivers cannot retrieve the correct public key.
- Inbox placement becomes less predictable.
How this affects deliverability
When the selector cannot be found, mailbox providers see a broken authentication path. Even if the sender itself is legitimate, the missing selector makes the domain look operationally unreliable and can contribute to spam placement.
Common causes
- A DKIM key was rotated but DNS still publishes the old selector.
- The selector hostname was entered incorrectly in DNS.
- A migration between providers changed selector naming.
- An old selector record was deleted before all senders stopped using it.
What we checked
We compared the selector in the DKIM-Signature header with the selector records available under _domainkey in DNS. If the expected selector record is missing, DKIM cannot be verified.
Live DNS lookup. No login. No saved domains. No tracking.
FAQ
What is a DKIM selector?
A DKIM selector is the label in the DKIM-Signature header that tells receivers which DNS record contains the public key.
Can I have multiple DKIM selectors?
Yes. Multiple selectors are normal and are often used for key rotation or for separate mail systems.
How do I fix a selector-not-found error safely?
Inspect a real DKIM-Signature header, note the selector after s=, and confirm that the exact same selector exists in DNS under _domainkey.
Next steps
- Inspect a real DKIM-Signature header and note the selector value.
- Check whether that exact selector exists in DNS under _domainkey.
- Publish the missing selector record or update the sender configuration.
- Wait for DNS propagation.
- Send a new test message and verify DKIM now passes.
- Review the full troubleshooting guidance in the DKIM Hub.
- Explore sender authorization issues in the SPF Hub.
- Review alignment and policy issues in the DMARC Hub.