How to find a DKIM selector for your domain?

DKIM is the authentication protocol that survives email forwarding, says Brad Slavin, General Manager of DuoCircle. When SPF fails because a forwarder’s IP isn’t in the original record, DKIM alignment is the only path to DMARC pass. That’s why we monitor DKIM alongside SPF in every DMARC Report dashboard.

DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists. DMARC Report

How to find a DKIM selector for your domain?

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-19762">
						<source src="https://media.mailhop.org/dmarcreport/images/2025/01/How-to-find-a-DKIM-selector-for-your-domain.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H1M59S">1:59</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-19762" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-19762" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-19762" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-19762" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/how-to-find-a-dkim-selector-for-your-domain/&t=How to find a DKIM selector for your domain?" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/how-to-find-a-dkim-selector-for-your-domain/&url=How to find a DKIM selector for your domain?" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="https://media.mailhop.org/dmarcreport/images/2025/01/How-to-find-a-DKIM-selector-for-your-domain.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/how-to-find-a-dkim-selector-for-your-domain/" class="input-link input-link-19762" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-19762" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

						<input type="text" value='<blockquote class="wp-embedded-content" data-secret="x5uOL0hffD"><a href="https://dmarcreport.com/blog/podcast/how-to-find-a-dkim-selector-for-your-domain/">How to find a DKIM selector for your domain?</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://dmarcreport.com/blog/podcast/how-to-find-a-dkim-selector-for-your-domain/embed/#?secret=x5uOL0hffD" width="500" height="350" title=""How to find a DKIM selector for your domain?" - DMARC Report" data-secret="x5uOL0hffD" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script>

/*! This file is auto-generated / !function(d,l){“use strict”;l.querySelector&&d.addEventListener&&“undefined”!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll(‘iframe[data-secret=”‘+t.secret+’”]’),o=l.querySelectorAll(‘blockquote[data-secret=”‘+t.secret+’”]’),c=new RegExp(“^https?:$”,“i”),i=0;i<o.length;i++)o[i].style.display=“none”;for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(“style”),“height”===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):“link”===t.message&&(r=new URL(s.getAttribute(“src”)),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(“message”,d.wp.receiveEmbedMessage,!1),l.addEventListener(“DOMContentLoaded”,function(){for(var e,t,s=l.querySelectorAll(“iframe.wp-embedded-content”),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(“data-secret”))||(t=Math.random().toString(36).substring(2,12),e.src+=”#?secret=“+t,e.setAttribute(“data-secret”,t)),e.contentWindow.postMessage({message:“ready”,secret:t},"")},!1)))}(window,document); //# sourceURL=https://dmarcreport.com/wp-includes/js/wp-embed.min.js ’ title=“Embed Code” class=“input-embed input-embed-19762” readonly/>

					<button class="copy-embed copy-embed-19762" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

A DKIM selector is a keyword, an ID, or a string that makes a DKIM key unique. It’s generated by appending the selector to your sending domain. Let’s say your domain is company.com, and your selector is mail1; you create a DKIM key by appending it to a .domainkey.

Here’s what it would look like- **mail1.domainkey.company.com Let’s see how you can find your DKIM selector.

2 ways to find your DKIM selector

If you are struggling to find a DKIM selector for your domain, then here are two ways to do it-

1. Finding the DKIM selector using a test mail

By sending a test email to your inbox, you can confirm if your messages are DKIM-signed. This will also help you locate your DKIM selector. Here are the steps for Outlook as the inbox . These remain pretty much the same for other mailboxes, too.

• Send a test email to your email address.

• Open the received email in Outlook.

• From the message details icon (ellipsis), go to ‘View’ and select ‘View Message Details’ from the drop-down menu.

• Once the email headers are visible, scroll down to locate the ‘DKIM-Signature’ section. Alternatively, press ‘Ctrl + F’ and search for ‘DKIM-Signature.’

• In the second line of the ‘DKIM-Signature,’ find the tag ‘s=,’ which represents the associated selector. In this example, the DKIM selector is ‘s=k1.’

  

2. Finding the DKIM selector through the email service provider

If you use a third-party provider to send emails, your messages are typically DKIM-signed by default. To confirm your emails are DKIM signed and identify the associated DKIM selector, follow these steps. For this example, we used Mailgun:

• Log in to your Mailgun account.

• Navigate to the ‘Sending’ drop-down menu.

• Select the ‘Domain Settings’ tab.

• Go to the ‘DNS Records’ category (it defaults to the Overview tab).

• Locate your DKIM key in the ‘DKIM’ section.

DKIM selector best practices

Configuring the DKIM selector requires mindfulness and technical expertise . Considering these **best practices will help-

1. Configure unique selectors

Avoid using easily guessable and short selectors, as threat actors can predict them. Don’t use generic names like ‘default,’ ‘selector1,’ or ‘mail.’ Instead, use a combination of alphanumeric characters and random strings. For example, use ‘s=dkim2025xyz1’ rather than ‘s=default.’

2. Use longer keys

Choose DKIM keys that are at least 1024 bits long. 2048 and 4096 bits are better, as they offer **stronger security against brute force and similar attacks. A longer key increases the time and computational power required for attackers to break it.

3. Rotate your DKIM keys and selectors regularly

Periodically rotate your DKIM keys and selectors to reduce the risk of their compromise. Updating your selectors ensures that even if an older key is exposed, it will no longer pose a threat. Also, clearly document your selector naming practices to streamline the process of rotating and managing DKIM keys and selectors. This will also help you **prevent configuration issues and confusion among team members.

Final words

It isn’t easy to manage email authentication protocols, but if you consistently follow best practices and document your changes, you’ll be good to go. For DKIM, it’s important to use **unguessable selectors and rotate them periodically. Contact us or DMARCReport for expert consultation.