Summary
Understanding why a DKIM validation tool like Dmarcian might not find your DKIM records, even when your email service provider (ESP) such as HubSpot confirms a successful setup, often comes down to a single, crucial piece of information: the DKIM selector. DKIM selectors are unique identifiers that help receiving mail servers locate the correct public key in your DNS to verify an email's authenticity. Without providing the specific selector, many external validation tools cannot accurately query your DNS for the corresponding DKIM record, leading to perceived 'failures' even if everything is correctly configured. This page will guide you through finding this essential selector and clarifying common misconceptions.
Key findings
- Selector necessity: Many DKIM validation tools, including Dmarcian, require the specific DKIM selector to successfully locate and verify your domain's DKIM record. They cannot simply guess it due to the wide variety of possible selectors.
- HubSpot guidance: HubSpot (and other ESPs) will provide the necessary DKIM records, including the selector, during the setup process. This information is typically found within the domain authentication or email sending settings.
- DNS location: The DKIM selector is generally the string of characters located immediately to the left of ._domainkey in your DNS TXT record for DKIM.
- Email header verification: For emails you have already sent, the DKIM selector can be found within the email's raw headers, identified by the s= tag in the DKIM-Signature header field.
Key considerations
- Matching details: Always ensure the selector you provide to a validation tool exactly matches what is published in your DNS and provided by your ESP. Even minor discrepancies can cause failures.
- Provider-specific selectors: Different ESPs may use different naming conventions for their DKIM selectors. HubSpot often uses specific names you should adhere to. For more about this, read our guide on common DKIM selectors and how to use them.
- DMARC reports: DMARC reports provide comprehensive data on your email authentication status, including DKIM validation. Analyzing these reports can help confirm if your DKIM is correctly aligned and functioning. You can learn more about this by reading about how to read a DMARC report.
- Troubleshooting: If a tool still can't find your DKIM record with the correct selector, check for DNS propagation delays or typos in your DNS record. Understanding how to find a DKIM record without a selector can also be helpful for initial diagnosis.
What email marketers say
Email marketers frequently encounter challenges when configuring and verifying DKIM. A common scenario is where an email service provider (ESP) indicates successful DKIM setup, yet external tools report no record found. This discrepancy often leads to confusion, highlighting the need for clearer instructions on identifying and using the specific DKIM selector required by third-party validators. Marketers emphasize the importance of straightforward processes to ensure their emails are properly authenticated and reach the inbox, without getting caught in spam or blocklists.
Key opinions
- HubSpot's confirmation: Marketers appreciate HubSpot's indication of successful DKIM setup, but note that this doesn't automatically mean external checkers will find the record without the selector.
- Selector discoverability: There's a shared need for clearer guidance from ESPs on where to locate the specific DKIM selector provided during setup.
- DNS record insight: Many marketers learn through experience that the selector is the string preceding ._domainkey in the DKIM DNS record.
- Header alternative: Looking at email headers for the s= value is considered a reliable backup method when other options fail.
Key considerations
- Dependency on ESPs: Marketers often rely heavily on their ESPs for correct DKIM setup. Ensuring these providers clearly communicate selector details is crucial. Consider how to sign DKIM on a sender domain that isn't the primary domain in HubSpot if you face issues.
- Verification process: Integrate selector identification into your DKIM verification checklist to ensure comprehensive authentication. Understanding what is a DKIM signature can further clarify its role.
- Impact on deliverability: Correct DKIM configuration is vital for email deliverability. A mismatch or absence of the selector can lead to emails landing in spam or being blocklisted.
- Troubleshooting tools: Marketers frequently use third-party tools to help locate selectors when traditional methods are cumbersome, especially when emails aren't going out. Refer to our guide on troubleshooting DMARC failures.
Marketer view
Email marketer from Email Geeks describes the difficulty of understanding why Dmarcian couldn’t find any DKIM records on their domain, despite HubSpot providing a positive confirmation. This highlights a common point of confusion for users navigating different authentication tools.
Marketer view
Email marketer from WebmasterWorld notes that configuring DKIM selectors correctly is a frequent point of confusion, especially when migrating email services or integrating new platforms. This often leads to unexpected deliverability issues.
What the experts say
Email deliverability experts highlight that DKIM selectors are fundamentally arbitrary and cannot be universally predicted by authentication tools. This inherent variability means that for a tool like Dmarcian to verify a DKIM record, it must be provided with the exact selector used by the sending domain. Experts emphasize that the selector is clearly defined within the domain's DNS TXT record or can be extracted from the email's headers, offering clear pathways for troubleshooting when automated checks fall short.
Key opinions
- Selector variability: Experts confirm that there's an 'infinite possibility' of DKIM selectors, making it impossible for validation tools to know them all without specific input.
- Input requirement: DKIM tools typically require users to either send a test email or provide the exact selector for proper querying and testing of the record.
