
DKIM Selector

Learn what a DKIM selector is, how it locates public keys for DKIM verification, and how tools like DMARCeye help you monitor selector usage.


What is a DKIM Selector?

A DKIM selector is a unique identifier that tells receiving mail servers where to find the public key needed to verify a message’s DomainKeys Identified Mail (DKIM) signature.

It’s part of the DKIM-Signature header added to an outgoing email. This header includes several parameters, one of which (s=) specifies the selector. The receiving server then uses this selector, together with the sender’s domain, to look up the corresponding public key in DNS.

Example DKIM-Signature snippet:

 DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail2025; ...

Here, “mail2025” is the selector. The receiving mail server queries DNS for the TXT record at:

 mail2025._domainkey.example.com

to retrieve the public key for verification.

How a DKIM Selector Works

Each DKIM selector points to a specific public key stored as a TXT record in DNS. This allows organizations to:

  • Use multiple DKIM keys for different sending services or subdomains.
  • Rotate keys periodically without interrupting mail flow.
  • Manage and revoke keys easily by updating or removing specific DNS entries.

When a message arrives, the recipient server:

  1. Reads the selector (s=) and domain (d=) from the DKIM-Signature header.
  2. Queries DNS for selector._domainkey.domain.
  3. Retrieves the public key and uses it to verify the message hash.

If the signature is valid, it shows that the signed headers and body have not been altered since signing and that the message was authorized by the domain named in d=.
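The lookup steps above, sketched as an added Python example (not DMARCeye's code or any mail server's): it derives the DNS query name from a DKIM-Signature header value and classifies the selector's TXT record, treating an empty p= as a revoked key per RFC 6376. The function names and the sample header and records are constructed for illustration, and no DNS query is made.

```python
import re

# Constructed sample data (not from a real message or DNS zone).
SAMPLE_HEADER = ("v=1; a=rsa-sha256; d=example.com;\n"
                 "\ts=mail2025; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER==")
ACTIVE_TXT = "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"
REVOKED_TXT = "v=DKIM1; k=rsa; p="

# One DNS label: letters, digits and inner hyphens only.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags


def key_query_name(header_value):
    """Steps 1 and 2: read s= and d=, return the DNS name to query."""
    tags = parse_tags(header_value)
    selector, domain = tags.get("s"), tags.get("d")
    if not selector or not domain:
        raise ValueError("DKIM-Signature is missing s= or d=")
    # Both values come from the message, so validate every DNS label
    # before building a query from them (a selector may contain dots).
    for label in f"{selector}.{domain}".split("."):
        if len(label) > 63 or not LABEL.fullmatch(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return f"{selector}._domainkey.{domain}".lower()


def key_record_status(txt):
    """Classify a selector's TXT record as active, revoked or invalid."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"
    # RFC 6376: an empty p= value means the key has been revoked.
    return "active" if re.sub(r"\s+", "", tags["p"]) else "revoked"


if __name__ == "__main__":
    print(key_query_name(SAMPLE_HEADER))
    print(key_record_status(ACTIVE_TXT), key_record_status(REVOKED_TXT))
```

A verifier would feed the TXT data returned for the query name into the status check before attempting signature verification; a revoked or invalid record means the signature cannot pass.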

Why DKIM Selectors Are Important for Secure Emailing

Selectors make DKIM flexible and secure. Without them, every system that signs mail for a domain would need to share the same key pair, creating both operational and security risks.

For example, a company might use:

  • marketing._domainkey.example.com for newsletters.
  • billing._domainkey.example.com for invoices.
  • app._domainkey.example.com for transactional emails.

Each key can be managed, rotated, or revoked independently. This separation simplifies maintenance, supports third-party senders, and ensures strong authentication practices.

DKIM Selectors and DMARCeye

DMARCeye helps identify which DKIM selectors are in use across your domain and whether they’re working as expected. In your DMARC reports, selectors appear as part of the authentication results. DMARCeye organizes and visualizes this data so you can see which keys are active, which services use them, and where alignment issues occur.

By monitoring selectors, DMARCeye makes it easier to detect outdated keys or unapproved senders using your domain name, reducing your exposure to spoofing or configuration errors.

Sign up for a free trial of DMARCeye today and secure your email domain.


To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.

