Suped

What does the DKIM 's=' tag represent?

The s= tag is a required component of a DKIM signature. DKIM (DomainKeys Identified Mail) is one of the three main email authentication standards, alongside SPF and DMARC. It works by adding a cryptographic signature to your email headers. This signature acts as a digital seal, proving that the email originated from an authorized server and that its contents haven't been tampered with in transit. The s= tag is a crucial part of that signature.

Email on Acid says:
A DKIM signature helps mailbox providers verify you as the sender while preventing phishing attacks known as email spoofing.

In short, the s= tag represents the DKIM 'selector'. The selector tells the receiving email server where to look in your domain's DNS records to find the public key needed to verify the email's signature. Think of it as a specific name or label for your DKIM key. Because you can have multiple DKIM keys for a single domain, the selector is what allows you and receiving servers to distinguish between them.

How does the DKIM selector work in practice?

When a mail server receives an email, it looks for the DKIM-Signature header. Inside this header, it finds several tags, including the s= tag for the selector and the d= tag for the sending domain.

The server then combines these two pieces of information to perform a DNS lookup. It queries for a TXT record at a specific address formatted like this: selector._domainkey.domain.com. For example, if your selector was google and your domain was suped.com, the server would look for a TXT record at google._domainkey.suped.com. The value of this TXT record is the public DKIM key, which the server then uses to validate the signature on the email.

Why are selectors so important?

The use of selectors is not just for organization; it provides crucial flexibility and security for your email program. As Email on Acid explains, a DKIM signature is key to helping mailbox providers verify you as the sender. Selectors enhance this process in several ways:

  • Key rotation: It is a security best practice to change your cryptographic keys regularly. Selectors make this process seamless. You can publish a new DKIM key with a new selector (e.g., s=q2-2024) while your old key and selector are still active. You can then update your sending applications to use the new key and, once the transition is complete, you can safely remove the old DNS record without interrupting mail flow.
  • Segregation of mail streams: Most organizations send email from multiple platforms. For example, you might use Google Workspace for corporate mail, another service for marketing newsletters, and a third for transactional receipts. By using a unique selector for each service (e.g., s=google, s=marketing, s=transactional), you can manage the keys for each service independently. If one service's key is compromised, you only need to revoke and replace that specific key, leaving your other mail streams unaffected.
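
The lookup and key-rotation behaviour described above can be sketched as follows. This is an added example, not code from Suped or Email on Acid: the function names, the q1-2024 selector, the placeholder key material and the dict standing in for DNS are all assumptions made for illustration.

```python
import re

def parse_tag_list(value):
    """Parse the 'tag=value; tag=value' syntax shared by the header and the DNS record."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Whitespace (including header folding) inside a value is not significant here.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(dkim_signature):
    """Build <selector>._domainkey.<domain> from the s= and d= tags."""
    tags = parse_tag_list(dkim_signature)
    missing = [t for t in ("s", "d") if not tags.get(t)]
    if missing:
        raise ValueError(f"DKIM-Signature lacks required tag(s): {', '.join(missing)}")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def key_status(dkim_signature, txt_records):
    """Resolve the selector against txt_records, a dict standing in for DNS."""
    name = key_query_name(dkim_signature)
    record = txt_records.get(name)
    if record is None:
        return name, "no record"      # selector never published, or already removed
    p = parse_tag_list(record).get("p")
    if p is None:
        return name, "malformed"      # a key record must carry p=
    if p == "":
        return name, "revoked"        # RFC 6376: an empty p= means the key is revoked
    return name, "key published"

# Constructed sample data: the key material is a placeholder, not a real key.
SAMPLE_DNS = {
    "q2-2024._domainkey.suped.com": "v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ=",
    "q1-2024._domainkey.suped.com": "v=DKIM1; k=rsa; p=",  # old key, revoked
}

def sample_sig(selector):
    """Constructed DKIM-Signature header value for the given selector."""
    return (f"v=1; a=rsa-sha256; d=suped.com; s={selector};\r\n"
            "\th=from:to:subject; bh=Q09OU1RSVUNURUQ=; b=Q09OU1RSVUNURUQ=")

if __name__ == "__main__":
    for sel in ("q2-2024", "q1-2024", "google"):
        print(key_status(sample_sig(sel), SAMPLE_DNS))
```

Mail signed with a selector whose record is revoked or missing cannot be verified, which is why the old record should stay published until every sending application has switched to the new selector.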

Ultimately, the s= selector tag is a small but powerful component of DKIM that enables proper key management, security, and organization for your email authentication.
