What are DKIM selectors used for?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
When a receiving mail server checks your DKIM signature, it needs to find the public key to verify it against. But a domain might have multiple DKIM keys, from different systems or different time periods. How does the receiving server know which key to use?
That's what selectors are for. A DKIM selector is a short label that appears in the DKIM-Signature header as the s= tag. It tells the receiving server exactly where in DNS to look for the matching public key.
The DNS lookup takes the form: {selector}._domainkey.{domain}. So if your selector is google and your domain is yourbrand.com, the receiver looks up: google._domainkey.yourbrand.com.
You'd use multiple selectors when different systems need to sign on your behalf. Your ESP might use one selector, your transactional email provider another, your Google Workspace a third. Each has its own key pair. If one key is ever compromised, you rotate just that selector without affecting the others.
Selectors also make key rotation cleaner. Instead of replacing a key in-place and creating a window where some mail uses the old key and some uses the new, you can stand up a new selector, switch your signing to it, and then retire the old one after the TTL expires.
You can see which selectors are active on your domain (and verify they're returning valid public keys) with our free Review My Emails DKIM Record Lookup. Just enter your domain and selector name and we'll show you the key length and configuration.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.