Choosing a DKIM Selector and Publishing the Public Key

Learn what a DKIM selector is, where to publish the DKIM public key, how to avoid common DNS mistakes, and how to rotate DKIM keys safely.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 8 min read Beginner

Introduction

A DKIM selector tells receiving mail servers where to find the public key used to verify a DKIM signature. When your email provider signs outgoing mail, it includes a selector in the message header. Receivers use that selector to look up the matching DKIM TXT record in DNS.

Most DKIM setup problems happen because the public key is published under the wrong hostname, copied incompletely, added at the wrong DNS provider, or not activated inside the mail platform after DNS is updated.

Quick answer

Quick answer

A DKIM selector is the label before _domainkey in a DKIM DNS hostname. For example, if the selector is default, the public key is usually published at default._domainkey.example.com. Use the selector and TXT value generated by your email provider, then verify it with a DKIM checker.

DKIM selector

A DKIM selector is a short label that identifies which DKIM key should be used for verification.

Selector
default
DKIM hostname
default._domainkey.example.com

This lets a domain publish multiple DKIM keys for different providers, key rotations or sending systems.

You usually do not invent the selector yourself. Your email provider normally gives you the selector and DNS value.

DKIM hostname format

A DKIM public key is published as a TXT record under a hostname that follows this pattern:

Hostname pattern
selector._domainkey.yourdomain.com
Examples
default._domainkey.example.com
google._domainkey.example.com
selector1._domainkey.example.com
k1._domainkey.example.com

The selector must match the selector used by the sending provider. If the selector is wrong, receiving servers will not find the correct public key.

Public vs private key

Public key

  • Published in DNS
  • Visible to receivers
  • Used to verify DKIM signatures
  • Safe to publish because it is public

v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE

Private key

  • Kept by the sending provider
  • Used to sign outgoing email
  • Must not be published in DNS
  • Usually managed automatically by the provider

Managed by email provider

If a provider gives you a DKIM TXT record, it is the public key, not the private key.

How to publish DKIM

  1. 1. Open DKIM settings in your email provider

    Find the DKIM/authentication area for Google Workspace, Microsoft 365, Zoho, hosting mail, SMTP service or transactional provider.

  2. 2. Copy the selector

    Examples include default, google, selector1, selector2, k1, s1 or provider-specific labels.

  3. 3. Copy the TXT value

    The value usually starts with v=DKIM1 and contains a long p= public key.

  4. 4. Confirm active DNS provider

    Check nameservers and make sure you edit the live DNS zone.

  5. 5. Add the TXT record

    Publish it at selector._domainkey.yourdomain.com.

  6. 6. Wait for DNS visibility

    Allow DNS to update, then check the selector publicly.

  7. 7. Enable or verify DKIM signing

    Some providers require clicking “Start authentication”, “Verify”, or “Enable signing” after DNS is detected.

Why this matters

Why this matters

This matters because DKIM verification depends on an exact match between the selector in the email header and the public key published in DNS. If the selector hostname is wrong, the public key is incomplete, or the record is added at an inactive DNS provider, DKIM can fail even if the mail provider is configured correctly.

A correct DKIM record also helps DMARC pass when DKIM aligns with the visible From domain.

How to check a selector

Use DKIM Checker to test the exact selector and domain given by your email provider.

When checking a DKIM selector, review

These six checks help confirm the selector and public key are published correctly.

Selector

The selector should match your provider settings.

Domain

The domain should match the sending domain.

Hostname

The full hostname should look like selector._domainkey.example.com.

TXT value

The record should contain the complete DKIM public key.

Active DNS provider

The record must be added where the active nameservers point.

Signing status

After DNS is correct, confirm the provider is signing outgoing mail.

Check DKIM selector now

Use DKIM Checker to verify your selector, public key and DNS hostname.

Run DKIM Check →

Common problems

Selector published at the wrong hostname

High

The DKIM TXT record was added at the root domain or wrong subdomain instead of selector._domainkey.example.com.

