DKIM (DomainKeys Identified Mail) is an email authentication standard that uses public-key cryptography to verify that a message was sent and authorised by the owner of the domain. When your mail server sends a message, it adds a digital signature in the email header. The receiving server then fetches your DKIM public key from DNS and uses it to verify the signature, confirming the message has not been altered in transit.
What is a DKIM selector?
A DKIM selector is a label that identifies which public key to use for verification. Because a domain can have multiple DKIM keys (for example, one per sending service), the selector is included in the email signature header so the receiving server knows exactly which DNS record to fetch. The DKIM record is published at the DNS name: selector._domainkey.yourdomain.com.
How do I find my DKIM selector?
The easiest way to find your DKIM selector is to look at the headers of an email your domain has already sent. Open the raw message headers and search for "DKIM-Signature". Within that header you will see a tag "s=" followed by your selector name. Common selectors include "default", "google", "mail", "k1", or "s1". Your email provider's documentation will also list the selector they use.
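An added example (not part of the original page): a Python script that reads the "s=" and "d=" tags from every DKIM-Signature header in a raw message and builds the selector._domainkey.domain name to look up. The sample message, its example.com domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not real mail): two signatures, both folded
# across lines the way mail servers wrap long headers.
RAW_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    "\ts=google; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=k1;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: sender@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# One DNS label: letters, digits and inner hyphens only.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def parse_tags(header_value):
    """Split a DKIM-Signature value into a dict of tag -> value."""
    tags = {}
    # Folding whitespace carries no meaning here, so drop it before splitting.
    for part in re.sub(r"\s+", "", str(header_value)).split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # b=/bh= values may contain '='
            tags[name] = value
    return tags


def dkim_record_names(raw_message):
    """Return (selector, domain, dns_name) for each usable signature."""
    results = []
    for value in message_from_string(raw_message).get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        selector, domain = tags.get("s"), tags.get("d")
        if not selector or not domain:
            continue  # both tags are needed to locate the key
        # Header content is untrusted: skip anything that is not plain
        # DNS labels before it is used to build a lookup name.
        if not all(LABEL.match(l) for l in f"{selector}.{domain}".split(".")):
            continue
        results.append((selector, domain, f"{selector}._domainkey.{domain}".lower()))
    return results


if __name__ == "__main__":
    for selector, domain, name in dkim_record_names(RAW_MESSAGE):
        print(f"selector={selector} domain={domain} TXT lookup: {name}")
```

Each returned name is the TXT record to query with your usual DNS tool; a message signed by several sending services yields one entry per signature.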
Should I use a 1024-bit or 2048-bit DKIM key?
2048-bit keys are the current best practice and are recommended by Google, Microsoft, and most email security guidelines. A 1024-bit RSA key is considered weak by modern cryptographic standards and should be upgraded if possible. Some older DNS providers or mail systems may not support keys longer than 1024 bits due to DNS packet size limitations, but this is increasingly rare. If you are setting up DKIM for the first time, always choose 2048 bits.