How to Find Your DKIM Selector & Manage DKIM Keys

What does email authentication do? Yes it blocks spoofed messages, but it also plays a critical role in protecting brand reputation and ensuring legitimate emails actually reach the inbox. Among the core authentication protocols, DKIM stands out by adding a cryptographic signature to every message, proving it hasn’t been altered in transit.

At the center of DKIM is the DKIM selector. While often overlooked, the selector determines which public key receiving servers should use to verify your email’s signature, making it essential for successful DKIM authentication across different mail streams and providers.

In this blog, we’ll break down everything you need to know about DKIM selectors and troubleshoot common errors that can break authentication and impact deliverability.

What is a DKIM Selector?

A DKIM selector is a unique identifier used in DKIM authentication that tells receiving mail servers which public key to retrieve from DNS to verify an email’s DKIM signature. It allows a domain to use multiple DKIM keys at the same time, making key rotation and management easier without interrupting email delivery.

Example:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; h=from:to:subject:date; bh=abc123…; b=xyz456…

Here s= stands for selector. In this example, s=selector1 tells the server to query:
selector1._domainkey.example.com

How DKIM Authentication Works (Step-by-Step)

As explained above, DKIM works by adding a cryptographic signature to every outgoing email sent from your DKIM-enabled domain.

• Step 1: The sending mail server signs the outgoing email using a private cryptographic key. This signature is added to the email header, along with a DKIM selector that identifies which key was used.
• Step 2: The receiving mail server looks up the public key. It does this by querying DNS using the selector.
• Step 3: Once the public key is found, the receiving server uses it to verify the signature in the email header. If the signature matches, DKIM passes, confirming the message wasn’t modified in transit and was authorized by the sending domain.

However, note that DKIM works best in conjunction with SPF and DMARC, and cannot alone prevent spoofing and phishing attacks.

How to Find Your DKIM Selector?

Method A: Inspect Email Headers (Manual)

1) Send a test mail to your Gmail account
2) Click on the 3 dots next to the email in your Gmail inbox

3) Select “show original”

4) On the “Original Message” page navigate to the bottom of the page to the DKIM signature section and try to locate the “s=” tag, the value of this tag is your DKIM selector.

In the above example, s1 is my DKIM selector. This is one of the methods you can use to identify and locate yours.

Method B: Use Email Provider Settings

Step 1: Log in to your email service provider’s admin console.

Step 2: Navigate to the email authentication or DNS configuration section.
Step 3: Locate the DKIM settings for your domain.
Step 4: Identify the selector value listed with the DKIM TXT record.

Method C: Using DKIM Lookup/Checker Tools

Step 1: Open the PowerDMARC DKIM Checker tool

Step 2: Enter your domain name and keep the selector field at “auto”

Step 3: Hit lookup
Step 4: Let our tool automatically detect and display your DKIM selector

Method D: Using DMARC Monitoring Tools

DMARC reporting tools like PowerDMARC provide visibility into DKIM selectors actively used by sending sources.

Step 1: Enable DMARC aggregate reporting for your domain by signing up with PowerDMARC.
Step 2: Review authentication results for each sending source.
Step 3: Identify the DKIM selector values reported per source and IP.

How to Configure and Publish a DKIM Selector

Configuring a DKIM selector correctly is critical for email authentication, sender reputation, and long-term deliverability. A misconfigured selector can break DKIM entirely, even if the key itself is valid.

Required DNS Record Format and Syntax

A DKIM record is published as a TXT record in DNS using this structure: selector._domainkey.yourdomain.com

Example: s1._domainkey.example.com

The value typically includes:

• v=DKIM1 (protocol version)
• k=rsa (key type)
• p= (public key)

Example value: v=DKIM1; k=rsa; p=MIIBIjANBgkq…
Ensure there are no extra spaces, quotes, or line breaks added by the DNS provider.

Key Length Recommendations (2048-bit)

• 2048-bit DKIM keys are strongly recommended
• 1024-bit keys are deprecated and may fail authentication with major mailbox providers
• Longer keys improve cryptographic strength without impacting performance

Most modern email platforms default to 2048-bit keys. It is recommended to keep this enabled unless there’s a strong technical reason not to.

Publishing via DNS Provider Panel

1. Log in to your DNS hosting provider
2. Add a new TXT record
3. Set the host/name as the DKIM selector
4. Paste the DKIM public key in the value field
5. Save and wait for propagation
6. Check your DKIM configuration using our DKIM Checker tool

DKIM Selector Naming Conventions and Examples

Choosing the right selector name improves clarity, scalability, and long-term maintenance.

Common Selector Patterns

Frequently used formats include: s1, s2, selector1, and provider defaults like google, k1, smtp, mail. While these work just fine, they often lack context and can get confusing to track.

Best Practice: Descriptive Selector Names

Instead, use selectors that indicate service and time period, such as: google2025, sendgrid_q1, marketing_2024. These are much easier to remember and track, and provide exact context, leaving little room for guesswork while also being secure.

