What is a DKIM selector?

The selector is basically a label. It tells the receiving server which key to grab. You can publish more than one at a time, which is the whole trick behind rotating keys without breaking yesterday’s mail. The annoying part? Everybody names theirs differently. I’ve hit default, google, the selector1 / selector2 pair, k1, plus a heap of provider-specific ones that read like keyboard mashing. No standard anywhere. So you go hunting.

How to find your selector

• Start with your provider’s DNS setup docs. They nearly always name the selector outright, and that’s the fastest way in.
• Docs being vague? Open a message you’ve already sent and read its DKIM-Signature header. The s= value is your selector, sitting right there in plain sight.
• Same header gives you d=, the signing domain. Paste d= into the domain box and s= into the selector box. That’s it.

FAQ

Why does my DKIM lookup return no record?

Wrong selector. That’s the answer most of the time, so try a couple of others before you panic. Maybe it’s just me, but I’d bet the record was never actually published, or DNS hasn’t propagated yet and you’re staring at a void that’ll fill in an hour. Some providers also stash the key under a hostname you’d never guess in a hundred years. When in doubt, go grab the s= value off a real email and trust that over whatever you typed from memory.

Does DKIM replace SPF?

No. You want both. SPF says which servers are allowed to send for your domain. DKIM proves the message wasn’t tampered with on the way over. Two different jobs, really, and they don’t overlap much. DMARC sits on top, ties the pair together, and tells receivers what to do when one of them fails. I’d run all three.