- DNS identification: The selector is explicitly found as the word located to the left of ._domainkey in the DKIM DNS TXT record.
- Header extraction: An alternative method for finding the selector is by examining the s= value within the DKIM signature in an email's headers.
- Limited auto-discovery: While some tools attempt to try common selectors, their effectiveness is limited to those they are programmed to recognize, emphasizing the need for manual input when auto-discovery fails.
Key considerations
- Accurate configuration: Ensuring the DKIM selector is correctly published in your DNS is paramount for effective email authentication. Incorrect setup can lead to DMARC failures and impact deliverability.
- Provider integration: When setting up DKIM with ESPs like HubSpot, pay close attention to the specific selector names or formats they provide. This is especially true if you are handling Salesforce DMARC, DKIM, and SPF Configuration.
- DKIM alignment: The selector plays a crucial role in DKIM alignment, which is a key component of DMARC. Understanding how to fix DKIM from domain mismatch is essential for maintaining strong email authentication.
- Key rotation: When performing DKIM key rotation, new selectors are often generated. These must be correctly updated in DNS to ensure continuous email authentication and avoid reputation issues. Learn more about how changing DKIM selectors impacts email reputation.
Expert view
Expert from Email Geeks explains that there's an infinite possibility of DKIM selectors, which means that DKIM verification tools cannot possibly know every single one. This necessitates the user providing the selector to the tool for accurate testing and validation.
Expert view
Deliverability consultant from SpamResource emphasizes that proper DKIM configuration, including the correct selector, is fundamental for robust email authentication. This prevents emails from being flagged as spam or landing on a blocklist, ensuring strong deliverability.
What the documentation says
Official documentation from various email service providers, internet standards bodies, and DMARC organizations consistently outlines the role and structure of the DKIM selector. These resources provide precise instructions on how ESPs generate and present DKIM records, emphasizing the selector's position within the DNS TXT record. Furthermore, documentation clarifies how DKIM authentication, facilitated by the selector, integrates with DMARC to enhance email security and combat spoofing, providing a technical blueprint for proper implementation.
Key findings
- Standardized definition: RFC 6376 clearly defines the 's=' tag for the selector, which specifies the name of the DKIM key record in DNS, allowing for multiple keys per domain.
- ESP instructions: Documentation from ESPs like HubSpot and Microsoft 365 provides specific selector names and detailed instructions for their inclusion in DNS records during DKIM setup.
- DNS record format: Technical guides illustrate the structure of the DKIM TXT record, explicitly showing the selector as the hostname or name portion of the DNS entry.
- DMARC integration: Documentation confirms that for DMARC authentication to pass via DKIM, the domain in the d= tag must align with the RFC5322.From domain, and the selector (s=) must correctly point to the public key.
Key considerations
- Adherence to guidelines: Always follow the specific DKIM setup guides provided by your email service provider, as selectors and key formats can vary. This ensures compliance with their system requirements.
- Exact matching: Documentation stresses the importance of entering the DKIM selector precisely as provided, as any deviation will result in authentication failures. Refer to how DKIM selector names should be interpreted.
- DNS propagation: Be aware of DNS propagation times after publishing or updating DKIM records. External tools might not immediately reflect changes until propagation is complete. You can also review Sean the Geek's guide to demystifying DMARC.
- Comprehensive setup: DKIM is part of a broader email authentication ecosystem, including SPF and DMARC. Ensure all components are correctly configured for optimal deliverability. Read a simple guide to DMARC, SPF, and DKIM.
Technical article
RFC 6376, section 3.1, states that the 'selector' tag, s=, is used to specify the name of the DKIM key record published in the DNS. This design allows for the management of multiple DKIM keys per sending domain, offering flexibility for different sending purposes or key rotation strategies.
Technical article
DMARC.org documentation advises that DMARC authentication requires either SPF or DKIM to pass alignment for a message to be considered legitimate. For DKIM, it explicitly states that the d= tag in the signature must align with the RFC5322.From domain, and the selector (s=) must correctly point to a valid public key in DNS.
Related resources
4 resources
Related pages
How to find domainGUID and initialDomain for DKIM setup with custom domains in Office 365?
Is it problematic to use the same DKIM domain and selector for multiple email campaigns, and why do validation tools sometimes show errors for valid DKIM records?
How to fix DKIM from domain mismatch and understand DMARC risks?
How does changing DKIM selectors impact email reputation and what are the best practices for key rotation?
How to find DKIM record without selector?
How do I sign DKIM on a sender domain that isn't the primary domain while using Hubspot?
How should DKIM selector names be interpreted and what is the recommended DKIM key size?
A practical guide to DKIM selector name examples
A list of the most common DKIM selectors and how to use them
A simple guide to DMARC, SPF, and DKIM
