Suped

What is the purpose of multiple DKIM selectors?

When you first set up DomainKeys Identified Mail (DKIM), you might only create a single record. But as your organization's email needs grow, you'll quickly find that using multiple DKIM selectors is not just possible, it's often a necessity. A DKIM selector is simply a pointer that allows a receiving mail server to find the correct public key in your DNS to verify an email's signature. It's the piece that connects a specific email to a specific key.

Think of it like having different keys for different doors to your house. You might have one for the front door, one for the back door, and one for the garage. Selectors work in a similar way for your domain's email, allowing you to have different cryptographic keys for different email streams. This ability to use multiple keys is fundamental to managing a modern, complex email infrastructure securely and efficiently.

Why use more than one DKIM selector?

The primary purpose of having multiple DKIM selectors is to enable the publication of more than one DKIM public key in your domain's DNS. This flexibility is crucial for several key reasons.

  • Supporting Multiple Sending Platforms. Most companies don't send all their email from a single service. You might use Google Workspace for your corporate mail, a marketing platform for newsletters, and a separate service for transactional emails like password resets. Each of these services needs to sign emails with DKIM on your behalf, and each will require its own unique DKIM key. Using a different selector for each service (e.g., s1 for Google, k1 for your marketing tool) keeps them separate and organized.
  • DKIM Key Rotation for Security. Key rotation is a critical security best practice. Regularly changing your DKIM keys limits the window of opportunity for an attacker if a key is ever compromised. Multiple selectors make this process seamless. You can introduce a new key with a new selector, test it, and then transition your mail flow to it. Once all mail is being signed with the new key, you can safely retire the old one, all without any interruption to your email delivery.
  • Organizational and Departmental Segregation. Just as you use different services, you may want to use different DKIM signatures for different parts of your business. For example, the finance department's emails could be signed with one key, while the sales department uses another. This can help with internal tracking, reputation management, and isolating deliverability issues to a specific email stream.
Mailgun says: "Use a DKIM selector to set up multiple delivery services from a domain, or to send from a subdomain. What are DKIM record checks? A DKIM record check is the process a receiving email server goes through to verify the authenticity of an email message."

How do multiple selectors work?

The process is straightforward and is handled automatically by mail servers. When an email is sent, the sending server adds a DKIM-Signature header to the message. This header contains several pieces of information, including the signing domain (d= tag) and, crucially, the selector (s= tag).

DuoCircle says: "Having multiple DKIM records makes it easier to update your keys smoothly. By using a new selector for each updated key, you can switch to a new one seamlessly. This ensures your emails continue to be authenticated without interruption during the transition."

When a receiving server gets the email, it reads these tags. It then combines the selector and the domain to perform a DNS lookup for a TXT record at a specific address, which follows the format: selector._domainkey.yourdomain.com. This DNS record contains the public DKIM key. The server then uses this public key to verify that the email's signature is valid and that the message hasn't been tampered with in transit. If you have multiple services sending email, each will use its own unique selector in the header, directing the receiving server to the correct public key for verification.
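The lookup described above, as an added example that is not code from the original page: it reads every DKIM-Signature header on a message, derives the selector._domainkey.domain name a verifier would query, and classifies the key record found there. The message, the example.com domains, the placeholder key data and the ZONE dictionary standing in for DNS are constructed assumptions; treating an empty p= tag as a revoked key follows RFC 6376 and is how a retired selector looks after rotation.

```python
import re
from email import message_from_string

# Constructed sample: two services sign the same message with different selectors.
RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;\n"
    "\th=from:subject; bh=AAAA; b=BBBB\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com;\n"
    " s=k1; h=from:subject; bh=CCCC; b=DDDD\n"
    "From: sender@example.com\n"
    "Subject: test\n\nbody\n"
)

# Constructed stand-in for DNS TXT answers; key data is a placeholder, not a real key.
ZONE = {
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY",
    "k1._domainkey.mail.example.com": "v=DKIM1; k=rsa; p=",
}

def parse_tags(value):
    """Split a DKIM tag=value list, dropping folding whitespace inside values."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_lookups(raw_message):
    """Return the DNS name a verifier queries for each DKIM-Signature header."""
    msg = message_from_string(raw_message)
    names = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        if tags.get("s") and tags.get("d"):  # both tags are required to locate a key
            names.append(f"{tags['s']}._domainkey.{tags['d']}")
    return names

def key_status(qname, zone=ZONE):
    """Classify the key record: missing, invalid (no p=), revoked (empty p=), published."""
    record = zone.get(qname)
    if record is None:
        return "missing"
    p = parse_tags(record).get("p")
    if p is None:
        return "invalid"
    return "published" if p else "revoked"

if __name__ == "__main__":
    for name in key_lookups(RAW):
        print(name, key_status(name))
```

Running the same check over the selectors seen in your own outbound mail shows which streams still sign with a selector whose record is missing or revoked.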

Is using multiple DKIM selectors a good practice?

Absolutely. It is not just a good practice but an essential one for any organization that sends email through more than one channel or is serious about security. As explained by Skysnag, a DKIM selector allows an organization to publish multiple DKIM keys, which is vital when needs change.

By using multiple selectors, you gain the flexibility to manage different email streams independently, enhance your security posture through easy key rotation, and ensure your email authentication framework can scale with your business. Without them, you would be forced to use a single key for all sending services, creating a single point of failure and making key management a significant challenge.
