How to find a DKIM selector for your domain?
A DKIM selector is a keyword, an ID, or a string that makes a DKIM key unique. The DNS name under which the key is published is formed by joining the selector, the label _domainkey, and your sending domain. Let’s say your domain is company.com, and your selector is mail1; the DKIM key record is then published under mail1, followed by ._domainkey, followed by the domain.
Here’s what it would look like: mail1._domainkey.company.com
Let’s see how you can find your DKIM selector.
2 ways to find your DKIM selector
If you are struggling to find a DKIM selector for your domain, here are two ways to do it:
1. Finding the DKIM selector using a test mail
By sending a test email to your inbox, you can confirm if your messages are DKIM-signed. This will also help you locate your DKIM selector. Here are the steps for Outlook as the inbox. These remain pretty much the same for other mailboxes, too.
- Send a test email to your email address.
- Open the received email in Outlook.
- From the message details icon (ellipsis), go to ‘View’ and select ‘View Message Details’ from the drop-down menu.
- Once the email headers are visible, scroll down to locate the ‘DKIM-Signature’ section. Alternatively, press ‘Ctrl + F’ and search for ‘DKIM-Signature.’
- In the second line of the ‘DKIM-Signature,’ find the tag ‘s=,’ which represents the associated selector. In this example, the DKIM selector is ‘s=k1.’
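The same lookup can be scripted once the raw headers are saved to a file or pasted into a string. The following is an added example, not part of the original article: it reads every DKIM-Signature header (a message can carry more than one), unfolds the wrapped lines, and returns the selector (s=), the signing domain (d=), and the DNS name where the key is published. The sample headers are constructed, and esp.example is a placeholder domain.

```python
import email
import re

# Constructed sample headers (not from the original page). "esp.example" and the
# bh=/b= values are placeholders; k1, mail1 and company.com echo the article.
SAMPLE = (
    "Received: from out.esp.example by mx.company.com; Mon, 6 Jan 2025 10:00:00 +0000\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=company.com;\n"
    "\ts=k1; h=from:to:subject:date;\n"
    "\tbh=PLACEHOLDERBODYHASH=;\n"
    "\tb=PLACEHOLDER\n"
    "\t SIGNATURE==\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=mail1;\n"
    " h=from:to; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "From: sender@company.com\n"
    "To: me@company.com\n"
    "Subject: DKIM test\n"
    "\n"
    "test body\n"
)


def parse_tags(value):
    """Split a DKIM-Signature header value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # split on the first "=" only
        if sep:
            # Folding leaves line breaks and tabs inside values; drop them.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def find_selectors(raw_message):
    """Return (selector, domain, dns_name) for each DKIM-Signature header."""
    msg = email.message_from_string(raw_message)
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        if "s" in tags and "d" in tags:
            found.append((tags["s"], tags["d"], f'{tags["s"]}._domainkey.{tags["d"]}'))
    return found


if __name__ == "__main__":
    for selector, domain, dns_name in find_selectors(SAMPLE):
        print(f"selector={selector} domain={domain} key record={dns_name}")
```

The third value in each result is the name to query as a TXT record when you want to see the published public key for that selector.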
2. Finding the DKIM selector through the email service provider
If you use a third-party provider to send emails, your messages are typically DKIM-signed by default. To confirm your emails are DKIM signed and identify the associated DKIM selector, follow these steps. For this example, we used Mailgun:
- Log in to your Mailgun account.
- Navigate to the ‘Sending’ drop-down menu.
- Select the ‘Domain Settings’ tab.
- Go to the ‘DNS Records’ category (it defaults to the Overview tab).
- Locate your DKIM key in the ‘DKIM’ section.
DKIM selector best practices
Configuring the DKIM selector requires care and technical expertise. These best practices will help:
1. Configure unique selectors
Avoid using easily guessable and short selectors, as threat actors can predict them. Don’t use generic names like ‘default,’ ‘selector1,’ or ‘mail.’ Instead, use a combination of alphanumeric characters and random strings. For example, use ‘s=dkim2025xyz1’ rather than ‘s=default.’
2. Use longer keys
Choose DKIM keys that are at least 1024 bits long. 2048 and 4096 bits are better, as they offer stronger security against brute force and similar attacks. A longer key increases the time and computational power required for attackers to break it.
3. Rotate your DKIM keys and selectors regularly
Periodically rotate your DKIM keys and selectors to reduce the risk of their compromise. Updating your selectors ensures that even if an older key is exposed, it will no longer pose a threat. Also, clearly document your selector naming practices to streamline the process of rotating and managing DKIM keys and selectors. This will also help you prevent configuration issues and confusion among team members.
Final words
It isn’t easy to manage email authentication protocols, but if you consistently follow best practices and document your changes, you’ll be good to go. For DKIM, it’s important to use unguessable selectors and rotate them periodically. Contact us or DMARCReport for expert consultation.