The short answer is yes, but it's a bit more nuanced than that. A DKIM selector needs to be unique for each different email sending service you use with your domain. You can, and often must, have multiple DKIM records for a single domain. Each of these records will have its own unique selector.
This is a common practice and is essential for properly authenticating all the email you send from various platforms. Many businesses use different services for marketing emails, transactional emails, and internal corporate emails. Each service will need its own DKIM configuration.
Let's say you use Google Workspace for your company's email and another service for your marketing newsletters. You would set up one DKIM record for Google and another for your newsletter provider. Each would have a distinct selector, for example, google for Google and maybe mktg1 for the marketing service. This ensures that receiving mail servers can find the correct public key to verify the signature, regardless of which service sent the email.
A DKIM selector is simply a piece of text that you specify when you create a DKIM record. It's part of the DNS record and acts as a pointer. When an email is sent, the DKIM signature in the email's header includes the selector that was used.
The receiving mail server then takes that selector and the domain name to perform a DNS lookup to find the corresponding public key. For a selector of s1 and the domain example.com, the server would look for a TXT record at s1._domainkey.example.com. If it finds a valid public key there, it uses it to verify the email's signature.
Each sending service (like Google Workspace, Salesforce, or Mailgun) manages its own email signing infrastructure. This means each service uses its own unique private key to sign the emails you send through it. For DKIM to work, the corresponding public key must be published in your DNS. Since you have a different private key for each service, you need a way to publish different public keys.
This is where unique selectors come in. As GoDMARC states, you should not reuse the same DKIM selector for different services. Each service needs its own record with a unique selector. This allows you to have multiple, separate DKIM records under the same domain, one for each service you authorize to send email on your behalf.
If you were to use the same selector for two different services, you could only publish one public key in your DNS for that selector. This would cause DKIM authentication to fail for one of the services, because the published public key would not match the private key that service used to sign the email.
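The lookup and the shared-selector failure described above can be checked with a short script. This is an added example, not code from any of the services mentioned: the header, the service names, and the KEY-A / KEY-B labels are constructed, and audit_selectors is a hypothetical helper that models the zone as holding one key per selector name, as the text describes.

```python
import re

def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag list ("tag=value; ...") into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # base64 values may contain "="
            tags[name.strip()] = value.strip()
    return tags

def dkim_query_name(header_value):
    """DNS name the receiver queries for the key: <s>._domainkey.<d>."""
    tags = parse_dkim_tags(header_value)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def audit_selectors(domain, services):
    """services maps service -> (selector, public_key).
    Publishes one key per selector name (the first one configured) and
    returns (zone, services whose own key is not the one published)."""
    zone = {}
    for selector, key in services.values():
        zone.setdefault(f"{selector}._domainkey.{domain}".lower(), key)
    broken = [svc for svc, (selector, key) in services.items()
              if zone[f"{selector}._domainkey.{domain}".lower()] != key]
    return zone, broken

# Constructed sample header; bh= and b= are placeholders, not real signatures.
SAMPLE_HEADER = ("v=1; a=rsa-sha256; d=example.com; s=s1;\r\n"
                 "\th=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER==")

# Constructed key labels stand in for real base64 public keys.
DISTINCT = {"workspace": ("google", "KEY-A"), "newsletter": ("mktg1", "KEY-B")}
SHARED = {"workspace": ("s1", "KEY-A"), "newsletter": ("s1", "KEY-B")}

if __name__ == "__main__":
    print(dkim_query_name(SAMPLE_HEADER))
    for label, config in (("distinct", DISTINCT), ("shared", SHARED)):
        zone, broken = audit_selectors("example.com", config)
        print(label, sorted(zone), "fails DKIM:", broken)
```

Running the same audit over the selectors you have actually configured per service shows, before any mail is sent, which service would be signing against a key that is not the one published.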
To correctly set up DKIM for your domain, remember these key points:
In conclusion, while a selector itself doesn't have to be globally unique across the entire internet, it absolutely must be unique for each sending service within your specific domain's DNS. This is fundamental to how DKIM works and is essential for maintaining good email deliverability.