Choosing a DKIM Selector and Publishing the Public Key
Learn what a DKIM selector is, where to publish the DKIM public key, how to avoid common DNS mistakes, and how to rotate DKIM keys safely.
Introduction
A DKIM selector tells receiving mail servers where to find the public key used to verify a DKIM signature. When your email provider signs outgoing mail, it includes a selector in the message header. Receivers use that selector to look up the matching DKIM TXT record in DNS.
Most DKIM setup problems happen because the public key is published under the wrong hostname, copied incompletely, added at the wrong DNS provider, or not activated inside the mail platform after DNS is updated.
Quick answer
A DKIM selector is the label before _domainkey in a DKIM DNS hostname. For example, if the selector is default, the public key is usually published at default._domainkey.example.com. Use the selector and TXT value generated by your email provider, then verify it with a DKIM checker.
DKIM selector
A DKIM selector is a short label that identifies which DKIM key should be used for verification.
Example selector: default
Example hostname: default._domainkey.example.com
This lets a domain publish multiple DKIM keys for different providers, key rotations or sending systems.
You usually do not invent the selector yourself. Your email provider normally gives you the selector and DNS value.
DKIM hostname format
A DKIM public key is published as a TXT record under a hostname that follows this pattern:
selector._domainkey.yourdomain.com
Examples:
- default._domainkey.example.com
- google._domainkey.example.com
- selector1._domainkey.example.com
- k1._domainkey.example.com
The selector must match the selector used by the sending provider. If the selector is wrong, receiving servers will not find the correct public key.
Public vs private key
Public key
- Published in DNS
- Visible to receivers
- Used to verify DKIM signatures
- Safe to publish because it is public
Example record value: v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE
Private key
- Kept by the sending provider
- Used to sign outgoing email
- Must not be published in DNS
- Usually managed automatically by the provider
If a provider gives you a DKIM TXT record, it is the public key, not the private key.
How to publish DKIM
1. Open DKIM settings in your email provider
Find the DKIM/authentication area for Google Workspace, Microsoft 365, Zoho, hosting mail, SMTP service or transactional provider.
2. Copy the selector
Examples include default, google, selector1, selector2, k1, s1 or provider-specific labels.
3. Copy the TXT value
The value usually starts with v=DKIM1 and contains a long p= public key.
4. Confirm active DNS provider
Check nameservers and make sure you edit the live DNS zone.
5. Add the TXT record
Publish it at selector._domainkey.yourdomain.com.
6. Wait for DNS visibility
Allow DNS to update, then check the selector publicly.
7. Enable or verify DKIM signing
Some providers require clicking “Start authentication”, “Verify”, or “Enable signing” after DNS is detected.
Why this matters
This matters because DKIM verification depends on an exact match between the selector in the email header and the public key published in DNS. If the selector hostname is wrong, the public key is incomplete, or the record is added at an inactive DNS provider, DKIM can fail even if the mail provider is configured correctly.
A correct DKIM record also helps DMARC pass when DKIM aligns with the visible From domain.
How to check a selector
Use DKIM Checker to test the exact selector and domain given by your email provider.
When checking a DKIM selector, review
These six checks help confirm the selector and public key are published correctly.
- Selector: The selector should match your provider settings.
- Domain: The domain should match the sending domain.
- Hostname: The full hostname should look like selector._domainkey.example.com.
- TXT value: The record should contain the complete DKIM public key.
- Active DNS provider: The record must be added where the active nameservers point.
- Signing status: After DNS is correct, confirm the provider is signing outgoing mail.
Common problems
Selector published at the wrong hostname
Severity: High
The DKIM TXT record was added at the root domain or wrong subdomain instead of selector._domainkey.example.com.
Next step: Move the record to the exact hostname provided by the email provider.
Wrong selector used
Severity: High
The checker or receiver is looking for one selector, but the provider signs with another.
Next step: Confirm the active selector in the provider dashboard or message headers.
Public key is truncated
Severity: High
The DKIM TXT value is incomplete because the long key was not copied or saved correctly.
Next step: Copy the full value again and verify public DNS output.
Record added at inactive DNS provider
Severity: Medium
The DKIM record was added in a DNS zone that is not authoritative for the domain.
Next step: Check active nameservers and add the record at the live DNS provider.
DNS record exists but signing is not enabled
Severity: Medium
The public key is visible, but the mail platform is not signing outgoing messages.
Next step: Enable DKIM signing in the provider dashboard.
Multiple providers use different selectors
Severity: Low
Several selectors can exist, but each provider must use its own correct selector.
Next step: Keep provider selectors documented and do not delete active records.
Old selector deleted too early
Severity: Medium
During key rotation, old messages or active signing may still depend on the old selector.
Next step: Keep old selectors until the new key is active and mail is verified.
How to fix issues
Step 1: Find the provider’s active selector
Check your mail provider settings or inspect message headers from a sent email.
Step 2: Confirm the correct hostname
The DKIM hostname should follow selector._domainkey.yourdomain.com.
Step 3: Copy the full public key
Make sure the TXT value includes the complete p= key and any required DKIM tags.
Step 4: Publish at the active DNS provider
Use nameserver checks to confirm where the live DNS zone is hosted.
Step 5: Verify public DNS
Run DKIM Checker or DNS Lookup to confirm the selector returns the expected TXT record.
Step 6: Enable signing
Activate DKIM signing in the mail provider dashboard if required.
Step 7: Send and inspect a test email
Check the message headers to confirm DKIM passes.
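An added example (not part of the original guide or of any provider's tooling) covering the checks in steps 1, 2, 3 and 5 offline: it builds the lookup hostname from the s= and d= tags of a DKIM-Signature header, joins the quoted chunks that dig prints for a long TXT record, and flags a revoked or truncated p= value. The function names and SAMPLE_KEY are assumptions made for illustration; the RSA check only compares the outer DER length with the bytes actually present.

```python
import base64
import re

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list, removing folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def lookup_name(dkim_signature):
    """DNS name a receiver queries, built from the header's s= and d= tags."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def join_txt(rdata):
    """Join the quoted 255-byte chunks that dig prints for a long TXT record."""
    chunks = re.findall(r'"([^"]*)"', rdata)
    return "".join(chunks) if chunks else rdata

def der_length_ok(blob):
    """True if the outer DER SEQUENCE length equals the bytes actually present."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    n = blob[1] & 0x7F if blob[1] & 0x80 else 0
    if blob[1] & 0x80 and (n == 0 or len(blob) < 2 + n):
        return False
    declared = int.from_bytes(blob[2:2 + n], "big") if n else blob[1]
    return len(blob) == 2 + n + declared

def check_record(rdata):
    """Return the problems found in a DKIM key record; an empty list means none."""
    tags = parse_tags(join_txt(rdata))
    if "p" not in tags:
        return ["no p= tag: not a DKIM key record"]
    if tags["p"] == "":
        return ["p= is empty: key revoked"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return ["p= is not valid base64: value likely truncated"]
    if tags.get("k", "rsa") == "rsa" and not der_length_ok(key):
        return ["RSA key length mismatch: value likely truncated"]
    return []

# Constructed sample (assumption): valid outer DER header over filler bytes, not a real key.
SAMPLE_KEY = base64.b64encode(b"\x30\x81\x9f" + bytes(159)).decode()
```

Pass check_record the record data exactly as dig prints it, quotes included, so that a key split across several TXT strings is rejoined before it is judged.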
Multiple selectors
A domain can publish multiple DKIM selectors at the same time.
This is common when:
- Using multiple email providers
- Rotating DKIM keys
- Separating marketing and transactional mail
- Migrating from one provider to another
- Using Google and Microsoft during transition
- Testing a new DKIM key before removing an old one
Multiple selectors are normal. The important part is that each sending provider signs with a selector that exists in DNS.
DKIM key rotation
DKIM key rotation means replacing an old DKIM key with a new one. This is usually done for security or provider policy reasons.
- Generate a new DKIM key in the provider.
- Publish the new selector in DNS.
- Wait until the new key is visible.
- Enable signing with the new selector.
- Send test messages and confirm DKIM passes.
- Remove the old selector only after it is no longer used.
Do not delete the old DKIM record before the new selector is active and verified.
Examples
Selector: default
Hostname: default._domainkey.example.com
Record value: v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE
Other hostnames:
- google._domainkey.example.com
- selector1._domainkey.example.com
- selector2._domainkey.example.com
Lookup commands:
dig default._domainkey.example.com TXT
dig google._domainkey.example.com TXT
dig selector1._domainkey.example.com TXT
These examples are illustrative. Use the exact selector and TXT value from your email provider.
Frequently asked questions
Do I choose the DKIM selector myself?
Usually no. Most email providers generate the selector and public key for you.
Where do I publish the DKIM public key?
Publish it as a TXT record at selector._domainkey.yourdomain.com.
Can I have multiple DKIM selectors?
Yes. Multiple selectors are normal when using multiple providers or rotating keys.
Why is my DKIM selector not found?
Common causes include wrong hostname, inactive DNS provider, DNS propagation delay or a selector mismatch.
Can I delete old DKIM selectors?
Only after confirming they are no longer used by any sending provider.
Does publishing the public key enable DKIM automatically?
Not always. Some providers require you to verify the DNS record and enable signing separately.