DKIM glossary

What is a DKIM selector and how do you find it?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

A DKIM selector is the label that tells a receiving server which public key to use to verify a message. It's the s= value in the DKIM-Signature header, and it points to a DNS record at <selector>._domainkey.<domain>. To find yours, open a sent message's raw headers and read the s= tag.

selector at a glance
Tags (selector)
Valid valuesAny DNS-label string the sender chooses, e.g. google, selector1, s1, k1
DefaultNo default — every signature carries a selector, and each key needs its own.
Where it goesThe s= tag inside the DKIM-Signature header; also the leftmost label of the DNS key name.

How selector works

A domain can publish many DKIM keys at once, so a receiver needs to know which one signed the message in front of it. The selector is that pointer. The s= tag in the DKIM-Signature header names it, and the receiver fetches the matching public key from DNS at <selector>._domainkey.<yourdomain>.

To find your own selector, open a message you've sent and view its raw headers — in Gmail, use the three-dot menu and choose Show original. Read the s= value in the DKIM-Signature line. Selector names vary by sender: Google Workspace often signs with google, and Microsoft 365 commonly uses selector1 and selector2. Labels like s1 or k1 are common at various ESPs, so the header is the only authoritative source.

Selectors are what make key rotation painless. Publish a new key under a new selector, switch signing to it, then retire the old one — with no window where mail goes out unsigned. That's why a single domain routinely has several selectors live at the same time.

Correct record vs common mistake

Correct

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; ...

The s= selector resolves to a real key at selector1._domainkey.example.com, so the receiver can fetch the public key and verify the signature.

Common mistake

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=oldkey; ...

Signing with a selector whose DNS record was deleted. The receiver looks up oldkey._domainkey.example.com, finds nothing, and DKIM fails.

Troubleshooting selector

IssueLikely causeFix
DKIM fails with 'no key for signature'The selector in the header has no matching TXT record in DNSPublish the key at <selector>._domainkey.<domain>, or point the sender at a selector that already exists
Can't tell which selector to publishVendor docs are vague and the header hasn't been checkedSend a test message to yourself, read the s= tag in the raw headers, and create exactly that selector
Key rotation broke signingSigning switched to the new selector before its DNS record propagatedPublish and propagate the new selector's key first, then move signing over, then retire the old selector

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Every client sender — Microsoft 365, Google, the CRM, the invoicing tool — signs under its own selector, so one tenant can easily have a dozen. Miss one while auditing and a legitimate stream fails DKIM quietly. Track selectors per sender, per client, not just per domain, or alignment gaps hide in plain sight.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Palisade discovers which selectors each client domain is actually signing with, straight from the DMARC reports rather than guesswork, so every legitimate sender stays aligned as it walks the domain from p=none to reject.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

Open a message you sent and view its raw headers — in Gmail, click the three-dot menu and choose Show original. Find the DKIM-Signature line and read the s= value. That string is your selector.

It's a short, DNS-safe label such as google, selector1, s1, or k1. There is no fixed format — each sender picks its own — so the value in your DKIM-Signature header is the only one that matters.

Yes, and most domains do. Each sending service and each key gets its own selector, which is exactly how you rotate keys or add a new sender without breaking existing signatures.

As a TXT record at <selector>._domainkey.<yourdomain>, holding the public key. The selector is the leftmost label, followed by the fixed _domainkey label and your domain.

No. The selector and the public key it points to are meant to be public — receivers must fetch them to verify. Only the private signing key is kept secret.

Related terms

What is DKIM? DomainKeys Identified Mail explained