DKIM Record Email Auth

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was sent by an authorized server and hasn't been tampered with in transit. The public key used to verify these signatures is published in a DNS TXT record.

Look Up DKIM Records

Check DKIM records for any domain using our free DNS lookup tool.


What Is a DKIM Record?

A DKIM record publishes a public cryptographic key in DNS. When your mail server sends an email, it creates a digital signature using a private key. The receiving server retrieves the public key from your DKIM record to verify the signature.

If the signature is valid, the receiving server knows:

  • The email was sent by a server with access to the private key
  • The email headers and body haven't been modified
  • The domain in the signature matches the sending domain

DKIM Record Format

DKIM records are stored at a special subdomain combining the selector and "_domainkey":

selector._domainkey.example.com.    3600    IN    TXT    "v=DKIM1; k=rsa; p=MIIBIjAN..."

DKIM record components:

Tag       Required   Description
v=DKIM1   Yes        DKIM version (must be "DKIM1")
k=        No         Key type (default: rsa; can be ed25519)
p=        Yes        Public key (base64 encoded)
t=        No         Flags (y=testing, s=strict)
h=        No         Hash algorithms (sha256)
s=        No         Service type (default: * for all)

Example DKIM Record

google._domainkey.example.com.    3600    IN    TXT    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1234..."

This DKIM record uses the selector "google" and contains an RSA public key for email verification.
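The following is an added example, not code from the original page: a small checker for the record format above. It concatenates the TXT strings a resolver returns (a long key is published as several quoted strings of at most 255 bytes), splits the tag=value list, and reports the problems a lookup tool would flag: missing or wrong v=, missing p=, an empty p= (which RFC 6376 defines as a revoked key), and a p= that does not decode as base64, which is what you see when only the first TXT string was read. The key material is constructed placeholder bytes, not a real RSA key; the function and variable names are this example's own.

```python
import base64
import binascii
from typing import Dict, List

# Constructed sample: base64 of placeholder bytes standing in for the DER
# public key. It is NOT a real RSA key; the point is the record handling.
PLACEHOLDER_BYTES = b"constructed placeholder key bytes, not RSA " * 12
PLACEHOLDER_KEY = base64.b64encode(PLACEHOLDER_BYTES).decode("ascii")
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + PLACEHOLDER_KEY
# A resolver hands back a long TXT record as several <=255-byte strings.
SAMPLE_TXT_STRINGS = [SAMPLE_RECORD[:255], SAMPLE_RECORD[255:]]


def join_txt_strings(strings: List[str]) -> str:
    """Concatenate the strings of one TXT RR with no separator (RFC 6376 3.6.2.2)."""
    return "".join(strings)


def parse_tags(value: str) -> Dict[str, str]:
    """'tag=value; tag=value' -> dict; whitespace inside values is dropped."""
    pairs = (f.partition("=") for f in value.split(";") if f.strip())
    return {n.strip(): "".join(v.split()) for n, _, v in pairs}


def check_dkim_record(strings: List[str]) -> dict:
    """Validate the record the way a verifier would before using the key."""
    tags = parse_tags(join_txt_strings(strings))
    problems: List[str] = []
    if tags.get("v") != "DKIM1":
        problems.append("v= is missing or not DKIM1")
    key_len = 0
    if "p" not in tags:
        problems.append("p= (public key) is missing")
    elif tags["p"] == "":
        problems.append("p= is empty, which means the key has been revoked")
    else:
        try:
            key_len = len(base64.b64decode(tags["p"], validate=True))
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64 (were all TXT strings joined?)")
    flags = tags["t"].split(":") if tags.get("t") else []
    return {
        "key_type": tags.get("k", "rsa"),   # k= defaults to rsa
        "key_bytes": key_len,               # length of the decoded DER blob
        "testing": "y" in flags,
        "strict": "s" in flags,
        "problems": problems,
    }


if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_TXT_STRINGS))
    # Reading only the first TXT string truncates the key and breaks base64
    print(check_dkim_record(SAMPLE_TXT_STRINGS[:1]))
    # An empty p= is a revoked key; t=y:s sets both the testing and strict flags
    print(check_dkim_record(["v=DKIM1; k=ed25519; t=y:s; p="]))
```

The decoded length is reported rather than a key size in bits because reading the modulus out of the DER blob needs an ASN.1 parser; for a real key, `openssl rsa -pubin -text -noout` gives the bit length directly.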

Understanding DKIM Selectors

A selector is an identifier that allows multiple DKIM keys for one domain. This is useful for:

  • Multiple services — Different selectors for Gmail, SendGrid, Mailchimp, etc.
  • Key rotation — Deploy new keys without breaking existing signatures
  • Different departments — Separate keys for marketing vs. transactional email

Common Selector Examples

google._domainkey.example.com     → Google Workspace
s1._domainkey.example.com         → Generic selector 1
selector1._domainkey.example.com  → Microsoft 365
k1._domainkey.example.com         → Mailchimp
mail._domainkey.example.com       → Custom mail server

How DKIM Works

  1. Signing — Your mail server creates a hash of the email content and signs it with the private key
  2. Header addition — The signature is added to the email's "DKIM-Signature" header
  3. DNS lookup — The receiving server extracts the selector and domain, then queries DNS for the public key
  4. Verification — The receiver uses the public key to verify the signature matches the email content

DKIM Signature Header

When you receive a DKIM-signed email, the header looks like:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=google;
  h=from:to:subject:date:message-id;
  bh=2jUSOH9NhtVGCQW...;
  b=dzdVyOfAKCdLXd...

Tag                 Meaning
v=1                 DKIM signature version
a=rsa-sha256        Signing algorithm
c=relaxed/relaxed   Canonicalization (header/body)
d=example.com       Signing domain
s=google            Selector (used to find DKIM record)
h=                  Headers included in signature
bh=                 Body hash
b=                  Signature data
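As an added example (not code from the original page) for the signing and verification flow above and for the bh= and c= tags of the header: the body half of step 4. It implements the simple and relaxed body canonicalization from RFC 6376, recomputes bh= over a constructed message and compares it with the header value. Checking b= as well would need the public key fetched from the DKIM record, so that part is left out and the b= value in the sample is a labelled placeholder. The message, domain, selector and function names are this example's own.

```python
import base64
import hashlib
import re
from typing import Optional

# Constructed sample body (not from the original page); the trailing blanks and
# empty lines are deliberate so the canonicalization step has work to do.
SAMPLE_BODY = b"Hello DKIM   \r\n\r\n\r\n"


def parse_tags(value: str) -> dict:
    """'tag=value; tag=value' -> dict; whitespace inside values is dropped."""
    pairs = (f.partition("=") for f in value.split(";") if f.strip())
    return {n.strip(): "".join(v.split()) for n, _, v in pairs}


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # collapse runs of WSP to one SP and strip WSP at the end of each line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    elif mode != "simple":
        raise ValueError(f"unknown body canonicalization: {mode}")
    while lines and lines[-1] == b"":   # drop empty lines at the end of the body
        lines.pop()
    if not lines:                       # empty body: b"" in relaxed, CRLF in simple
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed", algo: str = "sha256") -> str:
    """bh= value: base64 of the hash of the canonicalized body."""
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def get_header(headers: bytes, name: str) -> Optional[str]:
    """Return the unfolded value of the first header called `name`."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", headers)
    for line in unfolded.split(b"\r\n"):
        hname, sep, value = line.partition(b":")
        if sep and hname.strip().lower() == name.lower().encode("ascii"):
            return value.decode("ascii").strip()
    return None


def verify_body_hash(message: bytes) -> bool:
    """Recompute bh= from the received body and compare with the header."""
    headers, _, body = message.partition(b"\r\n\r\n")
    sig = get_header(headers, "DKIM-Signature")
    if sig is None:
        return False
    tags = parse_tags(sig)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    canon = tags.get("c", "simple/simple")                # c= defaults to simple/simple
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]   # rsa-sha256 -> sha256
    return body_hash(body, body_mode, algo) == tags["bh"]


def build_sample_message(body: bytes) -> bytes:
    """Constructed signed-looking message; b= is a placeholder, not a real signature."""
    header = (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
        " d=example.com; s=google;\r\n"
        " h=from:to:subject;\r\n"
        f" bh={body_hash(body, 'relaxed')};\r\n"
        " b=PLACEHOLDERSIGNATUREvalue\r\n"
        "From: alice@example.com\r\n"
        "To: bob@example.net\r\n"
        "Subject: DKIM body hash check\r\n"
    )
    return header.encode("ascii") + b"\r\n" + body


if __name__ == "__main__":
    msg = build_sample_message(SAMPLE_BODY)
    print("unchanged body:", verify_body_hash(msg))
    # relaxed canonicalization tolerates whitespace changes made in transit
    print("whitespace changed:", verify_body_hash(msg.replace(b"Hello DKIM   ", b"Hello  DKIM")))
    # any change to the content itself breaks the body hash
    print("content changed:", verify_body_hash(msg.replace(b"Hello", b"Hullo")))
```

A bh= mismatch on a message whose only difference is whitespace is the classic symptom of a signer using simple canonicalization behind a relay that reflows lines; switching the signer to relaxed/relaxed makes the same message verify.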

Setting Up DKIM

1. Generate Key Pair

Most email services provide DKIM keys automatically. For custom setups:

# Generate 2048-bit RSA key pair
openssl genrsa -out dkim.private 2048
openssl rsa -in dkim.private -pubout -out dkim.public

2. Publish DNS Record

Add the public key to DNS:

selector._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=MIIBIjAN..."

3. Configure Mail Server

Configure your mail server to sign outgoing messages with the private key.
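Added example for steps 1 and 2 (not code from the original page): turning the PEM file written by `openssl rsa -pubout` into the DNS record. The p= value is the PEM body with the BEGIN/END lines and line breaks removed, and because a TXT record holds strings of at most 255 bytes, a 2048-bit key must be split into several quoted strings on one zone-file line. The PEM here is a constructed stand-in (placeholder bytes in base64, not a real public key); the selector, domain and function names are this example's own.

```python
import base64
import textwrap
from typing import List

# Constructed stand-in for dkim.public: placeholder bytes wrapped like PEM.
# It is NOT a real SubjectPublicKeyInfo; it only has the right shape.
PLACEHOLDER_DER = b"constructed placeholder, not a real public key " * 8
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(PLACEHOLDER_DER).decode("ascii"), 64))
    + "\n-----END PUBLIC KEY-----\n"
)


def pem_to_p_tag(pem: str) -> str:
    """p= is the PEM body (base64 DER) with header, footer and newlines removed."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM block")
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)   # reject anything that is not clean base64
    return body


def build_dkim_record(pem: str, key_type: str = "rsa", testing: bool = False) -> str:
    """Assemble the TXT record value; t=y marks the key as still in testing."""
    tags = ["v=DKIM1", f"k={key_type}"]
    if testing:
        tags.append("t=y")
    tags.append("p=" + pem_to_p_tag(pem))
    return "; ".join(tags)


def split_txt_strings(record: str, limit: int = 255) -> List[str]:
    """A TXT RR holds character-strings of at most 255 bytes each; a verifier
    joins them back together without separators."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def zone_line(selector: str, domain: str, record: str, ttl: int = 3600) -> str:
    """One zone-file line with the record split into quoted strings."""
    quoted = " ".join(f'"{s}"' for s in split_txt_strings(record))
    return f"{selector}._domainkey.{domain}.\t{ttl}\tIN\tTXT\t{quoted}"


if __name__ == "__main__":
    record = build_dkim_record(SAMPLE_PEM, testing=True)
    print(zone_line("selector", "example.com", record))
    print(len(split_txt_strings(record)), "TXT strings")
```

Pasting the unsplit value into a provider's web form is usually fine because the provider splits it for you; hand-written zone files and some APIs reject a single string over 255 bytes, which is the "key too long for DNS" case.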

DKIM Key Sizes

Key Size   Status               Notes
1024-bit   Minimum acceptable   May become insecure; upgrade recommended
2048-bit   Recommended          Good balance of security and compatibility
4096-bit   Maximum security     May not fit in single DNS TXT record

DKIM Best Practices

  • Use 2048-bit keys — Provides good security while fitting in DNS records.
  • Rotate keys periodically — Change keys every 6-12 months for security.
  • Use unique selectors per service — Makes troubleshooting easier and limits blast radius if compromised.
  • Keep private keys secure — Never share or expose your private key.
  • Test before enforcement — Use the t=y flag during testing.
  • Implement DMARC — DKIM works best alongside SPF and DMARC.

Troubleshooting DKIM

Common issues and solutions:

  • DKIM verification failing — Check that the selector in the signature matches the DNS record name.
  • Record not found — Verify the complete record name: selector._domainkey.domain.com
  • Signature mismatch — Email may have been modified in transit, or there's a key mismatch.
  • Key too long for DNS — Split large keys across multiple strings in the TXT record.
  • Canonicalization issues — Try "relaxed" canonicalization if "simple" fails.
