3,932 Australian domains analysed. Most fail basic email authentication. [2026 Report]

DKIM Selector

An arbitrary label that lets a domain publish multiple DKIM keys at once, each at a separate DNS hostname.

Definition

A DKIM selector is the arbitrary label that identifies which public key to use to verify a DKIM signature. It appears in the s= tag of the DKIM-Signature header and is used by the receiver to locate the corresponding public key in DNS at <selector>._domainkey.<domain>. Selectors are arbitrary — any string that's a valid DNS label will do — but they are critical to two operational realities of email authentication: key rotation and multi-ESP setups.

How it works

Selectors solve a versioning problem. Without them, a domain could only publish one DKIM key at a time, and rotating keys would mean a coordinated cutover where every in-flight message either signed with the old key or the new one. With selectors, a domain can publish multiple keys at different selector names, and the sending infrastructure picks which selector to sign with. Rolling a new key becomes straightforward: publish the new public key at a new selector (e.g. s2024-q1._domainkey.example.com), switch sending to that selector, then leave the old key published until any in-flight signed mail has been delivered, and finally remove the old DNS record.

Selectors also enable multiple ESPs to sign for the same domain simultaneously. SendGrid might sign with s=s1, Google Workspace with s=google, and Mailchimp with s=k1, all on the same From domain. Each ESP publishes its public key at its own selector, and receivers use the s= tag in the signature to find the right one. There is no theoretical limit to the number of active selectors a domain can have, though practical deployments rarely exceed a handful.

Example

A domain using two ESPs simultaneously publishes two DKIM keys:

s1._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=<sendgrid-public-key>"
google._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=<google-public-key>"

SendGrid signs outbound messages with DKIM-Signature: ...; s=s1; d=example.com; .... Google Workspace signs with s=google. The receiver uses the s= tag to find the right public key for verification.

Related Terms

DKIM A cryptographic signature attached to outbound email that proves the message was authorise... DMARC Alignment The check that requires the SPF or DKIM domain to match the visible From header domain in...

Automate your DMARC

DMARC Busta puts SPF, DKIM, and DMARC management on autopilot — across one domain or 10,000.

Start free trial