Does a DKIM record's selector need to be unique per domain?
Michael Ko
Co-founder & CEO, Suped
Published 6 May 2025
Updated 18 Sep 2025
When you're setting up DomainKeys Identified Mail (DKIM), a common question arises regarding the uniqueness of its selector. DKIM is a crucial email authentication standard that helps protect your domain from impersonation and phishing. It allows an organization to take responsibility for transmitting a message by signing it cryptographically.
The DKIM selector is a key part of this mechanism. It's essentially a name used to locate the public key in your domain's DNS records, which is then used by receiving mail servers to verify the cryptographic signature on your outgoing emails. Without a functioning selector, DKIM authentication fails, potentially impacting your email deliverability rates.
The short answer to whether a DKIM record's selector needs to be unique per domain is yes, within the context of a single public key lookup. However, this doesn't mean you can only have one DKIM record or one selector for your entire domain. In fact, many organizations utilize multiple selectors, and it's often a best practice.
The role of DKIM selectors
A DKIM selector acts like a pointer. When a receiving mail server gets an email signed with DKIM, it extracts the DKIM selector from the email header. It then uses this selector, along with the signing domain, to query the DNS for the corresponding public key. For example, if your signing domain is example.com and the selector is s1, the receiving server will look for a TXT record at s1._domainkey.example.com. Each unique selector within a domain points to a specific public key.
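The lookup described above, as an added Python example that is not part of the original article: it reads the `d=` and `s=` tags from a DKIM-Signature header value and builds the DNS name a verifier would query. The sample header and the function names are constructed for illustration.

```python
import re

# A selector or signing domain is one or more dot-separated DNS labels.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_NAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

# Constructed sample: a folded DKIM-Signature header value (not a real signature).
SAMPLE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;\r\n"
    "\th=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=;\r\n"
    "\tb=Y29uc3RydWN0ZWQg\r\n\tc2FtcGxl"
)


def parse_tags(value):
    """Split a DKIM tag=value list into a dict, rejecting duplicate tags."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part.strip()!r}")
        # Drop folding whitespace; it carries no meaning in d=, s=, bh= or b=.
        tags[name] = "".join(val.split())
    return tags


def dkim_query_name(header_value):
    """Return the DNS name queried for this signature's public key."""
    tags = parse_tags(header_value)
    for required in ("d", "s"):
        if required not in tags:
            raise ValueError(f"missing {required}= tag")
        if not _NAME.fullmatch(tags[required]):
            raise ValueError(f"invalid {required}= value: {tags[required]!r}")
    # DNS names compare case-insensitively, so normalise to lower case.
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


if __name__ == "__main__":
    print(dkim_query_name(SAMPLE))
```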
The uniqueness requirement means that you cannot have two different public keys published under the exact same selector (e.g., s1._domainkey.example.com) for the same domain simultaneously. If you did, the receiving mail server wouldn't know which public key to use for verification, leading to a DKIM failure. However, you can have multiple DKIM selectors and therefore multiple DKIM records for a single domain, as long as each selector is unique.
This design allows for significant flexibility. For instance, different email service providers (ESPs) you use might provide their own DKIM keys and suggest specific selectors for them. This is a common and perfectly valid configuration. It ensures that each email stream, whether from your main CRM or a transactional email service, is properly authenticated.
Why multiple DKIM selectors are necessary
The ability to use multiple DKIM selectors per domain is not just allowed, it's often a necessity for maintaining robust email security and deliverability. Consider the scenarios where you might send emails from various sources under the same domain. For example, your marketing emails might go through HubSpot, your transactional emails via SendGrid, and internal communications from Google Workspace or Microsoft 365. Each of these services might generate its own DKIM key pair and assign a specific selector to differentiate its signed emails.
Another critical reason for multiple selectors is key rotation. Regularly rotating your DKIM keys is a vital security practice, as it minimizes the risk of a compromised key being exploited by attackers. To do this seamlessly without interrupting email flow, you can provision a new key with a new, unique selector, gradually transition your sending volume to it, and then decommission the old key. This strategy ensures continuous authentication.
Single selector approach
Complexity: Requires all email services to use the same key or for you to manage a single key across multiple platforms, which can be challenging.
Security: If a single key is compromised, all email streams are at risk, necessitating an emergency key replacement that can disrupt service.
Maintenance: Key rotation is more difficult and risky, potentially leading to service outages during transitions.
Multiple selectors approach
Complexity: Each email service provider (like SendGrid or HubSpot) manages its own DKIM key and selector, simplifying integration.
Security: Limits the blast radius of a compromised key. If one key is breached, only emails from that specific service are affected.
Maintenance: Allows for seamless DKIM key rotation by adding new selectors before removing old ones, without downtime.
In essence, using multiple unique selectors for your domain allows you to segment your email sending infrastructure and enhance overall security and management. It prevents the problem of using the same DKIM domain and selector for campaigns from various sources, which could otherwise lead to confusion and authentication issues.
Configuring DKIM with multiple selectors
Configuring DKIM with multiple selectors involves adding multiple TXT records to your domain's DNS. Each record will have a unique hostname based on the selector provided by your email service. For instance, if you use Mailchimp and SendGrid, you might have two distinct DKIM records:
Here, s1 and s2 are your unique DKIM selectors. Each one is associated with a different public key and is used by a specific email sending service. This is completely standard and supported by DKIM specifications. For more detailed DKIM selector examples, you can refer to guides on configuring email authentication for various providers.
Important: Can a single DKIM private key be used for multiple selectors?
While you can have multiple selectors for a domain, each selector should correspond to a distinct public-private key pair. This means that a single DKIM private key should not be used for multiple selectors. Each selector is intended to reference a unique public key. Trying to use one private key with multiple selectors complicates key management and can lead to authentication issues. For clarity on this, refer to discussions about using a single private key for multiple selectors.
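An added Python example, not from the original article, that checks a set of published TXT records against the two rules above: one public key per selector name, and no key shared between selectors. The zone contents, key values, and function names are constructed placeholders; a real audit would first fetch the TXT records from DNS.

```python
import re
from collections import defaultdict

# Constructed zone data: DNS name -> TXT strings published at that name.
# The p= values are placeholders, not real keys.
ZONE = {
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=AAAAKEYONE"],
    "s2._domainkey.example.com": [
        "v=DKIM1; k=rsa; p=BBBBKEYTWO",
        "v=DKIM1; k=rsa; p=CCCCKEYTHREE",
    ],
    "old._domainkey.example.com": ["v=DKIM1; k=rsa; p=AAAA KEYONE"],
    "retired._domainkey.example.com": ["v=DKIM1; p="],
    "example.com": ["v=spf1 -all"],
}

_P_TAG = re.compile(r"(?:^|;)\s*p\s*=([^;]*)")


def public_key(txt):
    """Return the p= value without whitespace, or None if there is no p= tag."""
    match = _P_TAG.search(txt)
    return "".join(match.group(1).split()) if match else None


def audit(zone):
    """Return findings for ambiguous selector names and keys shared by selectors."""
    findings = []
    selectors_by_key = defaultdict(set)
    for name, txts in sorted(zone.items()):
        if "._domainkey." not in name.lower():
            continue  # not a DKIM key record name
        keys = [k for k in map(public_key, txts) if k is not None]
        if len(set(keys)) > 1:
            # Two different keys at one name: a verifier cannot tell which to use.
            findings.append(("ambiguous-selector", name))
        for key in keys:
            if key:  # an empty p= marks a revoked key, so it is not counted as reuse
                selectors_by_key[key].add(name)
    for names in selectors_by_key.values():
        if len(names) > 1:
            findings.append(("shared-key", tuple(sorted(names))))
    return findings


if __name__ == "__main__":
    for finding in audit(ZONE):
        print(finding)
```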
Impact on email deliverability and security
Proper DKIM implementation, especially with multiple selectors, significantly boosts your email deliverability and helps prevent email spoofing (impersonation). DKIM works alongside SPF to support your DMARC policy, which instructs receiving mail servers on how to handle emails that fail authentication. This means fewer emails landing in recipients' spam folders and greater trust in your brand's communications. Microsoft Learn provides a helpful resource on setting up DKIM to sign mail for your cloud domain.
Monitoring your DKIM performance and DMARC reports is essential. Tools like Suped provide real-time visibility into your email authentication status, helping you identify and resolve any DKIM failures, such as DKIM body hash mismatch errors or TempError issues. With its AI-powered recommendations and unified platform for DMARC, SPF, and DKIM monitoring, Suped offers comprehensive DMARC monitoring and reporting that simplifies the process, making it accessible even for organizations with complex sending infrastructures and multiple DKIM selectors.
Beyond deliverability, robust DKIM configurations enhance your domain's reputation. Receiving servers, like those at Google and Yahoo, consider authenticated emails more trustworthy, reducing the likelihood of your messages being sent to the junk folder or being blocked entirely. This is especially important as major mailbox providers continue to tighten their email authentication requirements.
Summary of DKIM selector uniqueness
A DKIM record's selector does need to be unique for each specific public key within a given domain. However, this doesn't restrict you to only one DKIM record per domain. On the contrary, having multiple unique selectors is a common and recommended practice for organizations that use various email sending services or need to perform DKIM key rotation for security reasons.
By understanding the role of selectors and implementing them correctly, you can ensure that all your legitimate email traffic is properly authenticated, improving deliverability, strengthening your brand's reputation, and bolstering your overall email security posture. Always verify your DKIM DNS records and monitor their performance to catch any issues promptly.
For ongoing management and insights into your email authentication, DMARC monitoring tools are invaluable. They provide the visibility needed to ensure your DKIM and DMARC policies are functioning as intended, giving you peace of mind that your emails are reaching their intended inboxes.