Finding a DKIM selector

A DKIM selector is not discoverable from DNS. There is no record that enumerates a domain's selectors, by design: the selector is part of the lookup key, not something you can query for. You learn it in one of three ways — read the s= value from the DKIM-Signature header of a message the domain actually sent, read your provider's documentation, or probe a list of well-known selectors and see which resolve.

Updated July 14, 2026 · DKIM

Why there is no lookup

DKIM keys live at <selector>._domainkey.<domain>. To fetch the key you must already know the selector — and DNS has no operation for "list the names under this node". That is not an oversight. A domain can rotate keys by publishing a new selector and switching to it, with no coordination and no announcement, precisely because nobody can enumerate them.

google._domainkey.example.com     ← Google Workspace
selector1._domainkey.example.com  ← Microsoft 365
s1._domainkey.example.com         ← SendGrid

The three ways to actually get it

  1. From a message header — the reliable one. Open any mail the domain sent, view the raw source, find DKIM-Signature:, read the s= tag. In Gmail that is ⋮ → "Show original". This is authoritative: it is the selector they signed with.
  2. From the provider's docs. Each ESP has a fixed convention, and their setup guide names it.
  3. By probing common selectors. Query the well-known list and see what resolves. This is what our checker does when you have not supplied one.
Absence is not evidence. A probe that finds nothing has established exactly one fact: none of the selectors we tried resolved. It has not established that the domain lacks DKIM. This is why a DKIM probe miss never reduces the score we report — a tool that grades you down for something it cannot prove is not a diagnostic, it is a guess with confidence. If you know your selector, pass it explicitly and get a real answer.

Check a selector

Leave the selector blank and we will probe the common ones.

What we report when we find one

Frequently asked

How do I find a domain's DKIM selector?

Read the DKIM-Signature header of an email the domain sent — the s= value is the selector. If you cannot get a message, check the sending provider's documentation, since each ESP uses predictable selectors (Google uses google, Microsoft uses selector1 and selector2, SendGrid uses s1 and s2). There is no DNS query that lists a domain's selectors.

Why can't a checker find my DKIM record?

Because DKIM records live at selector._domainkey.example.com, and a checker that has not been told the selector has to guess it. If your provider uses an unusual selector, a probe of common names will miss it. This does not mean DKIM is broken — it means it was not found. Those are different claims, and any tool that reports the first when it means the second is misleading you.

What are the common DKIM selectors?

google (Google Workspace); selector1 and selector2 (Microsoft 365); s1 and s2 (SendGrid); k1 (Mailchimp/Mandrill); mandrill; dkim; smtp; mail; zoho; pm (Postmark); mte1 (Mailgun-style). Probing these finds most real-world domains, but a miss proves nothing.

Related

Automate this → — free tier, public pricing, API key emailed in about thirty seconds. No call with anyone.