Finding a DKIM selector
A DKIM selector is not discoverable from DNS. There is no record that enumerates a domain's selectors, by design: the selector is part of the lookup key, not something you can query for. You learn it in one of three ways — read the s= value from the DKIM-Signature header of a message the domain actually sent, read your provider's documentation, or probe a list of well-known selectors and see which resolve.
Why there is no lookup
DKIM keys live at <selector>._domainkey.<domain>. To fetch the key you
must already know the selector — and DNS has no operation for "list the names under this node".
That is not an oversight. A domain can rotate keys by publishing a new selector and switching to
it, with no coordination and no announcement, precisely because nobody can enumerate them.
google._domainkey.example.com ← Google Workspace selector1._domainkey.example.com ← Microsoft 365 s1._domainkey.example.com ← SendGrid
The three ways to actually get it
- From a message header — the reliable one. Open any mail the domain sent, view
the raw source, find
DKIM-Signature:, read thes=tag. In Gmail that is ⋮ → "Show original". This is authoritative: it is the selector they signed with. - From the provider's docs. Each ESP has a fixed convention, and their setup guide names it.
- By probing common selectors. Query the well-known list and see what resolves. This is what our checker does when you have not supplied one.
Check a selector
Leave the selector blank and we will probe the common ones.
What we report when we find one
- That the record parses and carries a public key.
- The key algorithm and modulus size. 1024-bit RSA is still extremely common and still accepted; 2048-bit is the sensible target. Below 1024 is a genuine problem.
t=y(testing mode) — worth knowing, because a signature in testing mode is not meant to be enforced against, and people leave it on for years after go-live.
Frequently asked
How do I find a domain's DKIM selector?
Read the DKIM-Signature header of an email the domain sent — the s= value is the selector. If you cannot get a message, check the sending provider's documentation, since each ESP uses predictable selectors (Google uses google, Microsoft uses selector1 and selector2, SendGrid uses s1 and s2). There is no DNS query that lists a domain's selectors.
Why can't a checker find my DKIM record?
Because DKIM records live at selector._domainkey.example.com, and a checker that has not been told the selector has to guess it. If your provider uses an unusual selector, a probe of common names will miss it. This does not mean DKIM is broken — it means it was not found. Those are different claims, and any tool that reports the first when it means the second is misleading you.
What are the common DKIM selectors?
google (Google Workspace); selector1 and selector2 (Microsoft 365); s1 and s2 (SendGrid); k1 (Mailchimp/Mandrill); mandrill; dkim; smtp; mail; zoho; pm (Postmark); mte1 (Mailgun-style). Probing these finds most real-world domains, but a miss proves nothing.
Related
- SPF vs DKIM vs DMARC — Three records, three different jobs.
- DMARC aggregate reports, and how to actually read one — The rua tag gets you XML reports from receivers showing who is sending as your domain.
- Setting up email authentication, in the right order — A working sequence for SPF, DKIM and DMARC that doesn't reject your own mail on the way.
Automate this → — free tier, public pricing, API key emailed in about thirty seconds. No call with anyone.