SenderReady

Find the DKIM selector evidence your audit needs

Run a domain scan that checks common DKIM selectors, then use the result as a handoff for each sender. Public DNS can find useful clues, but the reliable selector comes from provider settings or a signed message header.

Run a DKIM selector-aware scan

Start with the domain. If you know a selector from the provider UI or a DKIM-Signature header, add it before scanning so the report checks that exact public key.

01. Free scan ($0)

Check the public sender-auth records mailbox providers expect.

02. Shareable action plan ($0)

Keep one URL with evidence, owner steps, and decisions.

03. $49 fix plan

Add human review, provider context, and verification steps.

Optional. Most first scans can run with just the domain.
Checks Gmail, Yahoo, and Microsoft sender requirements. Public DNS only. No mailbox login needed.
Example result: 72/100, Needs attention

Review DMARC policy strength before a high-volume send.

Public DNS evidence
DMARC/SPF/DKIM status and caveats are visible before you pay.
Owner-ready next step
The audit adds provider context and a verification checklist.
Get the exact fix plan for your domain. $49 readiness audit: prioritized owner actions, DNS evidence, and verification checks.
Sender readiness cockpit: Example action plan

Public DNS workspace

Overall sender readiness

72/100

Needs attention

Sample output: one warning and one fail mean this domain is not campaign-ready yet.

DMARC: Pass
SPF: Pass
DKIM: Pass
MX: Pass
BIMI: Warning
MTA-STS: Fail

Fix workspace preview

The scan becomes a focused work surface: evidence, owner action, verification, and the paid context a public lookup cannot infer.

High: DMARC

Review DMARC policy strength before a high-volume send.

Evidence
Evidence: a monitoring-only policy can satisfy visibility needs, but enforcement requires aligned legitimate senders.
Verify after change
Re-scan _dmarc after DNS propagation and confirm aligned SPF or DKIM senders before enforcement.
Paid audit adds
Policy sequence, starter record review, alignment questions, and enforcement caveats.

How to use selector evidence

DKIM public keys live at selector-specific DNS names such as google._domainkey.example.com. A finder can try common selector names, but it cannot prove the selector used by a real message unless you provide the selector from the s= tag in the DKIM-Signature header or from the sending platform.

For the paid audit, selector evidence helps separate real sender gaps from public-DNS uncertainty. Send the active platforms, the selectors each platform shows, and one signed sample message when possible.

Selector clues to collect

Google Workspace: google by default

Google lets admins choose a DKIM prefix selector; the default is usually google.

Microsoft 365: selector1 / selector2 CNAMEs

Microsoft uses two selector records for custom-domain DKIM signing and key rotation.

Marketing and support tools: s1, s2, k1, pm, sendgrid, mandrill

Third-party platforms vary. Use the account UI or a signed sample message as the authority.

DKIM selector finder FAQ

Can you find every DKIM selector automatically?

No. SenderReady checks common public selector names, but the exact active selector should come from provider settings or a signed message header.

What does the s= value mean?

The s= tag in a DKIM-Signature header is the selector. Combine it with the signing domain to locate the public key in DNS.

Why does this matter for DMARC?

DMARC can pass through aligned DKIM. If the wrong selector or signing domain is reviewed, a team can miss a real alignment gap before a major send.
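
The two FAQ answers above (the s= tag and DKIM alignment), worked through as an added example that is not SenderReady's code: it reads every DKIM-Signature header in a message, builds the DNS name where each public key should live, and flags whether the signing domain is relaxed-aligned with the From domain. The sample message, the function names, and the two-label organizational-domain shortcut are assumptions made for illustration; the script checks alignment only and does not verify signatures.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the page): two signatures, one from a
# platform that signs with its own domain instead of the customer's domain.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=google; h=from:to:subject; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=s1;
 h=from:to:subject; bh=CCCC; b=DDDD
From: Billing <billing@news.example.com>
To: user@example.org
Subject: constructed sample

body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, removing folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def org_domain(domain):
    # Assumption: last two labels stand in for the organizational domain.
    # A production check needs the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def selector_evidence(raw_message):
    """Return one row per usable DKIM signature found in the message headers."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    rows = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        selector, d = tags.get("s"), tags.get("d", "").lower()
        if not selector or not d:
            continue  # no s= or d= tag: this header gives no selector evidence
        rows.append({
            "selector": selector,
            "signing_domain": d,
            "dns_name": f"{selector}._domainkey.{d}",
            "relaxed_aligned": org_domain(d) == org_domain(from_domain),
        })
    return rows
```

For the sample, the second signature is the kind of gap the DMARC answer describes: its key exists under a valid selector, but the signing domain does not align with the From domain.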