Summary
Finding a DKIM record without the selector is extremely challenging. The selector differentiates multiple DKIM keys for a domain and is essential to locate the correct public key in DNS. The primary method to find the selector involves inspecting email headers, specifically the DKIM-Signature ('s=' parameter). Some experts suggest tools (like xnnd.com) for guessing, while others recommend checking your email service provider (ESP) settings. However, lacking the selector significantly hinders DKIM record retrieval. While domains can have multiple DKIM keys, using too many is discouraged as they may conflict. Authentication should focus on the 'mailfrom' address and not just the header from address. Essentially, without that selector, direct retrieval via DNS is impossible.
Key findings
- Selector Critical: DKIM selector is crucial for locating the correct DKIM record.
- Header Inspection: DKIM-Signature header ('s=') is the primary source for identifying the selector.
- Limited Options: Finding the DKIM record without the selector is exceedingly difficult to impossible.
- Domain Control: If you control the domain, check ESP settings for DKIM configuration.
- Key Management: Having more than one DKIM key may cause conflicts, hence it should be avoided.
Key considerations
- Access to Emails: Header inspection requires access to emails from the target domain.
- Guessing Unreliable: Guessing selectors is not reliable and may not yield the correct key.
- Configuration Accuracy: Ensure the DKIM configuration is checked at the email service provider and has been accurately entered into DNS settings.
- Mailfrom importance: Pay attention to authentication settings in relation to mailfrom
What email marketers say
13 marketer opinions
Finding a DKIM record without knowing the selector is challenging. The selector is essential for locating the correct public key in DNS. The recommended approach involves inspecting email headers (specifically the DKIM-Signature header, looking for 's=') of emails originating from the domain in question. If you control the domain, check your email service provider's DKIM settings. Guessing selectors (e.g., 'google', 's1', 'default') is sometimes possible, but not reliable. Tools and MX lookups might indirectly help but still generally require the selector. Ultimately, the DKIM selector differentiates between multiple DKIM keys for a single domain, so without it, identifying the correct DNS TXT record becomes very difficult.
Key opinions
- Selector Importance: The DKIM selector is crucial for finding the correct DKIM record in DNS.
- Header Inspection: The DKIM-Signature header in email headers reveals the selector ('s=').
- Limited Options: Without the selector, finding the DKIM record is exceedingly difficult.
- ESP Settings: If you control the sending domain, check your ESP's DKIM settings.
Key considerations
- Email Access: You need access to emails from the domain in question to inspect headers.
- Selector Guessing: Guessing the selector is unreliable but might be attempted as a last resort.
- DKIM rotation: Consider that selector rotation is possible for security purposes.
- Multiple Keys: DKIM selectors allow for multiple keys, increasing complexity if unknown.
Marketer view
Email marketer from Mailhardener states that DKIM selectors let you publish multiple DKIM keys for different purposes, senders, or servers using the same domain. Finding the public DKIM key without knowing the selector is going to be nearly impossible because it can't be queried.
8 Dec 2024 - Mailhardener
Marketer view
Email marketer from EmailSecuritySPF shares that DKIM selectors help to differentiate between multiple DKIM keys and records, if the selector isn't known then you're unable to identify the corresponding TXT record in DNS.
8 Sep 2022 - EmailSecuritySPF
What the experts say
4 expert opinions
Experts suggest either guessing the DKIM selector using tools like xnnd.com or examining email headers for the DKIM-Signature to identify it. Additionally, it's advised to avoid using multiple DKIM keys, as it can lead to conflicts. When checking email authentication, use the mailfrom address rather than just the header from address.
Key opinions
- Selector Guessing: Tools like xnnd.com can be used to guess the DKIM selector.
- Header Analysis: Reviewing email headers for the DKIM-Signature is crucial for identifying the DKIM selector.
- Avoid Multiple Keys: Using multiple DKIM keys can cause conflicts and is generally not recommended.
- Mailfrom Authentication: When checking email authentication, use the mailfrom address.
Key considerations
- Effectiveness of Guessing: Guessing tools might not always be accurate in identifying the correct selector.
- Header Interpretation: Correctly interpreting email headers requires technical knowledge.
- Key Management: Properly managing DKIM keys is important to avoid conflicts and ensure email deliverability.
- Authentication Scope: Ensuring proper authentication checks across all email sources is essential for avoiding spoofing.
Expert view
Expert from Word to the Wise explains to check authentication you need to use mailfrom, and not just the header from.
21 Jul 2022 - Word to the Wise
Expert view
Expert from Word to the Wise explains that having multiple DKIM keys is not a good idea and it is better to not do this, if you do then one signing key will clobber the other signing key.
9 Oct 2022 - Word to the Wise
What the documentation says
4 technical articles
Documentation indicates that the DKIM selector is a string that distinguishes multiple DKIM keys for a single domain, enabling key rotation and different keys for various services. It is essential for locating the correct public key, stored as a TXT record in DNS following the format [selector]._domainkey.example.com. Without the selector, querying for the correct DKIM record and verification is impossible.
Key findings
- Selector Purpose: DKIM selector distinguishes multiple DKIM keys for a domain.
- Key Rotation: Selectors facilitate key rotation and service-specific keys.
- DNS Storage: DKIM records are stored as TXT records in DNS.
- Selector Necessity: Without the selector, the correct DKIM record cannot be located or verified.
Key considerations
- Record Naming: The DNS record name includes the selector.
- Multiple Keys: Domains can use multiple DKIM keys, each with a unique selector.
- Verification Impact: Missing selector prevents verification of signed emails.
- Complexity: Managing multiple DKIM keys and selectors increases complexity.
Technical article
Documentation from DMARC Analyzer explains that a DKIM selector is used to publish multiple DKIM keys for a single domain. This allows a domain to rotate keys more easily and use different keys for different services or subdomains. Without the selector, it's not possible to query for the correct DKIM record.
21 Feb 2025 - DMARC Analyzer
Technical article
Documentation from RFC6376 (DKIM standard) explains that the selector is a string used to locate the correct public key. A domain can publish multiple DKIM keys, and the selector indicates which key was used to sign a particular message. Without the selector, the receiving server cannot determine which key to use for verification.
19 May 2025 - RFC6376
Are people using 4096-bit DKIM keys, and what is the recommended DKIM key length?
Do DKIM selectors affect email reputation?
How do I find the DKIM selector for my domain in Dmarcian or Hubspot?
How do I fix DKIM alignment errors and configure DKIM signing for a custom domain in Microsoft 365 and is include:spf.mtasv.net required for mailchimp?
How should DKIM selector names be interpreted and what is the recommended DKIM key size?