DKIM Selector Management

One of the most overlooked aspects of DKIM is selector management over time. Selectors should be treated as managed assets rather than one-time DNS entries that are forgotten after setup.
Maintaining documentation is a simple but powerful practice. A basic spreadsheet or internal log can track your selectors and rotation timelines efficiently. This prevents confusion when keys need to be rotated or when a sending service is retired.
Simply maintain a simple tracking system (CSV, spreadsheet, or internal log) with:

• Selector name
• Domain
• Sending service
• Key length
• Creation date
• Rotation schedule
• Owner/team

DKIM Selector Lifecycle

Every DKIM selector should follow a clear lifecycle. It begins with planning, where naming conventions and rotation timelines are defined.
A healthy lifecycle includes:

1. Plan: define naming and rotation strategy
2. Publish: add DNS record and validate
3. Rotate: introduce a new selector and key
4. Decommission: remove unused selectors safely

Best Practices for DKIM Selectors

To maintain DKIM selector health, here are a few best practices you can follow:

1. Make your selectors unique and difficult to guess
2. Rotate your DKIM keys as frequently as possible to avoid compromise
3. Use consistent naming conventions across all senders to make audits easier
4. Actively monitor your DKIM to ensure unused selectors are identified and retired on time

How PowerDMARC’s DKIM Analytics Tool Can Help

PowerDMARC’s Hosted DKIM Analytics closes this gap by giving organizations continuous insight into how DKIM is actually performing across domains, selectors, and sending sources.

• Per-Selector and Sending Service Monitoring: PowerDMARC breaks down DKIM performance at the selector and sending service level.
• Flexible Time Range Filtering: PowerDMARC allows you to analyze DKIM performance over flexible time ranges such as the last seven days, the previous month, or fully custom periods.
• At-a-Glance DKIM Statistics: For quick assessments, PowerDMARC provides a high-level DKIM overview that summarizes total selectors, active sending services, and the volume of DKIM-signed versus unsigned emails.
• Detailed Selector-Level Insights: For each selector, PowerDMARC surfaces key data points such as total email volume, DKIM pass rates, and the last time the selector was observed signing email.
• Exportable Reports for Audit and Collaboration: PowerDMARC allows you to export Hosted DKIM Analytics data in CSV format, making reporting simple and flexible.
• DKIM Key Health Overview: Key health insights include key length visibility, key rotation tracking, and key usage monitoring.

Common DKIM Selector Problems & Troubleshooting

Problem 1: Selector Not Found in DNS

Common causes: This issue can be caused by syntax errors, incorrect DNS record type, incomplete propagation, or wrong domain or subdomain usage.
Troubleshooting: Allow your DNS 24-48 hours of propagation time if you configured DKIM recently. If the issue persists, use a DKIM checker tool to check your record and fix errors found.

Problem 2: Multiple Selectors Causing Confusion

Common causes: Too many active selectors can complicate audits, and unused selectors may remain indefinitely. This is not a good practice. Moreover, poor documentation makes ownership unclear.
Troubleshooting: Remove unused selectors on a timely basis and keep updated documentations to make auditing and tracking accurate and effortless.

Problem 3: Selector Mismatch

Common causes: The DKIM header references a selector that doesn’t exist in DNS or a key was rotated, but the sending service wasn’t updated.
Troubleshooting: Always confirm alignment between DKIM signature (s= value) and your published DNS record.

Final Words

From this blog, we learned that DKIM selector plays a key role in DKIM authentication, and we can find it using multiple methods – both manual and automatic. However, if you require maximum control over your DKIM, you need more than this.

By combining performance analytics with key health intelligence, PowerDMARC turns DKIM from a static configuration into a continuously monitored security control. Teams gain the visibility needed to maintain deliverability, enforce best practices, and confidently manage DKIM across complex email ecosystems, without relying on manual checks or guesswork. Contact us to get started today!

Frequently Asked Questions

What happens if a DKIM selector is wrong?
If a DKIM selector is wrong, your emails may fail DKIM authentication, increasing spam filtering and triggering possible DMARC failures.
Can you have multiple DKIM selectors?
Yes. Multiple DKIM selectors are normal and often required for rotation or multiple senders.
How often should I rotate DKIM keys?
It is recommended to rotate your DKIM keys every 3–6 months. However, in case of a security incident, rotate your keys immediately to prevent further compromise.
What tools can automatically find DKIM selectors?
PowerDMARC’s email header analyzer and DKIM lookup tools can instantly extract the DKIM selector used in a message, without manual effort or technical expertise.

• About
• Latest Posts

Yunes Tarada

Domain & Email Security Expert at PowerDMARC

Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.

Latest posts by Yunes Tarada (see all)

• A Step-by-Step Guide to Setting Up SPF, DKIM, and DMARC for Wix - January 26, 2026
• How to Fix “Reverse DNS Does Not Match the SMTP Banner” Error - January 22, 2026
• What Is BIMI? Email Trust and Brand Identity - December 26, 2025