DKIM (DomainKeys Identified Mail) is an email authentication method that helps verify that an email wasn’t altered during transmission. It works by adding a digital signature to email headers using cryptographic techniques – the sending server signs outgoing messages with a private key, while receiving servers verify these signatures using a public key published in the sender’s DNS records.
DKIM serves as a critical component of DMARC. When combined with SPF, DKIM helps DMARC further authenticate emails, protecting domains from spoofing and phishing attacks. However, proper DKIM implementation can be challenging, especially for those who are just getting started with DMARC protocols.
That’s where DKIM selectors come in. They allow organizations to manage multiple authentication keys, simplifying deployment across different email services and departments while maintaining strong security practices.
Take a look at our DKIM Lookup tool to easily verify digital signatures and the integrity of incoming emails.
What is a DKIM Selector?
A DKIM selector is a string that identifies a specific DKIM public key for a domain. Selectors allow organizations to use multiple DKIM key records for a single domain, enabling different departments or services to send authenticated emails.
They work by linking each DKIM signature to its corresponding public key, helping receivers locate the correct key during authentication. For example, marketing emails might use the “mkt” selector while automated notifications use the “alert” selector, letting both departments send authenticated emails from the same domain.
A selector appears as the “s=” tag in the DKIM-Signature header field of the email (e.g., “s=mkt”), directing the receiving server to query the specific DNS record (like mkt._domainkey.example.com) for the matching public key.
The receiving server uses the selector to locate and retrieve the public key, then uses that key to verify that the message is authentic and was not altered along the way.
Can I Have Multiple DKIM Selectors?
Absolutely. Many organizations use multiple Email Service Providers (ESPs) and third-party services for their email strategies, and each service can have separate DKIM signatures identified with unique selectors so that the signing and verifying processes for one service don’t interfere with another.
Say your organization uses GSuite, Sendgrid, and MailChimp. Each service provides its own DKIM signature, which can be differentiated with a selector.
For example:
Google’s default DKIM selector is:
google._domainkey.[yourdomain.com] containing the DKIM public key (where “google” is the selector)
Sendgrid’s default DKIM selector is:
s1._domainkey.[yourdomain.com] containing the DKIM public key (where “s1” is the selector)
MailChimp’s default DKIM selectors are:
k1._domainkey.[yourdomain.com] containing the DKIM public key
k2._domainkey.[yourdomain.com] containing the DKIM public key (where “k1” and “k2” are the selectors)
Why Do We Need Multiple DKIM Selectors, and How Do We Use Them?
Multiple selectors enable email stream segmentation, allowing different departments or services to use their own keys. For example, you could use one selector for internal emails and another for, say, marketing emails.
Having multiple selectors also enables third-party integrations, allowing each service provider to use a unique selector, which ensures that emails from different platforms authenticate correctly without error. This setup also aids in troubleshooting by allowing the user to quickly identify which specific key was used for each stream.
Overall, using multiple selectors means more flexibility, security, and control over email processes.
How to Use a DKIM Selector
- Generate a DKIM Key Pair: Create a private and public key pair using our DKIM tool. The private key signs your emails, while the public key is published in your DNS records for verification.
- Choose a DKIM Selector: Select a unique and descriptive name for your selector, such as “marketing2025” or “internal1.” This selector helps identify which key was used to sign an email.
- Publish the Public Key: Create a TXT record in your DNS with the format “selector._domainkey.yourdomain.com” and include your public key in the value field.
- Configure Your Email Server: Set up your email server to use the chosen selector for signing emails.
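The publishing step above, as an added example that is not EasyDMARC's tooling: it turns a PEM public key into the TXT record for a selector and splits the value into strings of at most 255 characters, which a 2048-bit key always requires. The function names and the placeholder key are assumptions made for illustration; the selector and domain are the ones used in the steps.

```python
import base64
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def sample_public_pem():
    """Constructed placeholder, NOT a real key: 294 bytes, the DER size of a
    2048-bit RSA public key, wrapped in PEM armor."""
    b64 = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines)
            + "\n-----END PUBLIC KEY-----\n")

def dkim_txt_record(selector, domain, public_pem):
    """Return (record name, full TXT value, value split into <=255-char strings)."""
    if not all(LABEL.match(label) for label in selector.split(".")):
        raise ValueError(f"selector {selector!r} is not a valid DNS name")
    # Keep only the base64 body of the PEM; the armor lines start with '-'.
    p = "".join(l.strip() for l in public_pem.splitlines()
                if not l.startswith("-"))
    base64.b64decode(p, validate=True)  # reject a truncated or mangled paste
    value = f"v=DKIM1; k=rsa; p={p}"
    # A single TXT character-string holds at most 255 bytes, so a longer value
    # is published as several strings that verifiers join back together.
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey.{domain}", value, chunks

def zone_line(name, chunks):
    """Render the record in zone-file syntax with one quoted string per chunk."""
    return f"{name}. IN TXT ( " + " ".join(f'"{c}"' for c in chunks) + " )"

if __name__ == "__main__":
    name, value, chunks = dkim_txt_record(
        "marketing2025", "yourdomain.com", sample_public_pem())
    print(zone_line(name, chunks))
```
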
Who Provides the DKIM Selector?
It mainly depends on the source. If you’re using ESPs and third-party services, they usually have official documentation on how to implement a DKIM Signature. For some sources, it is possible to pick a custom “selector”, while with others, default and in-built selectors are used. Some sources, like Office365 and MailChimp, follow DKIM security best practices, requiring organizations to publish multiple selectors and DKIM records to support automated DKIM key rotation, achieved with CNAME records.
At EasyDMARC, we provide more than 1,000 identified email vendors and configuration guides for both SPF and DKIM. With our DKIM lookup tool and DKIM record generator, getting started is easy, accurate, and secure.
How Can I Find My DKIM Selector?
The simplest way to find your DKIM selector is to send an email to yourself and look at the email headers.
- In Gmail, click ‘Show original’
- Search for ‘DKIM-Signature’ to find the DKIM Signature applied to the email
There will be cases where you may find multiple DKIM Signatures applied to your message. In this case, find the one that carries your domain name in the d= tag (d=yourdomain.com). If you don’t find any DKIM-Signature header, or none that matches your domain name, additional DKIM configuration and implementation steps are needed on your ESP’s side. You can read our article on DMARC Alignment on our website.
- Alternatively, without inspecting email headers, you can find your DKIM Signature selectors in your EasyDMARC dashboard, provided your email is properly authenticated.
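The header check described above can be scripted against the text copied from ‘Show original’. This added example (not part of the original article or of EasyDMARC's tools) reads every DKIM-Signature header, keeps the ones whose d= tag matches your domain, and returns the selector with the DNS name to look up. The sample message is constructed and the function names are assumptions.

```python
from email import message_from_string

# Constructed sample message (not real mail): two signatures, as happens when
# an ESP signs with its own domain in addition to the sender's domain.
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example.net;
 s=s1; h=from:to:subject; bh=AAAA; b=BBBB==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Example.com;
 s=mkt; h=from:to:subject;
 bh=CCCC; b=DDDD
 EEEE==
From: news@example.com
To: me@example.com
Subject: selector test

body
"""

def parse_tags(value):
    """Parse a DKIM tag=value list into a dict, removing folding whitespace."""
    tags = {}
    for part in value.split(";"):
        # Split on the first '=' only: base64 values such as b= end in '='.
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def selectors_for(raw_message, domain):
    """Return (selector, DNS name) for each signature whose d= equals domain."""
    want = domain.lower().rstrip(".")
    found = []
    for header in message_from_string(raw_message).get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d, s = tags.get("d", "").lower().rstrip("."), tags.get("s", "")
        if s and d == want:  # domain names compare case-insensitively
            found.append((s, f"{s}._domainkey.{d}"))
    return found

if __name__ == "__main__":
    print(selectors_for(RAW, "example.com"))
```

An empty result for your own domain corresponds to the case described above where no signature matches and the ESP's DKIM setup still needs attention.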
Implement DKIM, Protect Your Email
Inspecting and verifying your DKIM signature is essential for debugging DKIM issues. Properly configured DKIM is critical for your DMARC enforcement journey, as improper setup can lead to rejected emails, increased spam filtering, damaged sender reputation, and vulnerability to spoofing attacks.
DKIM selectors are key for managing multiple authentication keys across different email services, providing necessary flexibility while adding configuration complexity. The interplay between DKIM, SPF, and DMARC creates robust protection, but requires technical expertise to implement correctly.
EasyDMARC simplifies this process with specialized tools including our DKIM Lookup for configuration analysis and DKIM Validator for pre-deployment testing. Our platform streamlines DMARC implementation with guided setup, automated policy recommendations, and intuitive reporting dashboards that transform complex authentication data into actionable insights, helping organizations of all sizes secure their email communications effectively.