What is a DKIM selector?

A DKIM selector is the short name that points a receiver to the right public key. When your mail server signs a message, it adds a DKIM-Signature header containing a domain tag (d=) and a selector tag (s=). The receiver combines them — s=<selector> plus d=<domain> — into the DNS location <selector>._domainkey.<domain> and fetches the public key from there. The selector is simply the first label in that path.

Why selectors exist

Without selectors, a domain could only ever have one DKIM key, published at a single fixed location. That breaks down the moment you send from more than one place. Picture a domain with four mail flows: Google Workspace for staff mail, SendGrid for transactional, Mailchimp for newsletters, and Zendesk for support. Each service signs with its own private key and needs its own public key in DNS. Selectors namespace those keys so they never conflict — google._domainkey, s1._domainkey, mailchimp._domainkey, zendesk1._domainkey each hold a different key. Each signer references its own selector in the messages it sends; the receiver only ever looks up the selector named in the signature on that specific message. No service can step on another service's key, and each can rotate independently.

Why providers use predictable selectors

Most email platforms pick a fixed selector convention so their setup instructions are consistent across customers. Common ones:

• Google Workspace — google
• Microsoft 365 — selector1 and selector2 (published as CNAMEs)
• Amazon SES — three random-looking selector CNAMEs
• Mailchimp — k1
• Postmark — pm
• Hand-built / self-hosted — default, dkim, mail, or a date like dk2026

There is no technical rule about the name — any valid DNS label works. Short names are slightly preferable because the selector travels in the header of every message you send.

How to find which selector you use

Because there is no fixed location to query, you discover selectors rather than guess blindly:

1. Read a signed message. Open the raw headers of any email from your domain and find the s= tag in the DKIM-Signature line — that is your live selector.
2. Check your provider's dashboard. Every ESP shows the selector in its DKIM setup section.
3. Use a checker. The IntoDNS.ai DKIM checker probes a curated list of common selectors and reports which are active, or you can enter your exact selector for a direct lookup.

Selectors and key rotation

Selectors are what make safe key rotation possible. Because a domain can hold several keys at once, you never have a gap where mail is unsigned:

1. Generate a new key pair under a fresh selector (e.g. dk2026q3) — the DKIM generator creates one in your browser.
2. Publish the new selector's public key alongside the existing one.
3. Switch your signer over to the new selector.
4. After a grace period (a week is conservative), revoke the old key by deleting the record or setting p= empty.

Best practice in 2026 is to rotate every 6 to 12 months. Avoid two TXT records at the same selector name — resolvers pick one at random, which breaks verification intermittently. To go deeper on rotation cadence and key length, read the DKIM guide.