What is a DKIM selector and how does it work?
DKIM is an email authentication method that organizations use to protect their email. Find more information about DKIM on our website. Let’s find out what is a DKIM selector in our article.
What is a DKIM selector?
To support multiple DKIM Key records for a single domain, the DKIM standard introduced the notion of “selector”, an arbitrary string that helps with the DKIM Public Key identification process. It is specified as “s=” tag in the DKIM-Signature header field which can be found in the technical email header information.
The receiving server uses a selector to locate and retrieve the public key to verify that the specified outgoing message is authenticated and not altered along the way.
Can I have multiple DKIM selectors?
Absolutely. As many organizations tend to use multiple ESPs and Third-Party services for their various email strategies (Marketing, Transactional, etc.), each service can have their own, separate DKIM Signatures identified with their unique selectors so that the signing/verifying processes with one service doesn’t interfere with the other.
Let’s suppose your organization uses GSuite, Sendgrid, and MailChimp all together. Each server provides its own DKIM Signature which can be differentiated with a selector.
Google’s default DKIM selector is:
google._domainkey.[yourdomain.com] containing DKIM Public Signature (where “google” is the selector)
Sendgrid’s default DKIM selector is:
s1._domainkey.[yourdomain.com] containing DKIM Public Signature (where “s1” is the selector)
MailChimp’s default DKIM selector is:
k1._domainkey.[yourdomain.com] containing DKIM Public Signature
k2._domainkey.[yourdomain.com] containing DKIM Public Signature (where “k1” and “k2” are the selectors)
Who provides the DKIM selector?
It mainly depends on the source. If you’re using ESPs and Third-Party services, they usually have official documentation that provides a step-by-step procedure to implement DKIM Signature. For some sources, it is possible to pick a custom “selector”, while with others, default and in-built selectors are used. Also, there are some sources (ex. Office365 & MailChimp) who follow DKIM security best practices requiring organizations to publish multiple selectors/DKIM Records to support automated DKIM Key rotation, achieved with CNAME records.
EasyDMARC provides more than 1,000 Identified Email Vendors, where the configuration steps of both SPF and DKIM are available from the sources’ official documentation.
Ex. of Google and AmazonSES Configuration steps directly from EasyDMARC portal
How can I find my DKIM selector?
The simplest way to find is to send an email to yourself and observe the Email headers.
- In Gmail, view ‘Show Original’
2. Search for ‘DKIM-Signature’ to find the DKIM Signature applied to the email
There will be cases that you may find multiple DKIM Signatures applied to your message. In this case, make sure you find the one which contains your domain name, applied in (d=yourdomain.com) tag.
So if you don’t find any DKIM-Signature header, or you don’t find any DKIM-Signature which matches your domain name, additional steps need to be taken from your ESP side with DKIM configuration and implementation steps. You can read our article on DMARC Alignment on our website.
3. Additionally, without inspecting Email Headers, and if properly authenticated, you will easily find your DKIM Signature selectors in your EasyDMARC dashboard.
Inspecting and verifying your DKIM Signature is one of the core steps in debugging DKIM issues. You can use our DKIM Lookup tool to further analyze and take the appropriate steps with the configuration.