Quick Answer

A DKIM selector is a name that identifies which public key to use when verifying a DKIM signature. The selector is part of the DNS record location: selector._domainkey.domain.com. Multiple selectors allow multiple DKIM keys to coexist—different ESPs use different selectors, and key rotation uses new selectors while old ones phase out.

DKIM Selector: What It Is and How to Manage Multiple Selectors

By Braedon · Mailflow Authority · Email Authentication · Updated 2026-03-31

What Is a DKIM Selector?

A DKIM selector is a name that points to a specific DKIM public key in your DNS. It's part of the DNS lookup path:

selector._domainkey.yourdomain.com

Example selectors:

  • google._domainkey.yourdomain.com
  • s1._domainkey.yourdomain.com
  • k1._domainkey.yourdomain.com
  • mta1._domainkey.yourdomain.com

When an email arrives with a DKIM signature, the receiving server reads the selector from the signature header and uses it to find the public key.

Where the Selector Appears

In Email Headers

The DKIM-Signature header includes the selector:

DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=google;
    c=relaxed/relaxed; q=dns/txt; h=from:to:subject:date;
    b=abc123...

  • d=yourdomain.com: The signing domain
  • s=google: The selector

The receiver looks up google._domainkey.yourdomain.com to find the public key.

In DNS

google._domainkey.yourdomain.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0..."
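
The lookup described above, as an added example that is not part of the original article: it reads every DKIM-Signature header in a message, builds the DNS name a receiver would query, and reports whether a key record exists. The message, the ZONE dictionary standing in for DNS, the placeholder key value and all function names are constructed for illustration.

```python
import email
import re

# Constructed sample message carrying two signatures (two services signing for one domain).
RAW_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=google;
    c=relaxed/relaxed; q=dns/txt; h=from:to:subject:date;
    b=abc123
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com;
    s = s1; h=from:to:subject:date; b=def456
From: sender@yourdomain.com
To: rcpt@example.net
Subject: selector demo

Body text.
"""

# Constructed stand-in for DNS: only the google selector has been published.
ZONE = {"google._domainkey.yourdomain.com": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"}

def parse_tag_list(value):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def lookup_names(raw_message):
    """Return the DNS name a receiver queries for each DKIM-Signature header."""
    msg = email.message_from_string(raw_message)
    names = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(header)
        if tags.get("s") and tags.get("d"):  # both tags are needed to build the name
            names.append(f"{tags['s']}._domainkey.{tags['d']}")
    return names

def check_message(raw_message, zone):
    """Pair each lookup name with whether a key record exists for it."""
    return [(name, "key found" if name in zone else "DKIM key not found")
            for name in lookup_names(raw_message)]

if __name__ == "__main__":
    for name, status in check_message(RAW_MESSAGE, ZONE):
        print(f"{name}: {status}")
```

Each signature is resolved on its own, so the unpublished s1 selector fails without affecting the google one.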

Common Selector Names by ESP

ESP | Typical Selector
Google Workspace | google
Microsoft 365 | selector1, selector2
SendGrid | s1, s2, em1234
Mailgun | mx, smtp, k1
Postmark | 20240101 (date-based)
Mailchimp | k1, k2, k3
Klaviyo | kl, kl2
HubSpot | hs1, hs2

These are typical defaults—some ESPs allow customization.

Why Multiple Selectors?

Reason 1: Multiple ESPs

Each email service needs its own DKIM key. Different selectors keep them separate:

google._domainkey → Google Workspace email
s1._domainkey → SendGrid transactional
kl._domainkey → Klaviyo marketing

All coexist without conflict. Each ESP signs with its key; receivers look up the right one.

Reason 2: Key Rotation

When rotating DKIM keys, you need both old and new to work during transition:

# Old key (still valid)
k1._domainkey → old public key

# New key (just deployed)
k2._domainkey → new public key

ESP switches to signing with k2. Old emails signed with k1 still verify until delivered. After transition, remove k1.

Reason 3: Environment Separation

Some organizations use different selectors for:

  • Production vs staging
  • Different sending applications
  • Regional sending infrastructure

Practitioner note: Most organizations only need to think about selectors when they're asked to add DNS records for a new ESP. The ESP handles selector management—you just add the records they provide.

Finding Your Current Selectors

From Email Headers

  1. Send a test email from each ESP
  2. Open in Gmail → Three dots → Show original
  3. Find DKIM-Signature header
  4. Look for s= value

From ESP Dashboard

Most ESPs show the selector in their domain authentication section:

  • SendGrid: Settings → Sender Authentication → Your domain
  • Google: Admin → Gmail → Authenticate email
  • Mailgun: Sending → Domains → DNS Records

From DNS

A standard DNS query cannot list every _domainkey record, so check the selectors you expect one at a time:

# Check common selectors
dig TXT google._domainkey.yourdomain.com +short
dig TXT s1._domainkey.yourdomain.com +short
dig TXT selector1._domainkey.yourdomain.com +short

Managing Multiple Selectors

Adding a New ESP

  1. Get selector and key from new ESP
  2. Add DNS record at selector._domainkey.yourdomain.com
  3. Wait for propagation
  4. Enable DKIM in ESP
  5. Verify with test email

No conflict with existing selectors—each uses its own name.

Selector Naming Best Practices

ESP-provided selectors: Use what they give you. Easier support, no confusion.

Custom selectors (if allowed):

  • Use descriptive names: sendgrid, mailchimp, hubspot
  • Include date for rotation: google202403, google202409
  • Keep it short—DNS has limits

Key Rotation with Selectors

  1. Generate new key with new selector:

    • Old: k1._domainkey → active
    • New: k2._domainkey → add to DNS
  2. Publish new key to DNS

  3. Switch ESP to new selector:

    • ESP now signs with k2
  4. Transition period:

    • Emails signed with k1 still verifying
    • New emails signed with k2
  5. Remove old selector (optional):

    • After 7+ days, all k1-signed mail delivered
    • Can remove k1._domainkey from DNS

Practitioner note: I recommend keeping old selectors in DNS for at least a week after rotation. Some mail gets delayed, cached, or retried. Removing too quickly causes verification failures for legitimate mail still in transit.

Troubleshooting Selector Issues

"DKIM key not found"

Check the exact selector name. Selectors are case-sensitive in some implementations.

# Verify selector exists
dig TXT s1._domainkey.yourdomain.com +short

"Selector mismatch"

The selector in the email header doesn't match any DNS record. Either:

  • ESP is signing with a selector you haven't added to DNS
  • Typo in DNS record name
  • DNS propagation not complete

"Multiple selectors, one failing"

Each ESP is independent. If one fails:

  1. Check that specific ESP's selector in DNS
  2. Verify that ESP is configured correctly
  3. Test only that ESP's sending

Other selectors/ESPs aren't affected.

Selector Security

The selector name itself isn't secret—it's visible in every email header. Security comes from:

  • The cryptographic key (not the selector name)
  • DNS integrity (DNSSEC recommended)
  • Key length (2048-bit minimum)

Custom selector names provide no security benefit over default names.
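
One way to check the key length point above for a selector's TXT record, as an added example that is not part of the original article: it decodes the p= value and reads the RSA modulus size straight from the DER structure. It assumes k=rsa records; the sample records are constructed in code with a dummy modulus, and all function names are hypothetical.

```python
import base64
import re

# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL parameters)
RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")

def der(tag, body):
    """Encode one DER element; only used to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def constructed_record(bits):
    """Build a DKIM key record of the given size; the modulus is a dummy, not a usable key."""
    ints = b"".join(der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
                    for v in ((1 << (bits - 1)) | 1, 65537))
    spki = der(0x30, RSA_ALG + der(0x03, b"\x00" + der(0x30, ints)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def read_tlv(buf, pos, want):
    """Return (value_start, value_end) of the DER element at pos, checking its tag."""
    if buf[pos] != want:
        raise ValueError(f"expected tag {want:#x} at offset {pos}")
    first, pos = buf[pos + 1], pos + 2
    if first & 0x80:  # long form: low bits give the number of length bytes
        n = first & 0x7F
        return pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")
    return pos, pos + first

def rsa_key_bits(record):
    """Modulus size in bits of the RSA key in a DKIM TXT record; 0 if p= is empty."""
    m = re.search(r"(?:^|;)\s*p\s*=([^;]*)", record)
    p = "".join(m.group(1).split()) if m else ""
    if not p:
        return 0
    spki = base64.b64decode(p)
    start, _ = read_tlv(spki, 0, 0x30)                   # SubjectPublicKeyInfo
    _, alg_end = read_tlv(spki, start, 0x30)             # AlgorithmIdentifier (skipped)
    bits_start, _ = read_tlv(spki, alg_end, 0x03)        # BIT STRING holding the key
    seq_start, _ = read_tlv(spki, bits_start + 1, 0x30)  # skip the unused-bits byte
    n_start, n_end = read_tlv(spki, seq_start, 0x02)     # INTEGER: the modulus
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()

def audit(record, minimum=2048):
    """Classify a key record against the minimum key length."""
    bits = rsa_key_bits(record)
    return "revoked" if bits == 0 else "ok" if bits >= minimum else f"weak ({bits}-bit)"
```

An empty p= value marks a revoked key under RFC 6376, which is why it is reported separately from a short key.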

For the complete setup process, see the DKIM setup guide. For key rotation details, see DKIM key rotation. If you need help managing DKIM selectors across multiple ESPs or planning key rotation, schedule a consultation.


v1.0 · March 2026

Frequently Asked Questions

What is a DKIM selector?

A DKIM selector is a label that identifies a specific DKIM public key in DNS. When receiving servers verify DKIM, they use the selector from the email header to look up the correct key at selector._domainkey.domain.com.

How do I find my DKIM selector?

Look in your ESP's domain authentication settings—they'll show the selector they use. Or check an email header for the 's=' field in the DKIM-Signature header. Common selectors: 'google' for Workspace, 's1' or 's2' for SendGrid.

Can I have multiple DKIM selectors?

Yes. Each selector points to a different key. Multiple ESPs use different selectors simultaneously. Key rotation involves creating a new selector before retiring the old one.

Should I use custom DKIM selectors?

Only if your ESP allows customization and you have a reason (like consistent naming across services). ESP-provided selectors work fine. The selector name doesn't affect security.

How do I rotate DKIM selectors?

Create a new selector with a new key, publish to DNS, update your ESP to use the new selector, wait for propagation, verify new signatures work, then optionally remove the old selector after all signed mail has been delivered.
