Page contents
A DKIM selector helps receiving servers locate the correct public key to verify your email’s signature. With Sendmarc, you can generate, manage, and verify DKIM selectors, supporting safe key rotation, easier troubleshooting, and trusted email delivery.
Manage DKIM selectors confidently and protect your domain.
DomainKeys Identified Mail (DKIM) is an authentication protocol that adds a digital cryptographic signature to outgoing email. This allows receiving servers to verify that the message wasn’t altered in transit.
The signature is created using a private key securely stored in the sender’s email server. The matching public key is published in the sender’s DNS.
A DKIM selector is a text string included in the DKIM-Signature header field of an email. It helps the receiving server find the correct public key in the DNS to verify the email’s signature.
Selectors allow multiple DKIM keys to exist under the same domain. This is especially useful for companies that:
When an email is sent, the sending server provides the selector and uses the related private key to create a digital signature. The selector is added to the email’s DKIM-Signature header field using the s=
tag.
The receiving server then performs a DKIM selector lookup, querying the DNS for the public key linked to that selector.
DKIM selectors support:
Organizations can assign different keys to departments, services, or third-party senders using unique selectors.
Domains can rotate DKIM keys securely by publishing new keys under new selectors and updating signing configurations without disrupting email flow.
Using multiple selectors limits the risk of a compromised key and offers better control over which servers are authorized to send email.
Since each selector maps to a specific key, email issues can be diagnosed more easily by identifying which selector was used.
A DKIM selector is typically a short, descriptive string such as selector1
, s1
, or something more specific like marketing2025
. The selector is combined with your business’s domain name to form a DNS TXT record.
For example, if your domain is example.com and your selector is s1
, the DNS TXT record name would be s1._domainkey.example.com.
This TXT record stores the public key used to verify the DKIM signature. A standard DKIM DNS record might look like:
Host | Type | Value |
---|---|---|
selector._domainkey.yourdomain.com | TXT | v=DKIM1; k=rsa; p=[YourPublicKeyHere] |
v=DKIM1
specifies the DKIM versionk=rsa
indicates the key typep=[YourPublicKeyHere]
contains the public keyDomains can also use multiple selectors, for example:
selector1._domainkey.example.com
selector2._domainkey.example.com
Each selector points to a separate public key. These are referenced by the s=
tag in the DKIM-Signature header field of your business’s outgoing email.
Setting up a DKIM selector requires a few key steps:
Use your company’s email provider or a trusted third-party service to create a private and public key pair. The private key remains on your organization’s server to sign emails. The public key should be added to the DNS.
Pick a unique identifier for the key pair, such as default
, s1
, or a date-based name like sales2025
.
Create a TXT record and include the public key in the value field.
Set up your business’s sending infrastructure to use the private key and connected selector.
Use a DKIM validator tool to confirm that the selector is working as expected.
Tip: Most major platforms offer built-in tools and step-by-step guides to help you generate keys and configure DKIM selectors correctly.
Want to simplify the process? Book a demo or start a free trial with us.
To verify your company’s selector, try one of the following methods:
Open the header of an email sent from the domain. The selector appears as the s=
value.
Example DKIM-Signature:
v=1;
a=rsa-sha256;
c=relaxed/relaxed;
s=s1;
d=example.com;
t=1751035051;
h=From:Reply-To:To:Subject:Message-ID:In-Reply-To:References:Content-Type:MIME-Version:Date;
bh=aunFLksAAcTKS9q7A8lBniJx6lzZjNH9ytQMpJy682k=;
b=qPHXJYl1cJPlgdTSK/OMjO3MHHNG6Ste+j5LWEKiZwxKx...;
Enter the domain and selector into an online DKIM lookup tool to fetch the related public key record.
Effective selector management includes:
d=
tag (signing domain) and the ‘From’ address to maintain trust and prevent spoofingAdopting these practices strengthens your organization’s email reputation, minimizes spoofing risk, and enhances deliverability.
Protecting your business’s email environment is critical as cyberthreats increase in frequency and sophistication. Sendmarc helps secure your company’s domain through:
Book a demo or sign up now to see how Sendmarc can protect your organization’s email infrastructure and boost domain trust.
A DKIM selector is a text string included in the DKIM-Signature field of an email header. The DKIM selector identifies which public/private key pair was used to sign the email, allowing the receiving email server to locate the correct public key in the domain’s DNS to verify the message.
s=
tag in the DKIM-Signature field. This selector indicates which public key the receiving server should use to verify the authenticity of the email. s1
, default
, or a descriptive name like marketing2025
. In the DNS, these appear in a specific format. For example, s1._domainkey.example.com
is a valid DKIM record. Yes. A DKIM selector is required to enable DKIM authentication. It is especially important if your business plans to use multiple keys or rotate keys regularly to maintain security.
To add a DKIM selector, first generate a public/private key pair. Then choose a unique selector name and publish the public key in the DNS. Finally, configure your company’s email server to use the linked private key and selector.
Your organization can have multiple DKIM selectors. There is no hard limit, and using multiple selectors allows your business to assign different keys to separate email streams, departments, or third-party providers. Managing them effectively is essential for both security and ease of troubleshooting.
To find a DKIM selector, check the DKIM-Signature field in the header of an email sent from your company’s domain. The selector is the value of the s=
tag. To verify a DKIM selector, use a DKIM lookup tool.