How to find a DKIM selector

DKIM records are not usually published at the bare domain. They live under selector-based names such as selector._domainkey.example.com, so a useful DKIM check starts by finding the selector used by the sender.

Check public sender-readiness records

Run a domain scan, then use a real signed message or provider settings to confirm the DKIM selector.

01$0Free scan

Check the public sender-auth records mailbox providers expect.

02$0Shareable action plan

Keep one URL with evidence, owner steps, and decisions.

03$49$49 fix plan

Add human review, provider context, and verification steps.

Optional. Most first scans can run with just the domain.

Checks Gmail, Yahoo, and Microsoft sender requirementsPublic DNS onlyNo mailbox login needed

Example result72/100Needs attention

Review DMARC policy strength before a high-volume send.

Public DNS evidence: DMARC/SPF/DKIM status and caveats are visible before you pay.
Owner-ready next step: The audit adds provider context and a verification checklist.

Get the exact fix plan for your domain.$49 readiness audit: prioritized owner actions, DNS evidence, and verification checks.

Get my $49 fix plan View sample

Sender readiness cockpitExample action plan

Public DNS workspace

Overall sender readiness

72/100

Needs attention

Sample output: one warning and one fail mean this domain is not campaign-ready yet.

DMARCPass

SPFPass

DKIMPass

MXPass

BIMIWarning

MTA-STSFail

Fix workspace preview

The scan becomes a focused work surface: evidence, owner action, verification, and the paid context a public lookup cannot infer.

HighDMARC

Review DMARC policy strength before a high-volume send.

Evidence: Evidence: a monitoring-only policy can satisfy visibility needs, but enforcement requires aligned legitimate senders.
Verify after change: Re-scan _dmarc after DNS propagation and confirm aligned SPF or DKIM senders before enforcement.
Paid audit adds: Policy sequence, starter record review, alignment questions, and enforcement caveats.

Get my fix plan

Find the selector in a message header

Open the full headers of a message sent by the platform you want to check. Look for a DKIM-Signature header. RFC 6376 describes selector information as the s= tag and the signing domain as the d= tag.

If the header contains s=google and d=example.com, the matching public key is usually queried at google._domainkey.example.com. Your selector and signing domain may be different.

Find the selector in the sending platform

Google Workspace DKIM settings show the selector and DNS value generated for the domain.
Microsoft 365 and other hosted mail tools provide tenant-specific DKIM DNS targets.
Email service providers often list one or two CNAME or TXT records under authentication settings.
Marketing and support tools may sign with their own domain until custom DKIM is enabled.

Do not infer a selector from another company or another tenant. DKIM values are provider-specific and often domain-specific.

Check the DNS name

Once you have the selector and signing domain, query the selector hostname. DKIM keys are commonly published as TXT records, while some hosted platforms ask you to publish CNAME records that point to provider-managed keys.

A DNS record at the selector host is only one part of the review. To confirm the message passed DKIM, inspect authentication results or verify the signed message with the public key.

Review DMARC alignment too

DMARC cares whether authenticated SPF or DKIM aligns with the visible From domain. A message can have a DKIM signature but still miss DMARC alignment if the d=domain does not align with the From domain under the domain owner's DMARC policy.

DKIM selector FAQ

What is a DKIM selector?

A selector is the value in the s= tag of a DKIM-Signature header. It tells receivers which selector-specific DNS name to query for the public key.

Can a domain have more than one DKIM selector?

Yes. Different platforms, key rotations, or mail streams can use different selectors. Check the actual signed message or the sending platform settings instead of assuming one default selector.

Does finding a selector prove DKIM passes?

No. The selector helps locate the public key. A full DKIM check also verifies the signature, signed headers, body hash, key record, and whether the signing domain aligns for DMARC.

Need help turning headers into next steps?

SenderReady readiness audits summarize public DNS findings and related authentication checks. They can support a DKIM review, but they do not replace a platform admin, provider support, or full message-header analysis.

View audit options