How should DKIM selector names be interpreted and what is the recommended DKIM key size?
Michael Ko
Co-founder & CEO, Suped
Published 17 May 2025
Updated 19 Aug 2025
8 min read
Email authentication protocols like DKIM (DomainKeys Identified Mail) are foundational for good email deliverability and preventing spoofing. If you're sending emails, understanding how DKIM works is not just good practice, it's essential for ensuring your messages reach the inbox and maintain your brand's reputation. Two key components often lead to questions: DKIM selector names and the recommended key size. Let's explore what these mean and how to interpret them effectively.
A DKIM selector is a specific string of characters included in the DKIM signature within an email header. Its purpose is to help the receiving mail server locate the correct public key in your DNS records. Think of it as a pointer to the right key when your domain has multiple keys published, which is a common scenario for organizations using various sending services or for managing key rotation.
When an email is sent, the sending mail server digitally signs it using a private key. The corresponding public key is published in your domain's DNS as a TXT record. The selector is what tells the recipient's server exactly where to look for that public key. For example, if your selector is default, the public key would be found at default._domainkey.yourdomain.com.
The flexibility of DKIM selectors allows domains to use different keys for different purposes. This can be particularly useful for separating email streams, such as marketing emails from transactional ones, or when using multiple third-party email service providers (ESPs). Each provider might require its own unique selector and DKIM key.
Interpreting DKIM selector names
There's no mandated format for DKIM selector names, allowing domain owners and ESPs to choose what works best for them. This means you'll see a variety of naming conventions in the wild. Some common approaches include using dates, service names, or simple sequential numbers. For instance, a selector like 20231015 often indicates the date the key was generated or rotated. A selector like mailgun might signify the key is used for emails sent through that specific ESP.
While you might be tempted to read into the meaning of a selector, it's best to avoid over-interpreting. For example, seeing a selector with a year like 201802 could suggest a key hasn't been rotated since 2018, but it could also just be a project code or an arbitrary identifier. The primary function of the selector is identification, not conveying specific metadata. However, adopting a structured naming scheme, like including the date or key strength, can greatly assist in internal management and auditing. You can find more practical examples in our guide to DKIM selector names.
Example DKIM DNS TXT record with selector
default._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCd+..."
While selectors can technically be anything, sensible naming conventions can make your life easier. Short, descriptive selectors are generally preferred. For comprehensive information, the RFC 4871 DKIM base specification outlines the technical requirements for DKIM records, including selectors.
Best practice: clear selector naming
Adopt a consistent naming convention for your DKIM selectors. This could include the year of generation, the service sending the email (e.g., transactional, marketing), or a sequential identifier. Clear naming streamlines management and helps with key rotation. For example, 2024_main or marketing_prod are more helpful than arbitrary strings.
The significance of DKIM key size
Beyond the selector, the DKIM key size refers to the length of the RSA key used for signing and verification, measured in bits. This size is a direct indicator of the cryptographic strength of your DKIM setup. The larger the key size, the more computationally intensive it is for an attacker to recover the private key and forge a signature.
The security of your DKIM key directly impacts your domain's trustworthiness. A weak key can be compromised, allowing malicious actors to send emails that appear legitimate from your domain. This can lead to phishing attacks, brand damage, and a decline in your email deliverability as mailbox providers (like Google and Yahoo) detect fraudulent activity.
While larger keys offer more security, they also result in longer DNS TXT records. This can sometimes lead to issues, particularly with DNS providers that have strict character limits for TXT records. Additionally, signing and verifying with larger keys requires slightly more computational resources, though for most modern systems, this impact is negligible. It's a balance between robust security and practical implementation.
Understanding the cryptographic strength of your DKIM keys is as important as having them configured correctly. A DKIM record might validate successfully, but if its underlying key is weak, your email security is still at risk. This is why keeping up with current recommendations is vital. You can learn more about defending your DKIM key size and what ESPs support.
Recommended DKIM key sizes
For many years, 1024-bit RSA keys were the standard for DKIM. However, as computational power increased and cryptographic best practices evolved, the industry moved towards stronger keys. While 1024-bit keys are still technically supported by some systems, they are generally considered less secure and are not the recommended standard for new implementations.
The widely recommended and accepted DKIM key size today is 2048-bit RSA. This size provides a significantly higher level of security, making it much more resilient against modern cryptographic attacks. Mailbox providers, including major ones, generally accept and prefer 2048-bit keys, and many ESPs now generate them by default. You can delve into the pros and cons of 1024-bit versus 2048-bit keys.
1024-bit keys
Security: Considered less secure against advanced cryptographic attacks today.
Performance: Faster to generate and verify due to shorter length.
2048-bit keys
Security: Offers robust cryptographic strength, considered the current industry standard.
Compatibility: Widely accepted by most major mailbox providers and ESPs.
Performance: Slightly more demanding but negligible for modern systems.
While 4096-bit keys exist and provide even greater theoretical security, they are not yet a widespread standard. Some email service providers might not fully support them, and the added security benefit might not outweigh potential compatibility issues or increased DNS record length for many senders. RFC 8301, which updates cryptographic algorithm and key usage for DKIM, emphasizes the move to stronger keys.
When deciding on key size, always prioritize 2048-bit for new implementations or when upgrading existing ones. This aligns with current industry best practices and ensures your emails are authenticated with sufficient cryptographic strength.
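The two checks this article cares about, resolving a selector to its DNS name and reading the RSA key size out of a published record, can both be done from the record text alone. The following is an added example, not code from the article or from Suped: it builds a DKIM TXT record for a public key, parses the p= tag back into DER, reports the modulus size in bits, and grades it against the 1024/2048-bit thresholds discussed above. The sample moduli are constructed odd numbers of the right length, not real RSA keys, and the function names are my own.

```python
"""Parse a DKIM DNS TXT record and report the RSA key size it publishes."""
import base64

# --- minimal DER helpers (enough for an RSA SubjectPublicKeyInfo) ---------

def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der_tlv(0x02, body)

def _der_read(buf: bytes, pos: int):
    """Return (tag, contents, next_pos) for the element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL params)
_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def rsa_spki_der(modulus: int, exponent: int = 65537) -> bytes:
    """Build the SubjectPublicKeyInfo DER that goes into the p= tag."""
    rsa_pub = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    return _der_tlv(0x30, _RSA_ALG_ID + _der_tlv(0x03, b"\x00" + rsa_pub))

# --- DKIM side -------------------------------------------------------------

def dkim_dns_name(selector: str, domain: str) -> str:
    """Where a verifier looks for the key named by the selector (RFC 6376)."""
    return f"{selector}._domainkey.{domain}"

def build_dkim_record(modulus: int, exponent: int = 65537) -> str:
    """Compose the TXT record value for an RSA public key."""
    p = base64.b64encode(rsa_spki_der(modulus, exponent)).decode("ascii")
    return f"v=DKIM1; k=rsa; p={p}"

def parse_dkim_tags(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; whitespace inside values is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            tags[name.strip()] = "".join(value.split())
    return tags

def dkim_key_bits(txt: str) -> int:
    """Return the RSA modulus size in bits; 0 means the key is revoked (empty p=)."""
    tags = parse_dkim_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 record")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError(f"unsupported key type {tags['k']!r}")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    if tags["p"] == "":
        return 0  # RFC 6376: an empty p= means the key has been revoked
    der = base64.b64decode(tags["p"], validate=True)
    _, spki, _ = _der_read(der, 0)             # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_read(spki, 0)             # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _der_read(spki, pos)        # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = _der_read(bitstr[1:], 0)   # drop unused-bits byte, read SEQUENCE
    _, mod, _ = _der_read(rsa_pub, 0)          # first INTEGER is the modulus
    return int.from_bytes(mod, "big").bit_length()

def assess_key_size(bits: int) -> str:
    """Grade a key size against RFC 8301 and the 2048-bit recommendation."""
    if bits == 0:
        return "revoked"
    if bits < 1024:
        return "reject"   # RFC 8301: verifiers must not accept keys under 1024 bits
    if bits < 2048:
        return "weak"     # still verifiable, but below the recommended 2048 bits
    return "ok"

# Constructed sample keys: odd numbers of the right bit length, NOT real RSA moduli.
SAMPLE_2048 = build_dkim_record((1 << 2047) | 1)
SAMPLE_1024 = build_dkim_record((1 << 1023) | 1)
REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for sel, rec in (("2024_main", SAMPLE_2048), ("201802", SAMPLE_1024), ("old", REVOKED)):
        bits = dkim_key_bits(rec)
        print(f"{dkim_dns_name(sel, 'example.com')}: {bits} bits -> {assess_key_size(bits)}")
```

To audit a live domain, fetch the TXT record at the name returned by dkim_dns_name with your resolver of choice, join its character-strings (a 2048-bit p= value exceeds the 255-octet limit of a single TXT string, so the record is published as several strings that the verifier concatenates), and pass the result to dkim_key_bits. The parser discards whitespace inside p= because RFC 6376 allows folding whitespace there, which is also where split records tend to pick up stray spaces.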
Key rotation for security
Even with optimal key size, DKIM keys should not be static. Regular key rotation is a vital security practice, much like changing passwords periodically. If a private key were ever compromised (which could happen through a data breach or other security incident), rotating your keys ensures that the old, compromised key can no longer be used to sign fraudulent emails from your domain.
The frequency of key rotation can vary. Some organizations rotate annually, others quarterly. The key is to have a defined process. When you rotate a key, you typically generate a new public-private key pair, update your DNS TXT record with the new public key (under a new selector name), and configure your email sending infrastructure to use the new private key. This ensures a smooth transition without interrupting your email flow.
Adopting a systematic approach to key rotation, including a clear selector naming strategy, helps maintain a strong security posture and improves your overall email reputation. It also aligns with the broader goals of email authentication, alongside SPF and DMARC, to build trust and prevent email abuse. For guidance, check out our article on why DKIM key rotation is recommended.
Views from the trenches
Best practices
Implement a structured selector naming convention, such as including the year or service name, to easily track keys.
Regularly rotate DKIM keys (e.g., annually or bi-annually) to mitigate risks associated with potential key compromise.
Always generate DKIM keys with a minimum length of 2048 bits for new setups or when updating existing ones.
Common pitfalls
Over-interpreting selector names that might be project codes or arbitrary identifiers, not necessarily dates of key generation.
Sticking to outdated 1024-bit DKIM keys, which are becoming less secure and less widely accepted by major mailbox providers.
Failing to rotate DKIM keys regularly, increasing the risk if a private key is ever compromised.
Expert tips
Consider 4096-bit DKIM keys as a long-term goal, though 2048-bit remains the current widely accepted standard.
Ensure a smooth transition when rotating keys by carefully updating DNS records and sending systems to avoid disruptions.
Monitor DKIM authentication results using DMARC reports to identify any issues with key validity or interpretation.
Expert view
Expert from Email Geeks says that date or key strength often tends to be specified in selectors.
2023-05-02 - Email Geeks
Marketer view
Marketer from Email Geeks says that an ESP they worked for included the abbreviated month, year, and bit count in their key names.
2023-05-02 - Email Geeks
Protecting your email reputation
Both DKIM selector names and key size are fundamental aspects of proper email authentication. Selectors provide the necessary link to locate your public key, and while their naming convention is flexible, a structured approach aids in key management. The recommended DKIM key size has evolved, with 2048-bit RSA keys being the current standard for robust security. Regular key rotation is equally crucial for maintaining the integrity of your email authentication setup.
By understanding and correctly implementing these elements, you can significantly enhance your email security, protect your domain from impersonation, and ensure better deliverability for your messages. Staying informed about evolving cryptographic standards and best practices is key to maintaining a trustworthy email presence.