Next step: Move the record to the exact hostname provided by the email provider.

Wrong selector used

High

The checker or receiver is looking for one selector, but the provider signs with another.

Next step: Confirm the active selector in the provider dashboard or message headers.

Public key is truncated

High

The DKIM TXT value is incomplete because the long key was not copied or saved correctly.

Next step: Copy the full value again and verify public DNS output.

Record added at inactive DNS provider

Medium

The DKIM record was added in a DNS zone that is not authoritative for the domain.

Next step: Check active nameservers and add the record at the live DNS provider.

DNS record exists but signing is not enabled

Medium

The public key is visible, but the mail platform is not signing outgoing messages.

Next step: Enable DKIM signing in the provider dashboard.

Multiple providers use different selectors

Low

Several selectors can exist, but each provider must use its own correct selector.

Next step: Keep provider selectors documented and do not delete active records.

Old selector deleted too early

Medium

During key rotation, old messages or active signing may still depend on the old selector.

Next step: Keep old selectors until the new key is active and mail is verified.

How to fix issues

  1. Step 1: Find the provider’s active selector

    Check your mail provider settings or inspect message headers from a sent email.

  2. Step 2: Confirm the correct hostname

    The DKIM hostname should follow selector._domainkey.yourdomain.com.

  3. Step 3: Copy the full public key

    Make sure the TXT value includes the complete p= key and any required DKIM tags.

  4. Step 4: Publish at the active DNS provider

    Use nameserver checks to confirm where the live DNS zone is hosted.

  5. Step 5: Verify public DNS

    Run DKIM Checker or DNS Lookup to confirm the selector returns the expected TXT record.

  6. Step 6: Enable signing

    Activate DKIM signing in the mail provider dashboard if required.

  7. Step 7: Send and inspect a test email

    Check the message headers to confirm DKIM passes.

Multiple selectors

Yes. A domain can publish multiple DKIM selectors at the same time.

This is common when:

  • Using multiple email providers
  • Rotating DKIM keys
  • Separating marketing and transactional mail
  • Migrating from one provider to another
  • Using Google and Microsoft during transition
  • Testing a new DKIM key before removing an old one

Multiple selectors are normal. The important part is that each sending provider signs with a selector that exists in DNS.

DKIM key rotation

DKIM key rotation means replacing an old DKIM key with a new one. This is usually done for security or provider policy reasons.

  1. Generate a new DKIM key in the provider.
  2. Publish the new selector in DNS.
  3. Wait until the new key is visible.
  4. Enable signing with the new selector.
  5. Send test messages and confirm DKIM passes.
  6. Remove the old selector only after it is no longer used.

Do not delete the old DKIM record before the new selector is active and verified.

Selector example
default
Hostname example
default._domainkey.example.com
TXT value example
v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE
Provider hostname examples
google._domainkey.example.com
selector1._domainkey.example.com
selector2._domainkey.example.com
Check commands
dig default._domainkey.example.com TXT
dig google._domainkey.example.com TXT
dig selector1._domainkey.example.com TXT

These examples are illustrative. Use the exact selector and TXT value from your email provider.

Frequently asked questions

Do I choose the DKIM selector myself?

Usually no. Most email providers generate the selector and public key for you.

Where do I publish the DKIM public key?

Publish it as a TXT record at selector._domainkey.yourdomain.com.

Can I have multiple DKIM selectors?

Yes. Multiple selectors are normal when using multiple providers or rotating keys.

Why is my DKIM selector not found?

Common causes include wrong hostname, inactive DNS provider, DNS propagation delay or a selector mismatch.

Can I delete old DKIM selectors?

Only after confirming they are no longer used by any sending provider.

Does publishing the public key enable DKIM automatically?

Not always. Some providers require you to verify the DNS record and enable signing separately.

Use these free tools to verify your configuration after applying changes.

Browse all Email Authentication guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.