reference

How to Find and Test a DKIM Selector

Find a DKIM selector in message headers or provider settings, query the correct DNS name, and diagnose missing, revoked, or weak keys.

A DKIM selector is the value of the s= tag in a message’s DKIM-Signature header. Combine it with the signing domain from d= to query selector._domainkey.signing-domain. Selectors cannot be enumerated reliably from DNS, so a tester needs a real message, provider configuration, or known selector.

Find the selector

Open the original/raw message headers and locate a line like:

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; ...

The DNS name is selector1._domainkey.example.com. Provider dashboards often list the same record during domain verification. Some providers use CNAME records at that name, so follow the CNAME to its TXT key.

Query with:

dig +short TXT selector1._domainkey.example.com
dig +short CNAME selector1._domainkey.example.com

A typical public key record begins v=DKIM1; k=rsa; p=.... An empty p= means the key is revoked. A missing answer can mean the selector is wrong, DNS has not propagated, or the signing domain differs from the visible From domain.

Test more than existence

Verify that the TXT record is syntactically valid, the algorithm is supported, the public key is not revoked, and the key is appropriately sized. Then validate a real message signature: DNS presence alone does not prove the sender is signing correctly or that the d= domain aligns for DMARC.

Selectors rotate. Keep the old public key published while messages signed with it may still be in transit, and monitor both old and new selectors during the transition. DMARC aggregate data is especially useful for learning which selectors are active.

Reference

RFC 6376 defines DKIM signatures and selector-based key lookup. RFC 8301 updates cryptographic recommendations and RSA key-size requirements.

Enter the selector in the checker’s advanced field below to test it directly.

Check a domain for free

Audit email authentication, TLS, HSTS, and security headers. No signup required.

Know your DKIM selector?
Checking the domain's records…