Skip to main content
DKIM Selectors

DKIM Selectors

DeploymentTechnical Guidance

This article takes a look at DKIM Selectors in particular. We explain:

  • What DKIM Selectors are
  • Where to find your own DKIM Selector

How does DKIM work?

To use DKIM, email servers are configured to attach special DKIM signatures to the emails they send. These signatures travel with the emails and are verified along the way by the email servers that move the emails toward their final destination. These signatures act like a watermark for email so that email receivers can verify that the email actually came from the domain it says it does and that it hasn’t been tampered with.

Each signature contains all the information needed for an email server to verify that the signature is real, and it is encrypted by a pair of keys. The originating email server has what is called the “private key,” which can be verified by the receiving mail server or ISP with the other half of the keypair, which is called the “public key.”

What are DKIM Selectors?

The DKIM selector is specified in the DKIM-Signature header and indicates where the public key portion of the DKIM keypair exists in DNS. The receiving server uses the DKIM selector to locate and retrieve the public key to verify that the email message is authentic and unaltered.

How can I find my DKIM Selector?

A DKIM selector is specified when the private/public key pair is created when DKIM is set up for the email domain (or email sender), and it can be any arbitrary string of text.

The DKIM selector is inserted into the DKIM-Signature email header as an s= tag when the email is sent. The easiest way to discover the selector for your domain is to send an email to yourself. 

  1. When you open the email, view the “original message” (some email clients might call this view “raw” or “full headers”) of the email. Your goal is  to view the header information, which includes DKIM authentication results.
  2. Search the headers for “DKIM-signature” to find the DKIM signature applied to the message. If there are multiple DKIM-Signature headers, find the one which contains your domain. This DKIM signature contains an attribute “s=” which is the selector used. In the DKIM selector example below we can see the DKIM selector is s2048gl.

If you cannot find a DKIM-Signature header (or not one which matches your domain), you will need to work to introduce that feature. Contact the person responsible for sending your email to begin.

To inspect and verify your DKIM records, head over to our free DKIM inspector. If you still have questions about DKIM selectors and how to configure them, let us know and we’ll give you a hand.

DKIM stands for DomainKeys Identified Mail and is a free email authentication technology that has been around since 2005. It is a method of adding a tamper-proof domain seal to a piece of email and, along with SPF, is a foundation for DMARC. You can find more information about DKIM in general here.

We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.

Want to continue the conversation? Head over to the dmarcian Forum.