How to Check DKIM Selectors (Step-by-Step Guide)
Learn how to find and check DKIM selectors, query DNS correctly, and troubleshoot missing or invalid DKIM records with real examples.
Understand what the DKIM selector is
A DKIM selector identifies which DKIM public key should be used to verify a signed email. It forms part of the DNS hostname where the public key is published.
Selectors allow a domain to rotate keys, separate services, or manage multiple signing systems without conflicts.
For example, if the selector is selector1, the DNS record will typically be:
selector1._domainkey.example.comThe receiving mail server extracts this selector from the email header and uses it to look up the corresponding public key in DNS.
How to find the selector from an email
The most reliable way to identify the selector is by inspecting the DKIM-Signature header in an email.
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; ...The s= value defines the selector. In this example, the selector is selector1.
This is the exact value you must use when performing DNS lookups. Guessing selectors is a common cause of troubleshooting errors.
Construct the full selector hostname
Once you have the selector, combine it with _domainkey and your domain to form the full DNS query name.
selector._domainkey.example.comIf this hostname is incorrect, the lookup will fail even if DKIM is configured correctly elsewhere.
What a DKIM TXT record should look like
DKIM records are published as TXT records and contain structured tag-value pairs.
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...Key components include v=DKIM1 for version, k=rsa for key type, and p= for the public key.
The public key is usually very long and may be split across multiple strings depending on your DNS provider.
If the key is truncated or malformed, DKIM validation will fail even if the selector resolves correctly.
How to check a DKIM selector in DNS
To check a selector, query the TXT record for the full selector hostname.
nslookup -type=TXT selector1._domainkey.example.comIf the record is configured correctly, the DKIM TXT value should be returned.
If no record is found, the selector may be incorrect, missing, or not yet propagated.
What to inspect during validation
- The selector hostname resolves correctly in DNS
- A TXT record exists at that hostname
- The record contains v=DKIM1
- The public key (p=) is present and complete
- There are no syntax errors or invalid characters
- The sending platform is signing with the same selector shown in DNS
Common DKIM selector problems
- Querying the wrong selector (most common issue)
- Selector exists in DNS but email is signed with a different one
- TXT record missing or not yet propagated
- Public key truncated due to DNS length or formatting issues
- Multiple selectors exist but the wrong one is being used
- DKIM records published but signing not enabled in the email platform
A practical DKIM troubleshooting workflow
- Extract the selector from the DKIM-Signature header (s= value)
- Construct the full hostname (selector._domainkey.domain)
- Query the TXT record using a DNS lookup tool
- Confirm the DKIM record contains valid tags and a full public key
- Compare the selector in DNS with the one used in the email
- If mismatched, update the sending platform or publish the correct selector
- Re-test by sending a new email and reviewing authentication results
How DKIM selector issues affect deliverability
If the selector cannot be resolved or the public key is invalid, DKIM verification will fail.
This can cause messages to be marked as spam or rejected entirely, especially when DMARC policies are enforced.
Even if SPF passes, DKIM failure reduces domain trust and negatively impacts inbox placement.
Accurate selector configuration is therefore critical when troubleshooting email authentication issues.