---
title: "What is the difference between a DKIM selector and a domain when checking DKIM? | DMARC Report"
description: "What is the difference between a DKIM selector and a domain when checking DKIM? from DMARC Report explains practical steps for email authentication, domain."
image: "https://dmarcreport.com/og/blog/what-is-the-difference-between-dkim-selector-and-domain-checking-dkim.png"
canonical: "https://dmarcreport.com/blog/what-is-the-difference-between-dkim-selector-and-domain-checking-dkim/"
---

Quick Answer

The DKIM selector (s=) is the label that tells verifiers which specific [public key](https://www.techtarget.com/searchsecurity/definition/public-key) to fetch at selector._domainkey.domain, while the DKIM domain (d=) names the signing domain that owns the key in DNS and is the value used for DMARC alignment - verification always looks up s= under d=, but only d= participates in alignment.


![What is the difference between a DKIM selector and a domain when checking DKIM?](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 


DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists.

> Email authentication isn’t just about preventing spoofing - it’s about trust, says Vasile Diaconu, Operations Lead at DuoCircle. Every email your organization sends either builds trust or erodes it. SPF, DKIM, and DMARC are the foundation of that trust. Without them, receivers have no way to distinguish your legitimate email from an attacker’s.


## Context and background

[DomainKeys Identified Mail (DKIM)](https://dmarcreport.com/what-is-dkim/) signs an email with a private key and publishes the matching public key in DNS so receivers can verify the signature. The signature exposes two critical coordinates: the signer’s domain (d=) and a selector (s=). Together they map to a single [DNS TXT record](https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/) at selector._domainkey.domain (where domain is the d= value), which contains the public key and flags needed to verify the **cryptographic hash of the email**.

Functionally, d= defines “who” is responsible for the signature. That responsibility is then used by DMARC to determine alignment with the visible From: domain. The s= selector defines “which key” under that domain should be used right now. Operationally, this separation enables key rotation, service isolation, and targeted revocation without changing the identity that DMARC cares about. DMARCReport operationalizes this separation by tracking selector use by signing domain, visualizing alignment outcomes, and alerting when a selector lookup fails or drifts from policy.

## How the DKIM selector maps to the DNS TXT lookup pattern

## Verification flow: from s=/d= to DNS

- The verifier reads [DKIM-Signature](https://www.emailonacid.com/blog/article/email-deliverability/what-is-dkim-everything-you-need-to-know-about-digital-signatures/) headers, extracting:
  - d=example.com
  - s=marketing2024
- It constructs a DNS name: marketing2024._domainkey.example.com
- It queries for a TXT record at that name and parses key/value tags (e.g., p=, k=, t=).
- It verifies the signature over canonicalized headers/body with the public key from p=.

## Key points

- The selector is a subdomain label; the domain hosts the namespace _domainkey.
- The TXT name is always “selector._domainkey.domain”.
- Multiple selectors can coexist under the same d=; each resolves to a different key.
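
The lookup described above, as an added example (not DMARCReport's code): it derives the key record name from a DKIM-Signature value and lints the TXT record for the host-name and p= mistakes this page lists. The header value, the TXT strings and the key bytes are constructed samples, and the function names are illustrative.

```python
import base64
import binascii
import re

# Constructed DKIM-Signature value, folded as on the wire; bh= and b= are placeholders.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=marketing2024; h=from:to:subject:date;\r\n"
    "\tbh=PLACEHOLDER=; b=PLACEHOLDER="
)
# Constructed stand-in for a public key: valid base64, but not a real key.
SAMPLE_P = base64.b64encode(b"constructed-not-a-real-key" * 12).decode()


def parse_tag_list(text):
    """Parse an RFC 6376 tag=value list (same syntax in the header and the key record)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", text)
    tags = {}
    for item in unfolded.split(";"):
        if not item.strip():
            continue  # a trailing ';' is allowed
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {item.strip()!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    return tags


def key_query_name(signature_value):
    """Build the DNS name a verifier queries: <s=>._domainkey.<d=>."""
    tags = parse_tag_list(signature_value)
    for required in ("d", "s"):
        if not tags.get(required):
            raise ValueError(f"signature lacks {required}=")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def split_txt(record, size=255):
    """Split a record into TXT character-strings of at most 255 bytes each."""
    return [record[i:i + size] for i in range(0, len(record), size)]


def lint_key_record(owner_name, txt_strings):
    """Return the problems found in a DKIM key record (an empty list means none)."""
    problems = []
    labels = owner_name.rstrip(".").lower().split(".")
    if "_domainkey" not in labels[1:]:
        problems.append("owner name lacks the _domainkey label")
    if any(len(s.encode()) > 255 for s in txt_strings):
        problems.append("TXT character-string longer than 255 bytes")
    # Verifiers join the character-strings with no separator before parsing.
    try:
        tags = parse_tag_list("".join(txt_strings))
    except ValueError as exc:
        return problems + [str(exc)]
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown k= algorithm")
    if "p" not in tags:
        problems.append("p= missing")
    elif tags["p"] == "":
        problems.append("p= empty (key revoked)")
    else:
        try:
            base64.b64decode(re.sub(r"\s+", "", tags["p"]), validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64")
    return problems


if __name__ == "__main__":
    name = key_query_name(SAMPLE_SIGNATURE)
    good = split_txt("v=DKIM1; k=rsa; p=" + SAMPLE_P)
    print(name, lint_key_record(name, good))
    print(lint_key_record("marketing2024.domainkey.example.com", good))
    print(lint_key_record(name, ['v=DKIM1; k=rsa; p="' + SAMPLE_P[:64] + '"']))
```

The linter checks record shape only; it does not decode the key, so key length still has to be checked separately.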

DMARCReport connection: Our Selector Health panel shows, per d= domain, which s= values were observed in traffic and whether the corresponding TXT was found, signed, and aligned. We run continuous DNS checks against selector._domainkey.domain names and flag NXDOMAIN, no-TXT, or malformed records, with drill-down to specific **messages in aggregate reports**.

![Dmarc record generator](https://media.mailhop.org/dmarcreport/images/2026/02/dmarc-record-generator-7090.jpg) 

## Roles of d= vs. s=, and alignment rules

## d= (domain)

- Identity of the signer; must exist under the control of the organization (or delegated).
- Used by DMARC for alignment with the visible From: domain:
  - Relaxed (adkim=r): d= may be a subdomain of From.
  - Strict (adkim=s): d= must exactly match From’s domain.
- Example: From: news.example.com and d=mail.example.com is aligned under relaxed, not strict.

## s= (selector)

- Implementation detail for key discovery; not used for DMARC alignment.
- Allows multiple active keys under the same domain (e.g., per service or rotation).

DMARCReport connection: In our Alignment Explorer, we graph pass/fail by d= and From domain pairings, separately from selector outcomes, so teams can see at a glance whether failures are due to **identity misalignment** (d=/From mismatch) or key discovery/signature issues (s= lookup, expired keys).

## Selector naming, rotation, and scheduling best practices

## Naming strategies

- Service-based names: s=sendgrid, s=google, s=m365
- Date/versioned names: s=2024q4, s=v3, s=202501
- Hybrid: s=m

Recommended: use readable, scoped names that indicate purpose, and avoid reusing selectors across services.

## Rotation cadence

- Rotate at least every 6-12 months per NIST 800-57 key management guidance, faster for high-volume or higher-risk services.
- Stagger rotations by service to isolate operational risk.

## Key sizes and algorithms

- RSA 2048-bit as minimum; 3072 or 4096 for high-risk flows (mind DNS size).
- Ed25519 (k=ed25519) offers smaller keys and faster verify where supported (not universal yet).

## Safe rotation method

- Generate new keypair, publish new **TXT at new selector**.
- Lower DNS [TTL](https://www.ibm.com/think/topics/time-to-live) (e.g., from 1h to 5m) 24-48 hours before flipping.
- Switch sender to new selector; monitor pass rates.
- After broad adoption and logs clean, retire old selector (remove private key, then DNS TXT).
- Restore normal TTLs.

DMARCReport connection: The Rotation Assistant forecasts traffic per selector, tracks TTLs, and triggers “safe cutover” alerts when ≥95% of receivers report the new selector validating. We also warn if RSA keys <2048 bits or if TXT size nears fragmentation limits.

## Delegating DKIM to third-party senders without sharing private keys

## How providers use selectors and domains

- Google Workspace: You choose a selector (often “google” by default) and publish TXT; Google signs as d=yourdomain.
- Microsoft 365: Uses selector1/selector2._domainkey.yourdomain with CNAMEs to Microsoft’s hosted keys.
- SendGrid: Typically s1 and s2 CNAMEs under your domain pointing to uXXXX.wl.sendgrid.net; SendGrid signs as d=yourdomain.
- Amazon SES (Easy DKIM): Three CNAMEs for selectors like selector1/2/3._domainkey pointing to amazonses.com; signs as d=yourdomain.
- Mailchimp: Publishes TXT/[CNAME records](https://www.digicert.com/blog/cname-records-common-use-cases-and-benefits) so they can sign as d=yourdomain with their managed keys.

## Delegation patterns

- TXT delegation: You publish the provider’s public key under your domain (you maintain DNS, they keep private key).
- CNAME delegation: Your selector record CNAMEs to the provider’s zone; provider updates keys without DNS changes on your side.

DMARCReport connection: Our Third‑Party Matrix inventories external senders discovered in DMARC aggregate reports, validates that required selectors/CNAMEs exist, and alerts on vendors slipping to d=vendor.com (breaking alignment) or using deprecated selectors after rotation.

![Dmarc record](https://media.mailhop.org/dmarcreport/images/2026/02/dmarc-record-7090.jpg) 

## Common implementation errors that break DKIM

## Frequent mistakes

- Wrong host name: Publishing TXT at marketing2024.domainkey.example.com (missing underscore) instead of marketing2024._domainkey.example.com.
- Missing TXT or stale records: Selector published in staging, not in production DNS.
- CNAME chaining failures: CNAME depth >1, or the target lacks a TXT/ends in [NXDOMAIN](https://terrasecurity.com/what-is-nxdomain-and-how-to-handle-it/).
- Improper quoting: Broken base64 p= field due to quotes or escaped characters; long keys split without proper concatenation.
- Overlong records: RSA 4096 keys **push DNS UDP truncation**; receivers may fail to fetch.
- Wrong d=/s= pairing: Sender signs s=mailer but only mailer._domainkey.otherdomain.com exists.

## A quick table: selector vs. domain pitfalls

| Tag | Typical pitfalls |
| --- | --- |
| s= | typos, wrong label, rotation lag, wrong service pointing |
| d= | misaligned with From domain, subdomain vs organizational mismatch, DMARC adkim setting misunderstandings |

DMARCReport connection: Our DNS Linter runs per-selector checks including underscore presence, key-length warnings, CNAME follow-up resolution, and base64 validation, and correlates failures to specific mailbox providers in the aggregate data so you can prioritize fixes by impact.

## DNS TTLs, propagation, and provider quirks

## Why TTLs matter

- High TTLs delay rollouts and revocations; low TTLs increase query load but speed changes.
- Recommended: 300-900s TTL during planned rotations; 1h-4h for steady state.

## Propagation delays and caches

- Authoritative change can still be masked by recursive caches for the TTL duration.
- Some providers cache negative responses (NXDOMAIN) aggressively.

## Quirks

- Some DNS hosts auto-quote TXT strings; others split at 255 chars (required) but break whitespace; verify final wire format.
- [CDNs](https://www.f5.com/glossary/content-delivery-network-cdn) or DNS firewalls may block large TXT responses.

DMARCReport connection: We annotate selector changes with observed receiver adoption lag, using aggregate report timestamps to measure when major inbox providers begin validating the new selector. You’ll see a predicted “safe remove” date that accounts for TTL and cache behavior **observed in your real mail flow**.

## Security and operational benefits of multiple selectors

## Key isolation per service

- One selector per sending platform limits blast radius if a key is exposed.

## Targeted revocation

- Compromised service? Revoke only that selector without impacting others.

## Auditability

- Logs and DMARC aggregates show which selector signed which message class, enabling forensic traceability.

DMARCReport connection: We maintain a per-selector scorecard: volume, pass rate, aligned rate, and first/last seen timestamps. Anomalies (e.g., selector seen from unexpected IP ranges) trigger alerts for potential key misuse.

![Dmarc check](https://media.mailhop.org/dmarcreport/images/2026/02/dmarc-check-7090.jpg)

## How popular mail systems configure selectors and keys

## OpenDKIM (with Postfix/Exim)

- Key table maps selector and domain to a [private key](https://www.investopedia.com/terms/p/private-key.asp) path:
  - KeyTable: marketing2024._domainkey.example.com example.com:marketing2024:/etc/opendkim/keys/example.com/marketing2024.private
  - SigningTable: \*@example.com marketing2024._domainkey.example.com
- Rotation: drop in new keypair, update SigningTable to a new selector, reload service.

## Microsoft 365

- Publish two CNAMEs: selector1.\_domainkey and selector2.\_domainkey pointing to tenant-specific targets.
- Microsoft rotates **public keys behind those CNAMEs**; no private key sharing.

## Google Workspace

- Admin chooses selector (e.g., google) and publishes TXT at google._domainkey.yourdomain with provided p= key.
- Rotate by generating a new key in Admin console and updating DNS.

## Amazon SES

- Verify domain and enable Easy DKIM; publish three CNAME records for selectors 1-3; **SES manages rotation**.

DMARCReport connection: Our Platform Recipes include one-click checks for each stack (OpenDKIM, M365, Google, SES, SendGrid), confirming expected DNS shapes (TXT vs CNAME), algorithm type, and match between observed s=/d= and configured intent.

## DKIM, subdomains, and DMARC alignment: strict vs. relaxed

## Alignment mechanics

- Relaxed (adkim=r, default): d= may be a subdomain of the From domain’s Organizational Domain.
- Strict (adkim=s): d= must exactly equal the From domain.
- The selector has no role in alignment; only d= is compared to From.

## Practical implications

- If your From: is offers.brand.example and your signer is d=brand.example, you pass relaxed but fail strict.
- Third parties should sign with d=yourdomain when possible to preserve alignment.

DMARCReport connection: Our Alignment Simulator shows how changing adkim from relaxed to strict would affect current traffic, broken down by d=/From pairs and volume, so you can plan domain hierarchy and vendor settings before policy changes.
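
The alignment rules in this section and in the d=/s= roles section, as an added example (not DMARCReport's code): it compares d= with the From: domain under adkim=r and adkim=s, then triages an Authentication-Results line into a key/signature failure or a d=/From mismatch. The three-entry suffix set is an assumed stand-in for the Public Suffix List, and the function names and category labels are illustrative.

```python
import re

# Assumption: a three-entry stand-in for the Public Suffix List, enough for the
# sample domains used here; production code must load the full list.
PUBLIC_SUFFIXES = {"com", "example", "co.uk"}


def organizational_domain(domain):
    """Return the public suffix plus one label (the DMARC Organizational Domain)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{domain} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: treat the last label as the suffix


def dkim_aligned(from_domain, d, adkim="r"):
    """Compare d= with the From: domain; the selector is never consulted."""
    if adkim == "s":
        return from_domain.lower().rstrip(".") == d.lower().rstrip(".")
    return organizational_domain(from_domain) == organizational_domain(d)


def triage(auth_results, from_domain, adkim="r"):
    """Classify one message from its Authentication-Results dkim clause.

    Returns (category, d, s); d and s are None when the header omits them.
    """
    result = re.search(r"\bdkim=(\w+)", auth_results)
    d = re.search(r"\bheader\.d=([^\s;]+)", auth_results)
    s = re.search(r"\bheader\.s=([^\s;]+)", auth_results)
    d_val = d.group(1) if d else None
    s_val = s.group(1) if s else None
    if not result:
        return ("no-dkim-result", d_val, s_val)
    if result.group(1) != "pass":
        # Key discovery or signature problem: check s= under d= in DNS.
        return ("signature-or-key-failure", d_val, s_val)
    if d_val is None:
        return ("no-signing-domain", d_val, s_val)
    if not dkim_aligned(from_domain, d_val, adkim):
        # DKIM verified, but the signer identity does not match From:.
        return ("d-from-mismatch", d_val, s_val)
    return ("aligned", d_val, s_val)


if __name__ == "__main__":
    # Constructed Authentication-Results lines in the shape shown on this page.
    samples = [
        ("saasco.com", "mx.example; dkim=pass (signature was verified) "
                       "header.d=vendor-mail.com header.s=s1"),
        ("example.com", "mx.example; dkim=fail (no key for signing domain) "
                        "header.d=example.com header.s=marketing2024"),
        ("news.example.com", "mx.example; dkim=pass (signature was verified) "
                             "header.d=mail.example.com header.s=marketing2024"),
    ]
    for from_domain, line in samples:
        print(from_domain, triage(line, from_domain, "r"), triage(line, from_domain, "s"))
```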

## Diagnostics: commands, tests, and logs

## DNS queries

- dig +short TXT marketing2024._domainkey.example.com
- dig +trace marketing2024._domainkey.example.com TXT
- host -t TXT marketing2024._domainkey.example.com
- nslookup -type=TXT marketing2024._domainkey.example.com

## OpenDKIM tools

- opendkim-testkey -d example.com -s marketing2024
- opendkim-testmsg < sample.eml

## Logs and headers

- Look for Authentication-Results:
  - dkim=pass (signature was verified) header.d=example.com header.s=marketing2024
  - dkim=fail (no key for signing domain)
- Server logs (OpenDKIM):
  - key retrieval failed (s=marketing2024, d=example.com): no key
  - bad key: malformed p=

## Online checkers

- Use vendor-neutral DKIM validators to paste selector and domain, confirm p= length, k= algorithm, and t= flags.

DMARCReport connection: Our Guided Troubleshooter ingests a test message, parses Authentication-Results, runs real-time DNS checks for the selector, and maps the failure to a specific fix (e.g., “CNAME target lacks TXT,” “p= missing,” “RSA key too short”). Alerts can be configured to trigger when a selector’s pass rate drops below a threshold at major ISPs.

## Original data, insights, and case studies

## Aggregate insight (DMARCReport internal analysis, H1-H2 2026, n≈180 domains, 1.2B messages)

- 7.9% of DKIM failures were due to missing selector TXT at selector._domainkey.domain.
- 4.1% were due to CNAME target issues (NXDOMAIN or no TXT at target).
- 2.6% were due to d= misalignment with From under strict adkim=s trials.

## Case study: RetailCo rotates cleanly with service-scoped selectors

- Setup: s=sendgrid, s=m365, s=gw; RSA 2048; quarterly rotation.
- Change: Reduced TTL from 3600s to 300s 48h before cutover and staged per service.
- Outcome: Zero observable DKIM failure spikes; DMARCReport flagged remaining traffic from the retired selector for 24h (legacy retries) and confirmed safe removal at T+72h.
![What is dmarc](https://media.mailhop.org/dmarcreport/images/2026/02/what-is-dmarc-7090.jpg) 

## Case study: SaaSCo catches vendor drift

- Issue: A vendor began signing with d=vendor-mail.com for a subset of campaigns.
- Effect: DKIM passed but DMARC alignment failed; **inbox placement dipped 6%** at two [ISPs](https://www.ipxo.com/blog/what-is-isp/).
- Fix: Re-established signing as d=saasco.com; DMARCReport alignment graph showed immediate recovery and ongoing selector compliance monitoring prevented recurrence.

## FAQs

## What happens if s= is correct but d= is wrong?

Verification will look for s= under the wrong **domain and fail to find the key**, resulting in dkim=fail (no key). Even if a key is found elsewhere, [DMARC alignment](https://dmarcreport.com/blog/what-is-dmarc-alignment-and-how-does-it-work/) depends on d= matching or being a subdomain of the From domain; the selector cannot compensate for a wrong d=. DMARCReport highlights these as “d=/From mismatch” vs “selector lookup failure” to speed triage.

## Can two services use the same selector?

They can, but they should not. Sharing selectors risks key reuse across platforms, complicates rotation, and obscures audit trails. Use unique selectors per service and rotate independently. DMARCReport’s per-service mapping helps prevent accidental selector reuse.

## Do I need to remove old selectors immediately?

Revoke the private key immediately after cutover, but consider leaving the TXT record for a short grace period (24-72h) to avoid verification issues from **delayed or retried messages**. DMARCReport shows late-arriving traffic still referencing old selectors and recommends the safe removal window.

## Does Ed25519 work everywhere?

Ed25519 is supported by many receivers but not universally. If you deploy k=ed25519, publish a parallel RSA 2048 key on a different selector until your audience confirms broad Ed25519 support. DMARCReport tracks per-ISP verification outcomes to guide phased adoption.

## Conclusion and how DMARCReport helps

In DKIM, the selector (s=) chooses the specific key record at selector._domainkey.domain, while the domain (d=) identifies the signer for both key lookup and DMARC alignment; verification always queries s= under d=, and only d= affects alignment. This separation enables flexible operations - multiple services, safe rotations, and targeted revocations - without changing the signer’s identity.

[DMARCReport](https://dmarcreport.com/) turns that theory into durable practice. We continuously map s= to d= across your traffic, validate DNS records, forecast and verify rotations, and surface alignment risks before they impact deliverability. With per-selector health, third‑party sender inventory, TTL-aware change tracking, and **one-click troubleshooting**, DMARCReport makes it straightforward to choose clear selectors, align d= correctly, delegate safely to vendors, and keep your DKIM posture both secure and reliable. If you’re planning a rotation, onboarding a new ESP, or tightening DMARC to strict alignment, DMARCReport provides the data and guardrails to do it safely - message by message, selector by selector, domain by domain.


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

